Tag Archive | Adobe

Patch Tuesday: A Fat One After All! Windows, Adobe Updates Galore!


Microsoft and Adobe have issued their round of updates today, as of 1 PM EST. Details of what was fixed follow.

First, Microsoft: five of the 12 patches Microsoft released today earned a “critical” rating. This means that attackers could exploit such vulnerabilities at any time.

The vulnerabilities include flaws in the Windows implementation of Vector Markup Language (VML), in Microsoft Exchange, and in the way Windows handles certain media files. The remaining critical patch fixes a flaw only on Windows XP systems.

Today’s update may include a patch for .NET. This should be installed separately for best results: install all other updates, and then do the .NET patch. This seems to be the best plan.

Adobe fixes Flash and Shockwave Players:

APSB13-05 covers the fixes for CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638 and CVE-2013-0637. The fixes are for Flash Player, AIR and AIR SDK.

APSB13-06 covers the fixes for CVE-2012-0613 and CVE-2012-0636 in the Shockwave Player.

Here are the new versions:

Flash Player

  • Windows, 11.6.602.168
  • Mac, 11.6.602.167
  • Linux, 11.2.202.270
  • Android 4.x, 11.1.115.47
  • Android 2.x-3.x, 11.1.111.43

Adobe AIR

  • Windows, Mac, & Android, 3.6.0.597

Adobe AIR SDK

  • Windows, Mac, & Android, 3.6.0.599

Adobe AIR Update Link

Google today pushed out its Chrome channel update for Flash Player.

Adobe’s Patch Tuesday for Acrobat/Reader – ColdFusion Problems


Adobe will release a round of updates on Patch Tuesday (as usual). This month, Patch Tuesday (which involves Microsoft and Adobe, sometimes Oracle) will be on January 8. Its first updates involve vulnerabilities in Reader and Acrobat products, while the other issues involve ColdFusion vulnerabilities.

“Adobe is aware of reports of security issues in ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX that are being exploited in the wild. We are currently evaluating the reports and plan to issue a security advisory as soon as we have determined mitigation guidance for ColdFusion customers and a timeline for a fix,” said Adobe’s Wendy Poland in an advisory posted January 3.

On the good-news side of things, none of these vulnerabilities are being actively exploited in the wild. But let’s not be too hasty and underestimate the threats. Make sure to get patched on Tuesday!

Vulnerabilities in Adobe Reader and Acrobat versions 11.0.0 and earlier are going to be patched next week.

Last month, there were issues in Flash Player and ColdFusion. Looks like these are favorites of hackers as of late.


Yahoo Flaws Potentially Found by Egyptian Hacker


Security experts are investigating an Egyptian hacker who goes by the name “Virus_Hima”, who released screenshots of potential flaws in Yahoo’s website. This has been done before by the hacker, whose intentions may or may not be good.

One of the flaws identified by this hacker included the ability to access a full backup of one of Yahoo’s domains. The other problems included a cross-site scripting (XSS) vulnerability and an SQL injection vulnerability, according to a PasteBin.com post, “Yahoo data leak by Virus_Hima”.

His previous work included Adobe, where he released a batch of more than 200 email addresses obtained from a database belonging to the company. As a result, Adobe shut down Connectusers.com, which is the Connect Web conferencing service.

His “good intentions” aside, it appears that he has also shut down the claim that he sold a $700 XSS vulnerability on the black market. He claims to be a former blackhat, and that his intentions as a vulnerability researcher are good. However, in his PasteBin.com post he was spotted taking shots at security reporter Brian Krebs, calling his site “Krebsonshitz” when it clearly is “Krebs on Security”. Krebs reported on the hacker back when the XSS vulnerability was being sold.

December Patches are in: Microsoft and Adobe have updates ready for Black Tuesday


Well it’s Patch Tuesday, or what some people call “Black” Tuesday.

Seven security bulletins were released for Microsoft products, patching at least 11-12 vulnerabilities. It could be more on some systems.

Current bulletins for this round:

  1. MS12-077 Cumulative Security Update for Internet Explorer
  2. MS12-078 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
  3. MS12-079 Vulnerability in Microsoft Word Could Allow Remote Code Execution
  4. MS12-080 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution
  5. MS12-081 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution
  6. MS12-082 Vulnerability in DirectPlay Could Allow Remote Code Execution
  7. MS12-083 Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass


As for the December Adobe updates: they are for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.251 and earlier versions for Linux, Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x, Adobe said.

The three updates fix a buffer overflow vulnerability, integer overflow vulnerability and a memory corruption vulnerability, all three of which could lead to code execution, Adobe also said.

There is also a security hotfix available to fix miscellaneous vulnerabilities in ColdFusion. Get updates for Adobe products at Adobe.com.


Apple Fixes QuickTime Vulnerabilities, Adobe Ignores Reader Flaws

Quite a week in the vulnerabilities sector, as Adobe already fixed quite a few flaws in Flash Player and AIR. Now, Apple has fixed nine vulnerabilities in QuickTime. Meanwhile, Adobe has ignored the Reader flaws that are currently pending, and could be exploited soon.

For QuickTime, Apple’s media playback technology, most of the vulnerabilities were buffer overflows. Only users of Windows XP SP2 and up have to update; Mac OS X was not affected. See the security update from Apple for more information on what was fixed. You can update QuickTime by visiting http://www.apple.com/QuickTime

As for Adobe Reader… well, that’s a long story. Here’s the short version of it: Moscow-based security firm Group-IB has identified a new exploit, capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11), that is being sold in the underground for up to $50,000. The vulnerability makes it possible to sidestep Adobe Reader’s sandboxing mechanism in order to run the exploit code. The exploit works only on Windows, and requires users to close the web browser for it to work correctly.

Adobe spokespeople state the problem cannot be identified, and therefore there is nothing to fix.

To keep your computer protected from exploits, please see the following:

Critical fix issued for Shockwave Player – Oct. 23, 2012


Adobe has released a critical update for Shockwave Player after several serious vulnerabilities were found.

  • Users of 11.6.7.637 and earlier versions should now update to version 11.6.8.638 – Update Now
  • Updates are available for Windows and Mac systems.
  • There is no active propagation of exploits.
  • Check to see if you have Shockwave Player.
  • Shockwave Player is not the same as Adobe Flash Player, which was updated October 8.
  • Check release notes.
  • Uncheck the Norton Security Scan, if it shows.

September Patch Tuesday 2012 updates

Here’s a small update to yesterday’s Patch Tuesday. Microsoft seemed to have only two critical fixes…

The first patch, MS12-061, applies to Microsoft Visual Studio Team Foundation Server. The other update, MS12-062, fixes a flaw in Microsoft Systems Management Server 2003 and Microsoft System Center Configuration Manager 2007.

Note to system administrators: Microsoft is urging you to test out the following update: KB2661254, which is an update to help mitigate the risks associated with the Flame malware. It won’t be released until October, but it is available for testing purposes. It is best to strengthen your SSL certificates.

As for Adobe updates… The most important bulletin is APSB12-19 which fixes seven vulnerabilities in Flash Player. More details on that here.

 
