Adobe has released two security bulletins to address vulnerabilities in Adobe Acrobat, Reader, and Flash Player.
The first bulletin, APSB10-06, is a security update for Adobe Flash Player and Adobe AIR that addresses a critical vulnerability. Exploitation of these vulnerabilities may allow an attacker to make unauthorized cross-domain requests. The bulletin indicates that the update also addresses a potential denial-of-service issue.
The second bulletin, APSB10-07, is a security advisory for Adobe Reader and Acrobat. This advisory indicates that Adobe is planning to release updates for Adobe Reader and Acrobat on February 16, 2010 to address critical security issues.
US-CERT encourages users and administrators to review Adobe Bulletins APSB10-06 and APSB10-07 and apply any necessary updates to help mitigate the risks.
US-CERT will provide additional information as it becomes available.
Tag Archives: Flash
Apple releases patches for OS X security flaws
Filed under Security News
Tagged as 10.5, 10.6, Flash, holes, images, OpenSSL, OS X, patch, security, update
Vulnerabilities in OS X 10.5 and 10.6 were addressed in Apple's first security update of 2010, patching a dozen known security holes in the Mac operating system.
While five of the vulnerabilities were inherent in Apple's own software, the other seven were found in Adobe's Flash Player plug-in, which could lead to remote code execution and other serious issues. Experts say that Flash Player is fast developing a reputation as one of the most popular targets for would-be cyber criminals.
Media functionality was at the heart of the remaining problems as well, as Apple fixed vulnerabilities involving maliciously crafted .mp4 audio files, .dng images, and .tiff images. The company's latest round of patches also fixed a months-old vulnerability in OpenSSL, which could have allowed attackers to breach network security and alter protected internet sessions.
PC Magazine security blogger Larry Seltzer questions the timing of the OpenSSL patch, since OpenSSL itself released a fix for the problem "almost immediately" after the discovery of the vulnerability. "It's not clear what took Apple so long," writes Seltzer.
XP users should upgrade their Flash installation ASAP
Filed under Security News
Tagged as adobe, advisory, Flash, flaw, outdated, security, Vulnerabilities
Adobe Flash Player 6, the version of that online graphics framework that came pre-installed with Windows XP, has been found to contain numerous security flaws, according to Microsoft.
The software giant yesterday issued a security advisory, stating that the vulnerabilities could enable "a specially crafted web page" to remotely execute code on machines running Flash Player 6. Ars Technica notes that Adobe stopped providing security updates for the outdated player in 2006.
Microsoft recommended that XP users immediately update their Flash installation to a newer version, describing the vulnerability as "severe." Users of old versions of Flash running on new operating systems were still vulnerable, though less so than XP users. The company said that it was not aware of any live exploits, but warned that the possibility was certainly there.
Older, unpatched versions of most software are much more likely to be vulnerable to spyware or viruses, experts say. Users are encouraged to update their programs, plug-ins, and operating systems as often as possible to stay ahead of the numerous digital threats present online.
Password flaw found in Kingston flash drives
Filed under Security News
Tagged as 25-bit, AES, drive, Flash, issue, Kingston, password, recall, vulnerability
Software from a German security company has uncovered an issue in the way Kingston's flash drives process passwords, prompting the latter company to issue a recall for the devices late last month.
The Tech Herald reports that certain types of portable flash storage made by Kingston can be accessed without a password, even if encryption is in use on the drive. The German company, SySS, said that it had cracked the 25-bit AES encryption used to authenticate passwords on several of Kingston's popular models, making the devices vulnerable to identity theft.
ZDNet reports that the devices affected by Kingston's recall are the DataTraveler BlackBox, DataTraveler Secure - Privacy Edition, and DataTraveler Elite - Privacy Edition. While some users may have to physically return the devices to the company, Kingston has said that it is working on a firmware update to correct the problem.
Other makers of storage solutions have encountered trouble in recent weeks, with users of Apple's Time Capsule personal backup servers complaining that the devices sometimes fail due to an overheating problem.
Defense department looking at flash drive, social networking security
The Department of Defense may partially lift a ban on USB flash drives, which had been imposed in November 2008 because of worms and viruses spreading across defense networks from infected USB thumb drives.
Military officials enacted the ban to protect sensitive information from data theft, but the blanket ban on flash drives causes inconveniences for troops using the devices to carry data in the field, CNET News reported.
Robert Carey, chief information officer for the Department of the Navy, posted on the Navy's CIO blog that some uses of flash drives will be permitted, although the department is assessing whether to allow personnel to access social networking sites (SNS).
"The benefits of access to SNS and other user generated content sites are great; however, the risks also must be weighed and factored into decisions," Carey said on the blog.
Flash drives can carry forms of malware that jump to the drives from infected PCs and can spread by downloading from the memory stick onto new computers.
The Conficker worm has spread to potentially millions of PCs by jumping from USB flash drives onto machines. Worms also spread rapidly on SNS through hacked accounts.
Apple patches Flash security vulnerability in Snow Leopard
Filed under Security News
Tagged as 10.6.1, Apple, Flash, Mac OS X, patch, Snow Leopard, vulnerability
Apple updated its Snow Leopard operating system, just released to much fanfare, to patch a security vulnerability in an older version of Adobe Flash Player that had shipped with the OS.
Apple published the update, Mac OS X v10.6.1, to bring Snow Leopard's version of Flash up to 10.0.32.18, the latest and most secure version. Security researchers had warned that using the older version of Flash left Mac users vulnerable to malware attacks.
"Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted website," Apple said in its security bulletin.
Flash is responsible for running much of the video and animated content on websites.
Users can update to the latest Snow Leopard by opening the Software Update window, selecting the items to install and clicking Install.
Initial reports from Snow Leopard users indicated that compatibility issues were a problem for some users of HP printers. The Snow Leopard update fixes these compatibility issues and includes fixes for other minor problems, CNET News reported.
Firefox 3.5.3, 3.0.14 will detect outdated Flash
Mozilla said on its security blog that the new releases of its popular Firefox web browser will be able to detect if a user has an outdated version of Adobe Flash and will direct users to download the latest version.
Upon updating to Firefox 3.5.3 and Firefox 3.0.14, the browser will direct users with outdated Flash Player to the Adobe download site with a message that reads: "You should update Adobe Flash right now. Firefox is up to date, but your current version of Flash can cause security and stability issues. Please install the free update as soon as possible."
Flash is the software that allows users to see movies and animations in their web browser. As one of the most common applications on websites, Flash Player is a frequent target of hacker attacks, and as many as 80 percent of web users currently have an out-of-date version.
"Our intent is to get the user's attention and direct them to the Adobe web site where they can download the most up to date version," wrote Mozilla's Johnathan Nightingale on the Mozilla security blog. "Mozilla will work with other plugin vendors to provide similar checks for their products in the future."
Keeping software and web browsers up to date remains one of the best ways to stay protected from web security threats like malware, spam and identity theft.
Report: Adobe Flash is ‘biggest security hole’ on the web
In the weeks since Adobe released a critical patch for Flash and Acrobat Reader, research from security firm Trusteer shows that almost 80 percent of internet users are still running unpatched versions.
Based on a survey of the company's 2.5 million customers in North America and Europe, Trusteer said the number of vulnerable users represents "the biggest security hole on the internet today and the failure of Adobe to address it in a timely manner is extremely troubling."
Last month, security researchers discovered exploits of a Flash vulnerability that could infect PCs with Trojan malware when users opened a malicious Adobe Acrobat PDF file, which caused Adobe to rush security updates for Flash Player, Acrobat and Reader.
According to Adobe, 99 percent of internet users run Flash. By comparison, Internet Explorer is only used by 65 percent of internet users, while Firefox is used by about 30 percent.
"Given these numbers, it is not surprising that criminals are much more focused today on Flash and Acrobat," Trusteer said in an advisory earlier this month.
Security firm Sophos has identified Flash-exploiting malware embedded in Microsoft Excel files and predicted malware authors will use PowerPoint and Word to spread Flash-based attacks.
Adobe fixes Flash flaws caused by bad Microsoft code
Adobe issued web security patches yesterday for flaws in Flash Player and Shockwave that were caused by vulnerable code in the Microsoft Active Template Library (ATL), a code library included with Visual Studio for developing software.
Adobe said the flaws could allow a remote attacker to take control of a system. Adobe is making updates available for Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX to fix the security bugs. Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows are also affected.
Microsoft earlier this week had patched the critical bugs in Visual Studio, which were related to an errant ampersand (&) in the code. But any software developed using the code remained vulnerable to attacks.
"We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL," Adobe's security response team said on its blog.
Only Internet Explorer plug-ins are vulnerable to the Flash bug, so people using Flash Player within the Firefox browser or other Windows browsers are not vulnerable, Adobe said.
Hackers have actively targeted the Flash security holes using drive-by download or "browse-and-get-owned" attacks hosted on compromised websites.
Security flaw in Adobe Flash exploited by Trojan malware
Security researchers at Symantec have identified a critical vulnerability in Adobe Flash that allows an attacker to infect PCs with Trojan malware upon opening a malicious Adobe Acrobat PDF file. Adobe acknowledged the flaw and said it is working on releasing a fix by July 30.
The Flash vulnerability affects current versions of Flash Player for Windows, Mac and Linux operating systems and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX, Adobe's security response team said on its blog.
Deleting, renaming or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a crash or error message when opening a PDF that contains SWF content, Adobe said.
Symantec warned Wednesday that the Flash bug is serious because of the widespread use of Flash across operating systems and products.
Whereas most vulnerabilities only affect one web browser or software product, Flash exists in all popular browsers and is also available in PDF documents.
"[T]herefore, the threat posed by this issue is not to be taken lightly," Symantec warned on its blog.