Category Archives: Adobe

Flash Player 11.9.900.170 fixes two vulnerabilities

Adobe has released a new version of its ubiquitous Flash Player. Version 11.9.900.170 includes fixes for two security vulnerabilities, as well as some other bug fixes.

As usual, Flash in Internet Explorer 10 on Windows 8.x will be updated separately, by way of Microsoft Update. Google Chrome will also get the new version of Flash via its own internal update mechanism.

Adobe systems breach

On October 3, 2013, Adobe announced that their network and some of their servers had been breached. Their investigation continues, and the full scope and impact of the breach have yet to be determined.

However, we do know the following:

  • The intruders obtained Adobe customer data, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. According to Adobe, “At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.” Adobe reset the passwords for all affected user accounts, and has been sending out alerts to those users. If you have never purchased software from Adobe directly, you should be safe. If you receive an alert from Adobe, follow their instructions to change your password.
  • The intruders also obtained source code for at least one product: Acrobat/Reader. Reader is already a popular target for malware perpetrators, and having access to the source code can only make things easier for them. Stay tuned for a fresh new crop of Reader security issues.

Ars Technica has additional details, as does the SANS ISC Diary.

Update 2013Nov02: Ars Technica explains exactly what Adobe did wrong and why we should all be worried about it. Adobe now says that as many as 38 million users were affected by the breach.

Update 2014Oct10: Duo Security reviews the fallout from this breach, and warns of the dangers of password hints.

Patch Tuesday for October 2013

Patches from Microsoft and Adobe were announced today, along with a new version of Flash.

Eight bulletins from Microsoft fix security vulnerabilities in Windows, Internet Explorer, .NET, Office, Windows Server and Silverlight.

The Microsoft Security Research Center as usual provides a more friendly overview of this month’s patches, while the SANS Internet Storm Center provides a wealth of technical details.

Two bulletins from Adobe fix security vulnerabilities in Adobe Reader/Acrobat and Robohelp.

Flash 11.9.900.117 includes a long list of bug fixes. Chrome will be updated silently to match the new version of Flash. An update for Internet Explorer 10 on Windows 8 is also on the way.

Advance patch notifications from Microsoft and Adobe

Next Tuesday, October 8, will see patches from Microsoft (for Internet Explorer, Windows, .NET, Office and Silverlight) and Adobe (for Reader/Acrobat).

Included in the patches from Microsoft will be a fix for the recently discovered security flaw affecting all versions of Internet Explorer.

Another bug fix for ActiveX version of Flash

Adobe released new versions of Flash for all platforms on September 10. A few days later, they released a new ActiveX version (11.8.800.174) to fix some bugs that were discovered in the previous release.

Today, Adobe released yet another ActiveX version of Flash to fix one more bug. The new version (11.8.800.175) is now available, but only via the Flash auto-updater.

For some unknown reason, Adobe has not posted the new version to the main download page, so anyone trying to update Flash in Internet Explorer by visiting this page will have no luck. According to Adobe, they hope to have version 11.8.800.175 available on the main download page on September 24.