blog trackingRealtime Web Statistics Adobe Archives - Page 4 of 4 - Gregory D. Evans | Worlds No. 1 Security Consultant

Posts Tagged ‘Adobe’

Beware Adobe Software Upgrade Notification – malware attached!

Cybercriminals have widely spammed out a malware attack posing as upgrades for Adobe Acrobat Reader and Adobe X Suite Advanced.Beware Adobe Software Upgrade Notification – malware attached!, Blog, Software, malware, Adobe, Beware, upgrade, Notification, attached

View full post on Naked Security – Sophos

View full post on National Cyber Security

Adobe SSL Certificate Problem (fixed), (Wed, Oct 5th)

Tuesday morning, we received a number of reports from readers indicating that the SSL certificate used for “settings.adobe.com” was out of date. Initially, we had a hard time reproducing the finding. But some of our handlers in Europe were able to see the expired certificate.

The expired certificate was valid from Oct 6th  2009 to Oct 6h 2010. Which is somewhat unusual. Typically, we would expect a certificate that “just expired yesterday” and someone forgot to renew it. In this case, it looked more like someone installed an older certificate instead of the new one.

The correct certificate was pretty much exactly a year old and valid for another year. Everything indicated that the Adobe certificates indeed expire in the first week of October.

In the end, we narrowed the affected geography down to Europe and contacted Adobe. Adobe responded promptly and as of this evening, the problem appears to be fixed. Thanks everybody who helped via twitter narrowing down the affected geography and thanks to the readers reporting this initially.

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Article source: http://isc.sans.edu/diary.html?storyid=11737&rss

View full post on National Cyber Security

Gergory Evans

11.40.6 Adobe Flash Player Multiple Vulnerabilities

CVEs: CVE: CVE-2011-2426,CVE-2011-2427,CVE-2011-2428,CVE-2011-2429,CVE-2011-2430,CVE-2011-2444

Platform: Cross Platform

View full post on @RISK: The Consensus Security Alert

View full post on National Cyber Security

(1) HIGH: Adobe Flash Player Multiple Vulnerabilities

Category: Widely Deployed Software

Affected:

  • Adobe Flash Player for Windows, Macintosh, Linux, and Solaris versions prior to 10.3.183.7
  • Adobe Flash Player for Android prior to 10.3.186.6

View full post on @RISK: The Consensus Security Alert

View full post on National Cyber Security

Gergory Evans

(1) HIGH: Adobe Flash Player Multiple Vulnerabilities

Category: Widely Deployed Software

Affected:

  • Adobe Flash Player for Windows, Macintosh, Linux, and Solaris versions prior to 10.3.183.7
  • Adobe Flash Player for Android prior to 10.3.186.6

View full post on @RISK: The Consensus Security Alert

View full post on National Cyber Security

Adobe Tricks Users into Downloading, Installing Google Chrome

IconIt might be common, but that doesn’t mean I’m not allowed to wail against it – especially since I was not familiar with this particular case. As it turns out, several of Adobe products’ download pages have opt-out checkboxes to also install Google Chrome. This was spyware-like behaviour when Apple did it with Safari and the iPhone Configuration Utility, and it is still spyware-like behaviour when Adobe and Google do it with Chrome.

Since I haven’t downloaded Adobe Flash separately for a while now (Chrome has it included anyway), I hadn’t yet noticed this, but as it turns out, when you go to Flash’ download page, a checkbox is marked which automatically downloads and installs Google Chrome alongside Flash (unless you already have Chrome installed). The checkbox is marked by default, so it’s opt-out instead of opt-in. Further DuckDuckGoing reveals that Adobe Reader X, too, has Chrome bundled with it.

I have no issues with these kinds of bundles – or with Apple using its updater to offer Safari to Windows users – but only if it’s opt-in. In other words, the user should have to specifically select a checkbox – if he doesn’t, no additional spyware should be installed.

You can expect this kind of behaviour from sleazy toolbars and porn sites – but not from Google and Adobe. The only reason I’m highlighting this here as much as I’m doing is because this sleazeball and slimey behaviour needs to stop. Chrome is perfectly capable of getting around on its own (unlike Safari for Windows, which sucks beyond belief), and this only reflects badly upon an otherwise excellent browser.

Google and Adobe, please stop this.

Article source: http://osnews.com/story/25184/Adobe_Tricks_Users_into_Downloading_Installing_Google_Chrome

View full post on National Cyber Security » Spyware/ Cyber Snooping

Adobe Prenotification Security Advisory for Adobe Reader and Acrobat

current activity RSS feed current activity ATOM feed

The US-CERT Current Activity web page is a regularly updated summary
of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.

Last reviewed: September 9, 2011 09:11:32 EDT



Adobe Prenotification Security Advisory for Adobe Reader and Acrobat

added September 9, 2011 at 08:18 am

Adobe has issued a prenotification advisory indicating that it plans to release updates for Adobe Reader and Acrobat to address multiple vulnerabilities. The advisory indicates that updates for Windows and Macintosh will be available on September 13, 2011.

US-CERT encourages users and administrators to review the Adobe Advisory.

US-CERT will provide additional information as it becomes available.

Microsoft Releases Advance Notification for September Security Bulletin

added September 8, 2011 at 02:04 pm

Microsoft has issued a Security Bulletin Advance Notification indicating that its September release will contain five bulletins. These bulletins will have the severity rating of important and will be for Microsoft Windows and Microsoft Office. Release of these bulletins is scheduled for Tuesday, September 13, 2011.

US-CERT will provide additional information as it becomes available.

Fraudulent DigiNotar SSL Certificate

added August 30, 2011 at 08:40 am | updated August 30, 2011 at 11:27 am

US-CERT is aware of public reports of the existence of at least one fraudulent SSL certificate issued by DigiNotar. This fraudulent SSL certificate could be used by an attacker to masquerade as any subdomain of google.com.

Mozilla will be releasing new versions of Firefox for desktop (3.6.21, 6.0.1, 7, 8, and 9) and mobile (6.0.1, 7, 8, and 9). Additional information can be found in the Mozilla Security Blog.

Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List. This change affects all versions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft will be releasing a future update for Windows XP and Windows Server 2003 to address this issue. Additional information can be found in Microsoft Security Advisory 2607712.

Google Chrome users are protected from this attack due to Chrome’s built-in certificate pinning feature. Google also plans to disable the DigiNotar certificate authority. Additional information can be found in the Google Security Blog.

US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risks. US-CERT will provide additional information as it becomes available.

Potential Hurricane Irene Phishing Scams

added August 29, 2011 at 12:05 pm

In the past, US-CERT has received reports of phishing scams and malware campaigns related to topics that are of high-interest to the U.S. Government or news media, such as Hurricane Irene. Users’ systems have been compromised by receiving and accessing phishing emails with subject lines that seem relevant to a high-interest subject and appear to originate from a valid sender. US-CERT reminds users to remain vigilant for potential malicious cyber activity seeking to capitalize on interest in Hurricane Irene. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Irene, even if it appears to originate from a trusted source.

US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:


Cisco Releases Security Advisories

added August 25, 2011 at 12:54 pm

Cisco has released three security advisories to address vulnerabilities affecting the Cisco Unified Communications Manager, the Cisco Unified Presence Server, and the Cisco Intercompany Media Engine. These vulnerabilities may allow an attacker to disclose sensitive information or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the following Cisco security advisories and apply any necessary updates to help mitigate the risks.


Google Releases Chrome 13.0.782.215

added August 23, 2011 at 08:07 am

Google has released Chrome 13.0.782.215 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and update to Chrome 13.0.782.215 to help mitigate the risks.

Mozilla Releases Firefox 6 and 3.6.20

added August 17, 2011 at 07:57 am

The Mozilla Foundation has released Firefox 6 and Firefox 3.6.20 to address multiple vulnerabilities.  These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories for Firefox 6 and Firefox 3.6.20 and apply any necessary updates to help mitigate the risks.

RIM Releases Security Advisory for BlackBerry Enterprise Server

added August 10, 2011 at 01:22 pm

RIM has released a security advisory to address a vulnerability in the BlackBerry MDS Connection Service and BlackBerry Messaging Agent for the BlackBerry Enterprise Server.  The vulnerability may allow an attacker to execute arbitrary code or gain unauthorized access to the BlackBerry Enterprise Server.

US-CERT encourages users and administrators to review the BlackBerry security advisory KB27244 and apply any necessary updates to help mitigate the risks.

Adobe Releases Security Bulletins for Multiple Products

added August 10, 2011 at 09:59 am

Adobe has released security bulletins to alert users of critical and important vulnerabilities in multiple products. The following products are affected:

  • Adobe Shockwave Player 11.6.0.626 and earlier versions on the Windows and Macintosh operating systems
  • Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris
  • Adobe Flash Player 10.3.185.25 and earlier versions for Android
  • Adobe Flash Media Server 4.0.2 and earlier versions
  • Adobe Flash Media Server 3.5.6 and earlier versions for Windows and Linux
  • Adobe Photoshop CS5 and CS5.1 and earlier for Windows and Macintosh
  • RoboHelp 9.0.1.233 and earlier, RoboHelp 8, RoboHelp Server 9, and RoboHelp Server 8

Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, take control of an affected system, or perform a cross-site scripting attack.

US-CERT encourages users and administrators to review the Adobe security bulletins and apply any necessary updates to help mitigate the risks.

Microsoft Releases August Security Bulletin

added August 4, 2011 at 01:25 pm | updated August 9, 2011 at 02:38 pm

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Office, Microsoft .NET Framework, and Microsoft Developer Tools as part of the Microsoft Security Bulletin Summary for August 2011. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, cause a denial-of-service condition, or disclose sensitive information.

US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.

Article source: http://www.us-cert.gov/current/index.html#adobe_prenotification_security_advisory_for2

View full post on National Cyber Security

Adobe admits Google engineer responsible for Flash Player bug patches

Adobe last week acknowledged that as many as 80 bugs in Flash Player were reported by a Google security engineer, as it continued to defend its decision not to spell out details of the vulnerabilities.

Google also cited the same number, apparently putting to rest the spat between the engineer, Tavis Ormandy, and Adobe. In a pair of blog posts, Adobe and Google spelled out how the number “400″ that Ormandy had cited ended up being cut by 80%.

“The initial run of the ongoing effort resulted in about 400 unique crash signatures, which were logged as 106 individual security bugs following the initial triage,” said Brad Arkin, Adobe’s senior director of product security and privacy. “As these bugs were resolved, many were identified as duplicates that weren’t caught during the initial triage. In the final analysis, the Flash Player update we shipped earlier this week contains about 80 code changes to fix these bugs.”

Google’s blog post, which was attributed to Chris Evans, Matt Moore and Ormandy, all members of the company’s security team, used almost-identical language to describe the bug count culling. In the post, Google also said it had devoted 2,000 CPU cores over a four week period to the massive “fuzzing” project directed at Flash.

Last week, Ormandy had questioned not only the bug total, but Adobe’s decision not to list each of the vulnerabilities in the security bulletin that accompanied the update.

“To us, the joint projects we do with partners, including Google, are extensions of our internal security review and code hardening,” said Arkin.

Because it does not consider those flaws publicly known, Adobe does not assign them a CVE (Common Vulnerabilities and Exposures) designation, Arkin said. When it issued the Flash Player update and security bulletin, it listed just 13 CVEs. On Friday it added one more to account for those reported by Ormandy and Google.

“This update resolves multiple memory corruption vulnerabilities that could lead to code execution,” Adobe stated in the new entry for CVE-2011-2424.

Normally, Adobe doesn’t reveal a number associated with vulnerabilities it or its partners have found, and that have been patched. But Arkin acknowledged that it needed to do exactly that this time. “With every release [of Flash Player] we do a lot of code hardening, but because there’s been public discussion, this internal topic has become external,” Arkin said.

Andrew Storms, director of security operations at nCircle Security, put that into plainer words. “They were forced to,” said Storms.

CVEs are used by security researchers to correlate and coordinate publicly disclosed vulnerabilities, said Storms, and by others, including analysts, the media and security professionals within organisations, to gauge how often a product is patched and how the vendor deals with bugs. “If a product has a large number of CVEs, there’s more concern about those managing the development lifecycle of the product,” said Storms.

But since CVEs are assigned differently by different vendors, it’s tricky to use them to compare several products’ security prowess simply by looking at the numbers, Arkin argued.

Google and Mozilla, for instance, assign CVEs for vulnerabilities discovered by internal developers, as does Apple on occasion. Microsoft, like Adobe, does not.

In fact, Arkin credited the Chrome team’s different approach to CVE assignments for last week’s squabble. “We didn’t allocate any CVEs because we viewed this testing as part of the [Secure Product Lifecycle] that spans the joint engineering efforts with the Google Chrome team,” Arkin said in the blog. “This led to some confusion since the Google security team has a different approach to CVE allocation.”

Another reason why Adobe didn’t list each bug, or more specifically each code change that resulted from its analysis of Google’s fuzzing work, is that it simply didn’t have the time or resources.

“It’s incredibly expensive to do that,” said Arkin. “We’d rather drive those resources into making [Flash Player] better.”

Storms understood Adobe’s reluctance to list scores of CVEs. “There’s little value for them to do that because of the negative connotation around a high CVE count,” said Storms.

Article source: http://rss.feedsportal.com/c/270/f/3551/s/176911d2/l/0Lnews0Btechworld0N0Csecurity0C32972430Cadobe0Eadmits0Egoogle0Eengineer0Eresponsible0Efor0Eflash0Eplayer0Ebug0Epatches0C0Dolo0Frss/story01.htm

View full post on National Cyber Security » Computer Hacking

Page 4 of 4«1234

Get The New Book By Gregory Evans

Everyone Is Talking About!

Are You Hacker Proof?
$15.95

Find Out More, Click Here!