May 21, 2013

You are here: Home / Archives for Adobe

Microsoft and Adobe release patches for Critical vulnerabilities

May 15, 2013 by Leave a Comment

microsoft logo(LiveHacking.Com) – Two of the biggest names in PC software have released patches for a variety of their respective software products to fix critical security related issues. Microsoft has released 10 security bulletins to address 33 vulnerabilities Microsoft Windows, Internet Explorer, .NET Framework, Lync, Office, and Windows Essentials. While Adobe has issued security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Among the Microsoft patches are two cumulative updates for Internet Explorer. The first (MS13-037) resolves 11 issues in IE that could allow remote code execution if a user visits a specially crafted Web page using the browser. The second (MS13-038) addresses the Internet Explorer 8 remote code execution vulnerability that could affect users if they mistakenly follow a link, in an email or instant message, to a malicious website. This update to IE8 is important as it is the only currently supported version of IE that users of Windows XP can use.

Another interesting patch from Redmond is a security update that resolves an issue in Windows that could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.

Adobe’s updates include security updates for Adobe Flash Player for Windows, Macintosh, Linux and Android.  These updates address vulnerabilities that could cause a crash or potentially allow an attacker to take control of the affected system. The updates also affect Adobe AIR. All the patches are related to memory corruption issues that could be exploited allow an attacker to execute arbitrary code.

Adobe also updated Adobe Reader and Acrobat for Windows, OS X and Linux. As with the updates to flash, these patches address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. The following versions are affected:  Adobe Reader and Acrobat XI (11.0.02) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.4 and earlier 9.x versions for Linux.

 

Filed Under: Adobe, Microsoft, News, Vulnerability Tagged With: , ,

Microsoft and Adobe release patches to fix critical vulnerabilities

March 13, 2013 by

(LiveHacking.Com) – For March’s Patch Tuesday Microsoft has released seven bulletins, four Critical-class and three Important-class. The bulletins address 20 vulnerabilities in total across several Microsoft products including Windows, Office, Internet Explorer, Server Tools, and Silverlight. Likewise Adobe has released a security update for its popular Flash Player to address vulnerabilities that could potentially allow a hacker to take control of a vulnerable system.

Microsoft

Among the fixes is a patch for an issue in the Kernel-Mode Drivers (KMD) where an attacker could gain administrator privileges by inserting a malicious USB flash drive into a Windows machine. Since the attack works even when no user is currently logged on, it means that anyone with casual access, such as a security guard, office cleaner or anyone with access to office space, could simply plug in a USB flash drive into a PC and perform any action as an administrator. In total MS13-027 resolves three privately reported vulnerabilities correcting the way that a Windows kernel-mode USB drivers handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Nine issues have also been fixed in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage using IE. Upon successful exploit An attacker could gain the same rights as the current owner. All but one of these issues were privately reported to Microsoft and there are no reports of these vulnerabilities being used in the wild.

Microsoft Silverlight has also been patched to fix a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Adobe

adobe-logoAdobe has released a security update for Adobe Flash Player for Windows, OS X, Linux and Android. These update addresses vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected Versions

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

The update address four known vulnerabilities  an integer overflow vulnerability that could lead to code execution (CVE-2013-0646), a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650), a memory corruption vulnerability that could lead to code execution (CVE-2013-1371), a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).

As a result of the update, Google has also released a new version of Chrome.

 

Filed Under: Adobe, Intenet Explorer, Microsoft, News, Vulnerability Tagged With: , , , , ,

Microsoft to fix 57 unique vulnerabilities in February’s Patch Tuesday, also updates Flash in IE 10

February 8, 2013 by

microsoft logo(LiveHacking.Com) – Microsoft has published an advanced notification of security patches that it intends to release on Tuesday February 12, 2013. It will  release 12 bulletins, five of which are rated as Critical and seven as Important. These bulletins address 57 unique vulnerabilities in various Microsoft products including Windows, Internet Explorer and Exchange Software, Office, .NET Framework, and Microsoft Server Software.

All five Critical bulletins resolve remote code execution problems while the Important class advisories will address denial of service and elevation of privilege problem along with another less harmful remote code execution vulnerability.

Windows XP is affected by four of the five Critical bulletins, while Windows 8 is affected by only two of them. The common vulnerabilities between the oldest and newest of Microsoft’s current supported operating systems are all connected with Internet Explorer. It seems that Microsoft will patch some holes in IE which can be found in IE 6, 7, 8, 9 and 10. The version of IE 10 in Windows RT is also affected.

The other Critical bulletin will be issued regarding Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010.

IE 10 and Adobe Flash Player

Microsoft has also issued an update for Internet Explorer 10 on Windows 8 to update the built-in version of Adobe Flash Player which Adobe recently updated.  Adobe released security updates for Adobe Flash Player on Windows, OS X, Linux and Android to address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is reporting that at least two of the vulnerabilities addressed are being exploited in the wild. In one targeted attack, users are tricked  into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The other vulnerability is being exploited via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening another Microsoft Word document.

Filed Under: Adobe, Flash Player, Microsoft, News, Vulnerability Tagged With: , , , ,

Adobe releases hotfix for ColdFusion

January 18, 2013 by

adobe-logo(LiveHacking.Com) –  Earlier this month Adobe published a security advisory outlining some Critical vulnerabilities in Adobe ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh, and UNIX. At the time, Adobe promised it would fix the problem and publish patches, which it has now done. The hotfix released by Adobe addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls and potentially allowing the attacker to take control of the affected server. The flaws have been assigned CVE numbers: CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632.

Adobe is reporting that it is aware of reports that the vulnerabilities are being exploited in the wild against ColdFusion customers.

The patches fix the follow vulnerabilities:

  • An authentication bypass vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0625).
  • A directory traversal vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could permit an unauthorized user access to restricted directories (CVE-2013-0629).
  • A vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in information disclosure from a compromised server (CVE-2013-0631).
  • An authentication bypass vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0632).
Filed Under: Adobe, Adobe, News, Vulnerability Tagged With: ,

In Brief: Adobe fixes at least 26 security problems in Adobe Acrobat and Adobe Reader

January 9, 2013 by

pdf_icon(LiveHacking.Com) –  Along with its update to Flash, Adobe has released updates that fix at least 26 security problems in Adobe Acrobat and Adobe Reader. The update for the popular PDF file reader and its companion PDF creator is available for Windows, OS X and Linux.

These update addresses vulnerabilities that could cause a crash and possibly allow an attacker to run arbitrary code on an affect system. Details of the bugs fixed are:

  • Memory corruption vulnerabilities that could lead to code execution (CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0619, CVE-2013-0620, CVE-2013-0623).
  • Use-after-free vulnerability that could lead to code execution (CVE-2013-0602).
  • Heap overflow vulnerabilities that could lead to code execution (CVE-2013-0603, CVE-2013-0604).
  • Stack overflow vulnerabilities that could lead to code execution (CVE-2013-0610, CVE-2013-0626).
  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2013-0606, CVE-2013-0612, CVE-2013-0615, CVE-2013-0617, CVE-2013-0621).
  • Integer overflow vulnerabilities that could lead to code execution (CVE-2013-0609, CVE-2013-0613).
  • Local privilege escalation vulnerability (CVE-2013-0627).
  • Logic error vulnerabilities that could lead to code execution (CVE-2013-0607, CVE-2013-0608, CVE-2013-0611, CVE-2013-0614, CVE-2013-0618).
  • Security bypass vulnerabilities (CVE-2013-0622, CVE-2013-0624).

Affected Versions

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh
Filed Under: Adobe, News, Vulnerability Tagged With: , , ,

Adobe fixes Flash Player and Microsoft patches IE 10 to update its built-in version

January 9, 2013 by

adobe-logo(LiveHacking.Com) – Adobe has released security updates for Adobe Flash Player for Windows, OS X, Linux and Android. These updates address a vulnerability that could cause a crash and potentially allow an attacker to executable arbitrary code on the affected system.

These updates fix a buffer overflow vulnerability in Flash that could lead to code execution.

Affected Versions

  • Adobe Flash Player 11.5.502.135 and earlier versions for Windows
  • Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.258 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.34 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.880 and earlier versions for Windows
  • Adobe AIR 3.5.0.890 and earlier versions for Macintosh
  • Adobe AIR 3.5.0.880 for Android
  • Adobe AIR 3.5.0.880 SDK and Adobe AIR 3.5.0.890 SDK

IE10

Microsoft has also revised Security Advisory 2755801 to include the latest Adobe updates. IE10 comes with a built-in version of Flash (like Chrome). An IE10 update is availbale as a cumulative update, which means customers do not need to install previous updates as a prerequisite for installing the current update.

“We remain committed to working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” wrote Dustin Childs from Microsoft’s Trustworthy Computing unit.

Filed Under: Adobe, Microsoft, News Tagged With: , , ,

Adobe to patch Critical flaws in Acrobat and ColdFusion

January 7, 2013 by

adobe-logo(LiveHacking.Com) – Critical vulnerabilities have been found in Adobe Reader, Acrobat and ColdFusion and Adobe is planning to release patches to fix the flaws over the next week. The first to be patched will be Adobe Reader and Acrobat. Adobe plans to release a security update on Tuesday, January 8, 2013 for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux.

The nature of the vulnerabilities in Adobe’s PDF tools is not yet know, however they are ranked as Critical. A Critical vulnerability is one which, if exploited, would allow malicious native-code to execute, potentially without the user’s knowledge.

More is known about the ColdFusion vulnerabilities.  Adobe has identified three flaw affecting ColdFusion for Windows, Macintosh and UNIX:

  • CVE-2013-0625 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
  • CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.
  • CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server.

Adobe has confirmed that these vulnerabilities are being exploited in the wild but also notes that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled or have no password set.

The company is in the process of finalizing a patch for the vulnerabilities and expects to release a ColdFusion hotfix for versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX on January 15, 2013.

“We are currently evaluating the reports and plan to issue a security advisory as soon as we have determined mitigation guidance for ColdFusion customers and a timeline for a fix,” Adobe’s Wendy Poland said in a post on Adobe’s Product Security Incident Response Team (PSIRT) Blog.

Tuesday, January 8 is also the day that Microsoft will release seven security bulletins to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework.

Filed Under: Adobe, News, Vulnerability Tagged With: , , ,

Adobe hasn’t yet fixed Critical Shockwave vulnerability reported in 2010

December 20, 2012 by

adobe-logo(LiveHacking.Com) – According to three advisories published by US-CERT, Adobe Shockwave has three Critical vulnerability which could allow attackers to remotely execute code on vulnerable machines. At least one of the vulnerabilities was reported to Adobe in 2010 and isn’t scheduled to be fixed until 2013.

US-CERT issued Vulnerability Note VU#519137 warning that Adobe Shockwave Player installs Xtras that are signed by Adobe or Macromedia without prompting, this means that an attacker can target vulnerabilities in older versions of Xtras. When Shockwave needs to use an Xtra it will be downloaded and installed automatically without any user interaction. The problem is that the download location is stored in the Shockwave movie itself. By changing the value of the download location attackers can force a vulnerable older version of the Xtra to be installed.

“By convincing a user to view specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user,” noted US-CERT.

In another issue, US-CERT reported that Adobe Shockwave Player 11.6.8.638 and earlier provide a vulnerable version of the Flash runtime. The included Flash runtime is version 10.2.159.1, which was released on April 15, 2011.This version of Flash contains several exploitable vulnerabilities. Since Shockwave uses its own Flash runtime, the machine is still vulnerable even if a new version of Flash has been installed on the PC.

The third problem is that Adobe Shockwave Player can automatically install a legacy version of its runtime. This can increase the attack surface of systems that have Shockwave installed. Because this is a design feature, attackers can target vulnerabilities in the Shockwave 10 runtime, or any of the Xtras provided by Shockwave 10. The example that US-CERT gives is that the legacy version of Shockwave provides Flash 8.0.34.0, which was released on November 14, 2006 and contains multiple, known vulnerabilities.

“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” an Adobe spokesperson told SecurityWeek. “We are not aware of any active exploits or attacks in the wild using this particular technique.”

Uninstalling the Shockwave Player will remove the vulnerabilities and since it isn’t used that often today you can probably remove it without any impact on your system.  Adobe has an uninstaller.

 

Filed Under: Adobe Tagged With: , ,

Google updates Chrome to fix a Critical vulnerability and update Flash

December 12, 2012 by

(LiveHacking.Com) –  Google has released a new version of Chrome for Windows, Mac and Linux. Chrome 23.0.1271.97 fixes several non-security related bugs along with at least one Critical level security vulnerability. The new version also includes an updated version of Flash following Adobe’s security update.

The Critical level bug is a crash in the history navigation. It was found by Michal Zalewski of the Google Security Team. The other security related bugs, along with the money awarded to the bounty hunter by Google under the Chromium security rewards scheme, are:

  • [$1500] [158204] High CVE-2012-5139: Use-after-free with visibility events. Credit to Chamal de Silva.
  • [$1000] [159429] High CVE-2012-5140: Use-after-free in URL loader. Credit to Chamal de Silva.
  • [160456] Medium CVE-2012-5141: Limit Chromoting client plug-in instantiation. Credit to Google Chrome Security Team (Jüri Aedla).
  • [160926] Medium CVE-2012-5143: Integer overflow in PPAPI image buffers. Credit to Google Chrome Security Team (Cris Neckar).
  • [$2000] [161639] High CVE-2012-5144: Stack corruption in AAC decoding. Credit to pawlkt.

The new version also fixes the following non-security related bugs

  • Some texts in a Website Settings popup are trimmed (Issue: 159156)
  • Linux: <input> selection renders white text on white bg in apps (Issue: 158422)
  • some plugins stopped working (Issue: 159896)
  • Windows 8: Unable to launch system level chrome after self destructing user-level chrome (Issue: 158632)
Filed Under: Adobe, Chrome, News, Vulnerability Tagged With: , , , ,

Adobe releases security updates for Flash Player

December 12, 2012 by

(LiveHacking.Com) –  Adobe has released a set of security updates for its Flash Player. The update applies to the Windows, Linux and OS X operating systems as well as to Android. The updates address vulnerabilities that, if exploited, could cause a crash and allow an attacker to execute arbitrary code.

There are three distinct bugs fixed. The first is a buffer overflow vulnerability, the second an integer overflow vulnerability and the last a memory corruption vulnerability. All three could lead to code execution.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.251  and earlier versions for Linux
  • Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.600 and earlier versions for Windows and Macintosh, Android and SDK (includes AIR for iOS)

Microsoft has updated IE 10 to include the new version of Flash. Likewise Google has updated Chrome to version 23.0.1271.97.

Filed Under: Adobe, News, Vulnerability Tagged With: ,
«Older Posts