Adobe Security updates for Flash Player (11.2.202.261) and Adobe Reader

[menotu]

Brian Krebs 9 January 2013 (krebsonsecurity)

The Adobe Flash patch fixes at least one critical vulnerability in the media player plugin. Updates are available for all supported versions of Flash, including for Windows, Mac, Linux and Android. See the chart below for the latest version number broken down by operating system.



Finally, Adobe released updates that fix at least 26 security problems in Adobe Acrobat and Adobe Reader. Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux. If you use these products, you’ll want to update them.

https://krebsonsecurity.com/2013/01/adobe-microsoft-ship-critical-security-updates/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

[pinoc]

flash-player dropboxed for 32/64
AdobeReader dropboxed for 32, they don't do a 64bit version

-p.

[menotu]

Please note, this relates to Windows & Mac
==========================
Affected software versions

Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh
Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

heise Security - 14 February 2013,

Adobe recommends workaround for critical holes in Reader

In a new advisory, Adobe has warned of critical zero-day holes in its Reader and Acrobat PDF viewers, which are already being actively exploited in attacks by cyber criminals. The vulnerabilities were detected when security researchers from FireEye examined a PDF file in circulation.

The specially crafted PDF document appears to exploit several security holes to inject malicious code into a system when the document is opened; Adobe's advisory says the two critical vulnerabilities at the core of the problem have been assigned the identifiers CVE-2013-0640 and CVE-2013-0641. The company says that the vulnerabilities affect the current versions of Reader as well as the current versions of Acrobat for Windows and Mac OS X. A patch is already in preparation, but when it will be released is currently unclear.

Users who open a PDF document in the current version of Adobe Reader therefore run the risk of infecting their system with malware. According to Adobe, those who use version XI (11.x) of Acrobat or Reader under Windows can protect themselves by activating the Protected View feature. In Reader, this option can be found by selecting File ➤ Edit ➤ Preferences ➤ Security (Enhanced) and looking for the Protected View options on that page. Enabling this option will result in PDF documents being opened in a sandbox.

http://www.adobe.com/support/security/advisories/apsa13-02.html

http://www.h-online.com/security/news/item/Adobe-recommends-workaround-for-critical-holes-in-Reader-1803516.html

[menotu]

Another patch release coming but Adobe doesn't say precisely when just week beginning 18-Feb
==========================================================

blogs.adobe - 18 Feb 2013

Schedule update to Security Advisory for Adobe Reader and Acrobat (APSA13-02)

We just updated the Security Advisory (APSA13-02) posted on Wednesday, February 13, 2013 to include the planned schedule for a patch to resolve CVE-2013-0640 and CVE-2013-0641. Adobe plans to make available updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux during the week of February 18, 2013.

This posting is provided “AS IS” with no warranties and confers no rights.

http://blogs.adobe.com/psirt/2013/02/schedule-update-to-security-advisory-for-adobe-reader-and-acrobat-apsa13-02.html

[menotu]

And another one................. affects 11.2.202.270 for Linux should update to 11.2.202.273
=======================================================
heise Security - 26 Feb 2013

Emergency Flash update blocks exploit targeted at Firefox

The last update of Flash Player was just two weeks ago and now it's being updated again – this time to block exploits that target the Firefox browser. The new advisory points to three fixes in the update, two involved in blocking the Firefox exploit and one correcting a generally applicable, serious flaw. The problems affect Flash Player on Windows, Mac OS X and Linux, but do not appear to affect Flash on Android.

One of the corrected problems is a permissions problem with the Flash Player Firefox sandbox (CVE-2013-0643). This vulnerability has been being exploited in the wild with another, now fixed, hole in the ExternalInterface ActionScript feature of Flash, which allowed for the execution of arbitrary code (CVE-2013-0648). As is usual with Flash Player exploits, a victim would have to open a page with malicious SWF content in it to be exposed to attacks; Adobe notes the vulnerabilities are being used in a targeted attack which tries to trick the user into clicking a link that sends the user's browser to such a page. A third buffer overflow vulnerability (CVE-2013-0504), discovered by IBM X-Force in the Flash Player broker service, could also be made to execute malicious code.

http://www.h-online.com/security/news/item/Emergency-Flash-update-blocks-exploit-targeted-at-Firefox-1812342.html

--------------------

From the Adobe Advisory

Adobe recommends users update their product installations to the latest versions:

    Users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows and Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.171.

    Users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.273.

    Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux.

    Adobe Flash Player installed with Internet Explorer 10 for Windows 8 will automatically be updated to the latest version of Internet Explorer 10, which will include Adobe Flash Player 11.6.602.171 for Windows.

Affected software versions

    Adobe Flash Player 11.6.602.168 and earlier versions for Windows
    Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh
    Adobe Flash Player 11.2.202.270  and earlier versions for Linux

https://www.adobe.com/support/security/bulletins/apsb13-08.html

Download link

[pinoc]

done,
-p.

[menotu]

Time to start screaming...............
======================

Release date: March 12, 2013

Security updates available for Adobe Flash Player

Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:

    Users of Adobe Flash Player 11.2.202.273 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.275.

https://www.adobe.com/support/security/bulletins/apsb13-09.html

https://get.adobe.com/flashplayer/

[pinoc]

sent to upload queue.
-p.