Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: adobe

    Latest Warnings / Time to Patch33 Comments
    5
    Jun 10

    Adobe Warns of Critical Flaw in Flash, Acrobat & Reader

    Adobe Systems Inc. warned late Friday that malicious hackers are exploiting a previously unknown security hole present in current versions of its Adobe Reader, Acrobat and Flash Player software.

    “There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat,” the company said in a brief blog post published Friday evening. “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.”

    Adobe said the vulnerability exists in Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and a component (authplay.dll) of Adobe Reader and Acrobat versions 9.x for Windows, Mac and UNIX operating systems.

    The company notes that the Flash Player 10.1 Release Candidate, available from this link, does not appear to be vulnerable. Adobe also said Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Further, Adobe Reader and Acrobat users can mitigate the threat from this flaw by deleting, renaming or removing access to the “authplay.dll” file that ships with Reader and Acrobat (although users may still experience a non-exploitable crash or error message when opening a PDF that contains Flash content).

    The vulnerable component should be located at these spots for Windows users:

    Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll

    Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll

    Adobe says it is working on an official patch for the problem. Stay tuned for more details.

    Update, June 7, 11:25 a.m. ET: Symantec is reporting that one strain of malware exploiting this vulnerability is something it calls Trojan.Pidief.J, which is a PDF file that drops a backdoor onto the compromised computer if an affected product is installed. Clearly, this is a follow-the-bouncing-malware type of exploit: “Upon analysis of an attack, it is also observed that a malicious [Shockwave Flash] file (detected as Trojan Horse) is used in conjunction with an HTML file (detected as Downloader) to download another malware (detected as Backdoor.Trojan) from the web,” the company said. Symantec notes that while the current attacks against this flaw are targeted and limited, that will likely soon change as more criminal groups start taking advantage of the vulnerability.

    Update, June 8, 12:40 p.m. ET: Adobe said today that it plans to issue a patch for the Flash vulnerability (on 10.x versions of Flash) on Thursday, June 10, for Windows, Linux and Mac. But the software maker said it doesn’t expect to ship an update for Windows, Linux and Mac versions of Adobe Reader and Acrobat until June 29. Adobe also posted steps that Mac and Linux users can take to mitigate any threat from these vulnerabilities, in an updated advisory.

    Latest Warnings / Time to Patch22 Comments
    12
    May 10

    Microsoft, Adobe Push Critical Security Updates

    Microsoft Corp. and Adobe Systems each released security updates on Tuesday. Microsoft issued two “critical” patches that address one security flaw apiece, while Adobe’s patches fix a whole mess of serious vulnerabilities in its software.

    One of the critical updates pushed by Microsoft fixes a flaw in Outlook Express, Windows Mail and Windows Live Mail. On older versions of Windows (Windows XP for example) Outlook Express is installed by default, while Windows Mail and Windows Live Mail generally require users to affirmatively download and install the program.

    The other MS patch addresses a vulnerability in Microsoft Office, but the problem may turn out to be more complex down the road for some users. The trouble is that the vulnerable component, Microsoft Visual Basic for Applications is used not only by Microsoft Office products, but it’s also a component that is potentially installed by many third-party software apps built to work with Windows.

    Continue reading →

    Time to Patch20 Comments
    13
    Apr 10

    Adobe, Microsoft Push Security Upgrades

    Software giants Adobe and Microsoft today each released software updates to fix critical security flaws in their products. In addition, Adobe is rolling out a new auto-updater tool that should make it easier for hundreds of millions of Adobe Reader users to more safely run one of the most frequently attacked software applications.

    Continue reading →

    Time to Patch26 Comments
    23
    Jan 10

    Adobe Ships Critical Shockwave Update

    Last week, Adobe Systems Inc. shipped critical security updates for its PDF Reader software. Now comes an update that fixes at least two critical flaws in Adobe’s Shockwave Player, a commonly installed multimedia player.

    Not sure whether you even have Shockwave Player on your system? You’re not alone. Because of a long history of rebranding between Macromedia and Adobe, the various naming conventions used for this software are extremely confusing. Here’s Adobe’s effort to draw clearer distinctions between the Flash and Shockwave multimedia players:

    Continue reading →

    Latest Warnings17 Comments
    15
    Jan 10

    Exploit in the Wild for New Internet Explorer Flaw

    Less than 24 hours after Microsoft acknowledged the existence of an unpatched, critical flaw in all versions of its Internet Explorer Web browser, computer code that can be used to exploit the flaw has been posted online.

    This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.

    Microsoft said it will continue monitoring this situation and take appropriate action to protect its customers, including releasing an out-of-band patch to address the threat. Typically, Microsoft issues patches on the second Tuesday of the month (a.k.a. “Patch Tuesday), but due to the seriousness of this threat and the sheer number of companies that have apparently already been hacked because of it, Microsoft is likely to push out an update before the end of the month. In fact, I would not be surprised to see a fix for this within the next 7 to 10 days.

    In the meantime, Redmond is urging IE users to upgrade to the latest version, IE8, which the company touts as its most secure version of the browser. Still, even IE is still vulnerable, and this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple‘s Safari for Windows.

    A Little Sunshine / The Coming Storm9 Comments
    14
    Jan 10

    McAfee: Internet Explorer 0day Fueled Attacks on Google, Adobe

    The recent targeted cyber attacks against Google, Adobe and other major companies were fueled in part by a previously unknown — and currently unpatched — security flaw in Microsoft‘s Internet Explorer Web browser, anti-virus vendor McAfee said today.

    McAfee said its investigation revealed that one of the malicous software samples used in the attacks exploited a new, not publicly known vulnerability in IE that is present in all of Microsoft’s most recent operating system releases, including Windows 7.

    Continue reading →

    Time to Patch25 Comments
    13
    Jan 10

    Microsoft, Adobe Issue Security Updates

    Microsoft and Adobe Systems each issued security updates on Tuesday. Redmond released a single patch to plug a flaw that’s not terribly scary, unless you happen to be running  Windows 2000. Adobe’s patch bundle, however, covers at least eight critical security flaws, including one that hackers have been exploiting in targeted attacks of late.

    Continue reading →

    Other / Time to Patch12 Comments
    5
    Jan 10

    Security Tweaks for Adobe Reader

    Adobe is planning to ship an update a week from today that fixes a critical vulnerability in its free and widely used PDF Reader program. Unfortunately, according to experts, criminal hackers are starting to step up attempts to exploit the flaw and install malicious software via poisoned PDFs.

    Continue reading →