Posts Tagged 'adobe'

Adobe Patches – unannounced (MAR-2011)

Adobe has released an unannounced out-of-cycle update.

Adobe categorizes these updates with the following priority and severity ratings, and recommends users update their installations to the newest versions:
Priority: 2
Severity: Critical

| Bulletin | Description | Severity | Impact | Software |
|---|---|---|---|---|
| APSB12-05 | Security update available for Adobe Flash Player | Remote Code Execution | Critical | Adobe Flash Player |

LINKS:
[1.] Adobe – Security bulletins and advisories (2012-Mar-05) [Adobe]
[2.] Adobe Flash Player Security Update (2012-Mar-05) [SANS]

Adobe Patch – Adobe Flash Player

On 21 Sep 2011, Adobe released an updated version of Flash Player.

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. [1]

| Bulletin | Description | Severity | Impact | Software |
|---|---|---|---|---|
| APSB11-26 | Security update available for Adobe Flash Player | Remote code execution | Critical | Adobe Flash Player |

PATCH NOW:
APSB11-26 – There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

Shockwave, Flash and Acrobat installers are available via http://www.adobe.com/downloads/

LINKS:
[1.] Adobe – Security bulletins and advisories (2011-Sep-21) [Adobe]
[2.] Prenotification: Security Update for Flash Player (2011-Sep-) [Adobe PSIRT Blog]
[3.] Emergency patch expected for Flash Player (2011-Sep-21) [SANS]

Adobe Patches (AUG-2011)

| Bulletin | Description | Severity | Impact | Software |
|---|---|---|---|---|
| APSB11-19 | Security update available for Adobe Shockwave Player | Random code execution | Critical | Adobe Shockwave Player |
| APSB11-20 | Security updates available for Adobe Flash Media Server | Random code execution | Critical | Adobe Flash Media Server |
| APSB11-21 | Security updates available for Adobe Flash Player | Random code execution | Critical | Adobe Flash Player |
| APSB11-22 | Security updates available for Adobe Photoshop CS5 | Random code execution | Critical | Adobe Photoshop CS5 |
| APSB11-23 | Security updates available for RoboHelp | Cross site scripting (XSS) vulnerability | Important | RoboHelp |

PATCH NOW:
APSB11-19, APSB11-20, APSB11-21, APSB11-22

Shockwave, Flash and Acrobat installers are available via http://www.adobe.com/downloads/

LINKS:
[1.] Adobe – Security bulletins and advisories (2011-Aug-09) [Adobe]
[2.] Adobe August 2011 Black Tuesday Overview (2011-Aug-09) [SANS]

Adobe Patches (JUN-2011)

| Bulletin | Description | Severity | Impact | Software |
|---|---|---|---|---|
| APSB11-14 | Security update: Hotfix available for ColdFusion | Cross-Site Request Forgery (CSRF) or a remote Denial-Of-Service (DoS) | Important | ColdFusion |
| APSB11-15 | Security update available for LiveCycle Data Services, LiveCycle ES, and BlazeDS | Denial of Service | Important | LiveCycle Data Services, BlazeDS |
| APSB11-16 | Security updates available for Adobe Reader and Acrobat | Remote Code Execution | Critical | Adobe Reader, Acrobat |
| APSB11-17 | Security update available for Adobe Shockwave Player | Remote Code Execution | Critical | Adobe Shockwave Player |
| APSB11-18 | Security update available for Adobe Flash Player | Remote Code Execution | Critical | Adobe Flash Player |

PATCH NOW:
APSB11-16, APSB11-17, APSB11-18

LINKS:
[1.] Adobe – Security bulletins and advisories (2011-Jun-14) [Adobe]
[2.] Adobe releases patches (2011-Jun-14) [SANS]

Adobe security updates (AUG-2010)

Adobe’s bulletins and advisories for this month:

| Bulletin | Description | Severity | Impact | Software |
|---|---|---|---|---|
| APSB10-16 | Security update available for Adobe Flash Player | Remote Code Execution | Critical | Adobe Flash Player, Adobe AIR |
| APSB10-17 | Security Advisory for Adobe Reader and Acrobat | Notification out-of-band release | Critical | Adobe Flash Player, Adobe AIR |
| APSB10-18 | Security update: Hotfix available for ColdFusion | Directory traversal vulnerability | Important | ColdFusion |
| APSB10-19 | Security update available for Adobe Flash Media Server | Remote Code Execution | Critical | Flash Media Server |

LINKS:
[1] Security bulletins and advisories [Adobe]
[2] Adobe critical security updates (2010-Aug-10) [SANS]

Adobe Reader 9.3.3

Summary [1]
Critical vulnerabilities have been identified in Adobe Reader 9.3.2 (and earlier versions) for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.2 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.2 (and earlier versions) and Adobe Acrobat 8.2.2 (and earlier versions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-1297 referenced in Security Advisory APSA10-01, could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3.2 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.3. …

Vulnerabilities addressed:
CVE-2010-1240, CVE-2010-1285, CVE-2010-1295, CVE-2010-1297, CVE-2010-2168, CVE-2010-2201, CVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205, CVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211, CVE-2010-2212

Vulnerability ratings: Critical vulnerabilities
Severity: Arbitrary code execution
Affects: Windows, Linux, and Mac OS X
Evaluation: Update now

LINKS:
[1] Security updates available for Adobe Reader and Acrobat APSB10-15 (2010-JUN-29) [Adobe]
[2] Adobe Reader 9.3.3/8.2.3 addressing CVE-2010-1297 (2010-JUN-29) [SANS]
[3] Adobe Reader and Acrobat 9.3.3 and 8.2.3 (2010-JUN-29) [Adobe Reader Blog]
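
The "X and earlier versions" thresholds quoted in these posts can be checked against a software inventory. The sketch below is an added example, not code from this blog or from Adobe; it generalizes across the Reader/Acrobat (APSB10-15) and Flash Player (APSB11-26) thresholds quoted on this page. The verdict labels, function names and the sample inventory are assumptions made for illustration. It compares versions numerically and per major branch, so that 8.2.3 is not flagged just because it is lower than 9.3.2, and 10.3.183.10 is not mistaken for something older than 10.3.183.7.

```python
import re

# Highest affected version per (product, major branch), as quoted in the posts
# on this page: Reader/Acrobat from APSB10-15, desktop Flash Player from APSB11-26.
LAST_AFFECTED = {
    ("Adobe Reader", 9): "9.3.2", ("Adobe Reader", 8): "8.2.2",
    ("Adobe Acrobat", 9): "9.3.2", ("Adobe Acrobat", 8): "8.2.2",
    ("Adobe Flash Player", 10): "10.3.183.7",
}

def parse_version(text):
    """'10.3.183.7' -> (10, 3, 183, 7); ValueError for anything not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def verdict(product, installed):
    """Return 'affected', 'ok' or 'review' (hypothetical labels) for one install."""
    branches = sorted(b for (p, b) in LAST_AFFECTED if p == product)
    if not branches:
        return "review"                    # product not in the table
    try:
        inst = parse_version(installed)
    except ValueError:
        return "review"                    # unparseable inventory data
    if inst[0] < branches[0]:
        return "affected"                  # older branch: "and earlier versions"
    limit = LAST_AFFECTED.get((product, inst[0]))
    if limit is None:
        return "review"                    # branch these bulletins do not mention
    lim = parse_version(limit)
    width = max(len(inst), len(lim))       # pad so 9.3 compares as 9.3.0
    pad = lambda v: v + (0,) * (width - len(v))
    return "affected" if pad(inst) <= pad(lim) else "ok"

def triage(inventory):
    """inventory: iterable of (host, product, version) -> rows needing action."""
    rows = [(h, p, v, verdict(p, v)) for h, p, v in inventory]
    return [r for r in rows if r[3] != "ok"]

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("ws-01", "Adobe Reader", "9.3.2"), ("ws-02", "Adobe Reader", "8.2.3"),
    ("ws-03", "Adobe Flash Player", "10.3.183.10"),
    ("ws-04", "Adobe Flash Player", "10.3.183.7"),
    ("ws-05", "Adobe Acrobat", "7.1"), ("ws-06", "Adobe Reader", "9.3.2 (build?)"),
]
```

Calling `triage(SAMPLE)` returns the rows for ws-01, ws-04, ws-05 and ws-06; anything marked `review` needs a manual look rather than an automatic pass.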

Security Advisory for Flash Player, Adobe Reader and Acrobat

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix. [1]

Adobe has received reports indicating this vulnerability is being actively exploited in the wild against Adobe Flash Player, Adobe Reader and Acrobat. [2]

Mitigation:
* Flash Player 10.1 Release Candidate is reported as not vulnerable

* Adobe Reader and Acrobat 8.x are confirmed not vulnerable

* Adobe Reader and Acrobat 9.x are vulnerable

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content. [1]

UPDATE 2010-JUN-09:

We have received notification that a proof of concept (POC) has been found in malware taken from the wild and is currently being exploited.
For those that are Adobe users please patch before it is too late. [3]

UPDATE 2010-JUN-10:

Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR 1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610. [4]

Adobe Reader 9.3.2

Critical vulnerabilities have been identified in Adobe Reader 9.3.1 (and earlier versions) for Windows, Macintosh, and UNIX, Adobe Acrobat 9.3.1 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.1 (and earlier versions) and Adobe Acrobat 8.2.1 (and earlier versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader 9.3.1 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.2. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.2, Adobe has provided the Adobe Reader 8.2.2 update.) Adobe recommends users of Adobe Acrobat 9.3.1 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.2. Adobe recommends users of Acrobat 8.2.1 and earlier versions for Windows and Macintosh update to Acrobat 8.2.2.

Vulnerability ratings: Critical vulnerabilities
Severity: Arbitrary code execution
Affects: Windows, Linux, and Mac OS X
Evaluation: Update now

CRP-024

Adobe Download Manager critical vulnerability (APSB10-08)

Details
A critical vulnerability has been identified in the Adobe Download Manager. This vulnerability (CVE-2010-0189) could potentially allow an attacker to download and install unauthorized software onto a user’s system.

The Adobe Download Manager is intended for one-time use. The Adobe Download Manager is designed to remove itself from the computer after use at the next computer restart. However, Adobe recommends users verify that a potentially vulnerable version of the Adobe Download Manager is no longer installed on their machine using the instructions in the Solution section above.

Ensure that the C:\Program Files\NOS\ folder and its contents (“NOS files”) are not present on your system.

Vulnerability ratings: Critical
Affects: Windows
Evaluation: Check for the C:\Program Files\NOS\ folder now, mitigate if found

LINKS:
[1] Security update available for Adobe Download Manager (2010-Feb-23) APSB10-08 [Adobe]

CRP10-016

Adobe Reader 9.3.1 & Acrobat 9.3.1

Summary
A critical vulnerability has been identified in Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1. (For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.) Adobe recommends users of Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for Windows and Macintosh update to Acrobat 8.2.1.

Vulnerability ratings: Critical
Affects: Windows, Linux, and Mac OS X
Evaluation: Update now

LINKS:
[1] Security updates available for Adobe Reader and Acrobat (2010-Feb-16) APSB10-07 [Adobe]

CRP10-014, CRP10-015

