Wednesday, January 9, 2013

Adobe Updates:
Flash Player v11.5.502.146,
Reader and Acrobat v11.0.01,
AIR v3.5.0.1060

Adobe provided updates on January 7th, 2013 for Reader, Acrobat, AIR and Flash Player. ALL of these updates include security patches. LOTS of security patches!


Adobe Flash Player v11.5.502.146:

Adobe AIR v3.5.0.1060:

Adobe Reader v11.0.01:

Adobe Acrobat v11.0.01:


Adobe Flash Player: 
Visit this web page:

Adobe AIR: 

Visit this web page for instructions:

Adobe Reader: 

Within Reader, choose Help > Check for Updates.

Adobe Acrobat:

Within Acrobat, choose Help > Check for Updates.


Adobe Flash Player v11.5.502.146 and Adobe AIR v3.5.0.1060, Security Bulletin APSB13-01

Adobe Reader and Acrobat v11.0.01, Security Bulletin APSB13-02

The security bulletin for Flash Player and AIR is listed as being only for Flash Player. And yet it's not. (0_o) It's about BOTH. So be sure you update both. Get your act together, Adobe!


Adobe Flash Player and AIR:
These updates address a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system.
Details about this security hole can be found in CVE-2013-0630, which has not yet been detailed as of today. SecurityFocus lists the CVE as a "Remote Buffer Overflow Vulnerability", IOW the usual.

Adobe Reader and Acrobat:
CVE numbers: CVE-2012-1530, CVE-2013-0601, CVE-2013-0602, CVE-2013-0603, CVE-2013-0604, CVE-2013-0605, CVE-2013-0606, CVE-2013-0607, CVE-2013-0608, CVE-2013-0609, CVE-2013-0610, CVE-2013-0611, CVE-2013-0612, CVE-2013-0613, CVE-2013-0614, CVE-2013-0615, CVE-2013-0616, CVE-2013-0617, CVE-2013-0618, CVE-2013-0619, CVE-2013-0620, CVE-2013-0621, CVE-2013-0622, CVE-2013-0623, CVE-2013-0624, CVE-2013-0626, CVE-2013-0627
The total is 27 security holes. Adobe is listing them all as 'Priority 2', which they describe as:
"This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days)."
Again, none of these CVE reports yet offer any details as of today. If you use a search engine and input each CVE number you can find some dirt on them from various sources. Feeling in a magnanimous masochistic mood, I dug up some general descriptions of the CVEs. 

SecurityTracker describes all but the first CVE here:

Adobe Acrobat/Reader Multiple Flaws Lets Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges
Description: Multiple vulnerabilities were reported in Adobe Acrobat/Reader. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A user can bypass security restrictions.
A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.
The security problems involve the usual memory overflow problems, a "use-after-free" [which is new to me], local errors, elevated privileges and security restriction bypasses. Oh dear. Not pretty.

IOW: There is no indication of Reader or Acrobat settling into safe and secure mode. The security flaws just keep on coming! Avoid both Adobe Reader and Acrobat as much as possible. 

Apple's Preview app is adequate for most reading and annotation purposes, and it hasn't demonstrated any of Adobe's circus of security holes.

There is also a plethora of alternatives to Adobe Acrobat available for Mac. The alternatives include, in no particular order:

Share and Enjoy!
