207 replies to this topic

[AplusWebMaster]

FYI...

Security Update available for Adobe Reader and Acrobat 8.1.2
- http://www.adobe.com.../apsb08-15.html
Release date: June 23, 2008
Vulnerability identifier: APSB08-15
CVE number: http://cve.mitre.org...e=CVE-2008-2641
Platform: All platforms
Affected software versions:
* Adobe Reader 8.0 through 8.1.2
* Adobe Reader 7.0.9 and earlier
* Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
* Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier
NOTE: Adobe Reader 7.1.0 and Acrobat 7.1.0 are not vulnerable to this issue. Adobe Reader 9 and Acrobat 9, expected to be available by July 2008, are also not vulnerable to this issue.

Summary:
A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch.

Solution:
Acrobat 8 and Adobe Reader: Adobe recommends Adobe Reader 8 users update to Adobe Reader 8.1.2 Security Update 1, available at the links below:
For Windows: http://www.adobe.com....jsp?ftpID=3967
For Macintosh: http://www.adobe.com....jsp?ftpID=3966
Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com....jsp?ftpID=3976
Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com....jsp?ftpID=3977
Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.2 Security Update 1, available here: http://www.adobe.com....jsp?ftpID=3975
Users with Adobe Reader 7.0 through 7.0.9 should upgrade to Adobe Reader 7.1.0: http://www.adobe.com/go/getreader.
Acrobat 7
Adobe recommends Acrobat 7 users on Windows update to Acrobat 7.1.0, available here: http://www.adobe.com...latform=Windows
Adobe recommends Acrobat 7 users on Macintosh update to Acrobat 7.1.0, available here: http://www.adobe.com...tform=Macintosh

Severity rating:
Adobe categorizes this as an critical issue and recommends affected users update their installations...
NOTE: there are reports that this issue is being exploited in the wild..."

- http://blog.trendmic...it-causes-bsod/
June 25, 2008 - "...According to the Adobe Security Bulletin on this issue*, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions, 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions, 8.0 to 8.1.2... As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer which connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders: you never really know what you’re going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads..."
* http://www.adobe.com.../apsb08-15.html

Edited by AplusWebMaster, 30 April 2010 - 08:00 PM.

[AplusWebMaster]

FYI...

Adobe Reader patch, now you see it, now you don't
- http://news.cnet.com...9979638-33.html
June 27, 2008

[AplusWebMaster]

FYI...

Security Update available for Adobe Reader 8 and Acrobat 8
- http://www.adobe.com.../apsb08-19.html
Release date: November 4, 2008
Vulnerability identifier: APSB08-19 ...
Platform: All Platforms
Summary:
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe Reader 9 and Acrobat 9 are -not- vulnerable to these issues.
Adobe recommends users of Acrobat 8 and Adobe Reader 8 who can’t update to Adobe Reader 9 install the 8.1.3 update to protect themselves from potential vulnerabilities...

Adobe Reader:
> Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader [AdbeRdr90_en_US.exe]
> Users with Adobe Reader 8.0 through 8.1.2, who can’t update to Adobe Reader 9, should update to Adobe Reader 8.1.3:
http://www.adobe.com...llversions.html [AdbeRdr813_en_US.exe] ..."

- http://secunia.com/advisories/29773
Last Update: 2008-11-05
Critical: Highly critical
Impact: Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x. Adobe Reader 8.x
Solution: Upgrade to version 9 or update to version 8.1.3...

http://web.nvd.nist....d=CVE-2008-2549
http://web.nvd.nist....d=CVE-2008-2992
http://web.nvd.nist....d=CVE-2008-4812
http://web.nvd.nist....d=CVE-2008-4813
http://web.nvd.nist....d=CVE-2008-4814
http://web.nvd.nist....d=CVE-2008-4815
http://web.nvd.nist....d=CVE-2008-4816
http://web.nvd.nist....d=CVE-2008-4817

Edited by AplusWebMaster, 06 November 2008 - 05:19 AM.

[AplusWebMaster]

FYI...

Adobe Reader v9 users w/AIR v1.1 installed
- http://isc.sans.org/...ml?storyid=5363
Last Updated: 2008-11-17 22:21:15 UTC - "...Adobe has released a bulletin and update to Adobe AIR* that they classify as critical. It fixes some of the same vulnerabilities announced earlier in Flash player. Time to update if you are using AIR..."
* http://www.adobe.com.../apsb08-23.html

> http://get.adobe.com/air/
Adobe AIR v1.5 Installer
http://web.nvd.nist....d=CVE-2008-5108

- http://secunia.com/advisories/32772/
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Edited by AplusWebMaster, 18 November 2008 - 05:30 AM.

[AplusWebMaster]

FYI...

Security Updates available for Adobe Reader 9 and Acrobat 9
- http://www.adobe.com.../apsb09-03.html
Release date: March 10, 2009
Vulnerability identifier: APSB09-03
CVE number: CVE-2009-0658
Platform: All Platforms...
Affected software versions:
Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions
Solution: Adobe Reader
Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here:
- http://get.adobe.com/reader/
Acrobat 9
Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs:
- http://www.adobe.com....jsp?ftpID=4375
- http://www.adobe.com....jsp?ftpID=4382
Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here:
- http://www.adobe.com....jsp?ftpID=4381
Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here:
- http://www.adobe.com....jsp?ftpID=4374
Severity rating:
Adobe categorizes this as a critical issue and recommends that users apply the update for their product installations...

> http://blogs.adobe.c...robat_91_u.html

[AplusWebMaster]

FYI...

Adobe Reader v8.1.4, v7.11 released
- http://isc.sans.org/...ml?storyid=6034
Last Updated: 2009-03-18 20:04:58 UTC - "Adobe has released security advisory APSB09-04* for Adobe Reader and Acrobat. The CVE entries related to the vulnerabilities being patched are CVE-2009-0658 and CVE-2009-0927. Current versions are now 9.1, 8.1.4, and 7.11. Updates for both Windows and Macintosh platforms are available..."
* http://www.adobe.com.../apsb09-04.html
Release date: March 18, 2009 - "... Users with Adobe Reader 7.0 through 8.1.3, who can’t update to Adobe Reader 9.1, should update to Adobe Reader 8.1.4 or Adobe Reader 7.1.1, available from one of the following links:
http://www.adobe.com...latform=Windows
http://www.adobe.com...tform=Macintosh ..."

As of March 24, Adobe has also made available the Adobe Reader 9.1 and Adobe Reader 8.1.4 updates for Unix...
- http://www.adobe.com...p;platform=Unix

- http://www.eset.com/...ter/blog/?p=805
March 20, 2009 - "...updating re-enables Acrobat JavaScript. While the update presumably (hopefully) fixes the recent vulnerabilities, I’m not sure I’d care to assume that no further vulnerabilities will be found. You might want to consider our earlier advice to disable it..."

- http://web.nvd.nist....d=CVE-2009-0193
- http://web.nvd.nist....d=CVE-2009-0658
- http://web.nvd.nist....d=CVE-2009-0927
- http://web.nvd.nist....d=CVE-2009-0928
- http://web.nvd.nist....d=CVE-2009-1061
- http://web.nvd.nist....d=CVE-2009-1062

Edited by AplusWebMaster, 25 March 2009 - 05:26 AM.

[AplusWebMaster]

FYI...

Adobe Reader 9.1.1 - Acrobat 9.1.1 released
- http://forums.whatth...=...st&p=558217
May 12, 2009 - "...Adobe categorizes this as a critical update ..."

- http://web.nvd.nist....d=CVE-2009-1492
- http://web.nvd.nist....d=CVE-2009-1493

[AplusWebMaster]

FYI...

Adobe Reader and Acrobat updated
- http://www.adobe.com.../apsb09-07.html
June 9, 2009
"Adobe Reader: Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows .
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com...tform=Macintosh .

Acrobat: Acrobat Standard, Pro and Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows .
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows .
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com...tform=Macintosh ...

Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities...
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."

- http://secunia.com/advisories/34580/2/
Release Date: 2009-06-10
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Partial Fix ...
Original Advisory: Secunia Research: http://secunia.com/s...search/2009-24/
Adobe: http://www.adobe.com.../apsb09-07.html

http://web.nvd.nist....d=CVE-2009-0198
http://web.nvd.nist....d=CVE-2009-0509
http://web.nvd.nist....d=CVE-2009-0510
http://web.nvd.nist....d=CVE-2009-0511
http://web.nvd.nist....d=CVE-2009-0512
http://web.nvd.nist....d=CVE-2009-0888
http://web.nvd.nist....d=CVE-2009-0889
http://web.nvd.nist....d=CVE-2009-1855
http://web.nvd.nist....d=CVE-2009-1856
http://web.nvd.nist....d=CVE-2009-1857
http://web.nvd.nist....d=CVE-2009-1858
http://web.nvd.nist....d=CVE-2009-1859
http://web.nvd.nist....d=CVE-2009-1861

Edited by AplusWebMaster, 14 June 2009 - 05:59 AM.
Added Secunia and CVE links...

[AplusWebMaster]

FYI...

Adobe Reader UNIX update v9.1.2
- http://www.adobe.com.../apsb09-07.html
June 16, 2009 - Bulletin updated with link to Adobe Reader UNIX update...
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com...p;platform=Unix ..."

.

[AplusWebMaster]

FYI...

Shockwave Player vuln - update v11.5.0.600 available
- http://www.adobe.com.../apsb09-08.html
June 23, 2009 - "A critical vulnerability has been identified in Adobe Shockwave Player 11.5.0.596 and earlier versions. This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system... To resolve this issue, Shockwave Player users on Windows should -uninstall- Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: http://get.adobe.com/shockwave/ . This issue is remotely exploitable..."

- http://voices.washin...x_for_adob.html
June 25, 2009 - "...Readers should be aware that by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."

http://web.nvd.nist....d=CVE-2009-1860
http://web.nvd.nist....d=CVE-2009-2186

- http://secunia.com/advisories/35544/2/
Release Date: 2009-06-24
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Shockwave Player 11.x ...
Solution: Uninstall versions prior to 11.5.0.600, restart the system, and install version 11.5.0.600:
http://get.adobe.com/shockwave/

- http://www.us-cert.g...e_for_shockwave
June 24, 2009

Edited by AplusWebMaster, 29 June 2009 - 10:52 AM.
Added SecurityFix link...

[AplusWebMaster]

FYI...

Adobe Shockwave v11.5.1.601 released
- http://www.adobe.com.../apsb09-11.html
July 28, 2009 - "...Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/ .
Users who are unable to update to version 11.5.1.601 of Shockwave Player should consider installing MS09-034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Shockwave Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035... Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."

Once again ...
- http://voices.washin...x_for_adob.html
"... by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."

- http://secunia.com/advisories/36049/2/
Release Date: 2009-07-29
Critical: Highly critical
Impact: System access, Exposure of sensitive information, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Shockwave Player 10.x, Shockwave Player 11.x, Shockwave Player 8.x, Shockwave Player 9.x
Solution: Update to version 11.5.1.601.
http://get.adobe.com/shockwave/
Original Advisory:
http://www.adobe.com.../apsb09-11.html ...

- http://www.us-cert.g...kware_player_11
updated July 31, 2009

Test site: http://www.adobe.com...ckwave/welcome/

Edited by AplusWebMaster, 01 August 2009 - 08:07 AM.

[AplusWebMaster]

FYI...

Adobe Reader v9.1.3 - Acrobat v9.1.3 released
- http://www.adobe.com.../apsa09-03.html
Last Updated: July 31, 2009
"...Adobe Reader
Users who download the full 9.1 installer from http://get.adobe.com/reader/ will be offered the Adobe Reader 9.1.3 patch by the Adobe Updater technology on first launch. Users can also click "Help > Check for Updates" to be sure their installation is fully patched and up-to-date...
Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows.
... Adobe Reader 9.1.3 update - Multiple Languages | 1.6MB | 7/31/2009 ...
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com...tform=Macintosh.
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com...p;platform=Unix.
Acrobat
Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows.
... Adobe Acrobat 9.1.3 Professional and Standard Update - Multiple Languages
1.6MB | 7/31/2009
Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows.
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com...tform=Macintosh.
Severity rating
Adobe categorizes these as critical issues and recommends affected users patch their installations..."

[AplusWebMaster]

FYI...

Adobe Reader/Acrobat vuln - unpatched
- http://blogs.adobe.c...at_issue_1.html
October 8, 2009 - "Adobe is aware of reports of a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX. There are reports that this issue is being [u]exploited in the wild in limited targeted attacks; the exploit targets Adobe Reader and Acrobat 9.1.3 on Windows. Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update*, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date..."
* http://www.adobe.com.../apsb09-15.html

- http://secunia.com/advisories/36983/2/
Release Date: 2009-10-09
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...

- http://blog.trendmic...ro-day-exploit/
Oct. 9, 2009 - "... users are recommended to disable JavaScript in Adobe Acrobat/Reader to mitigate the said attack. To do this, they should follow these steps:
1. Run Acrobat or Adobe Reader.
2. Go to Edit > Preferences.
3. Select JavaScript under the Categories tab.
4. Uncheck the “Enable Acrobat JavaScript” option.
5. Click OK..."

Edited by AplusWebMaster, 10 October 2009 - 09:14 AM.

[AplusWebMaster]

FYI...

Adobe Reader 9.2 and Acrobat 9.2 released
- http://www.adobe.com.../apsb09-15.html
October 13, 2009 - "... This update resolves a heap overflow vulnerability that could lead to code execution (CVE-2009-3459*)... Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX...
Solution:
Adobe Reader
- Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows
- Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com...tform=Macintosh
- Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com...p;platform=Unix
Acrobat
- Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows
- Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows
- Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com...latform=Windows
- Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com...tform=Macintosh ..."

* http://web.nvd.nist....d=CVE-2009-3459
Last revised: 10/13/2009
CVSS v2 Base Score: 9.3 (HIGH)

Adobe Plugs 29 Critical Reader, Acrobat Holes
- http://voices.washin..._reader_ac.html
October 13, 2009

CVE-2007-0048, CVE-2007-0045, CVE-2009-2564, CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2984, CVE-2009-2985, CVE-2009-2986, CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, CVE-2009-2990, CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994, CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3460, CVE-2009-3461, CVE-2009-3462

- http://blogs.adobe.c...urity_upda.html
October 13, 2009

Edited by AplusWebMaster, 14 October 2009 - 04:14 AM.

[AplusWebMaster]

FYI...

Adobe PDF Reader exploit in the wild
- http://blog.trendmic...promise-in-tow/
Oct. 15, 2009 - "A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to have infected several Indian, Thai, and New Zealand websites. The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates*. The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list. Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggerred redirections to various malicious URLs that ultimately led to the download of more malicious files. The recent reemergence of the ASProx code or the cybercriminals behind it may not have brought anything new to the table but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity..."
* http://www.adobe.com.../apsb09-15.html
October 13, 2009