Tuesday, December 10, 2013

Adobe Critical Updates:
Flash Player, AIR, Shockwave Player


It's the fourth quarterly, second Tuesday of the month which means… 

It's Adobe Security Update Day!

Adobe is offering three critical security updates:

Adobe Flash Player v11.9.900.170
Adobe AIR v3.9.0.1380
Adobe Shockwave Player v12.0.7.148

Happily, there is no Adobe Acrobat / Adobe Player update required. The current version is

Adobe Security Bulletins are available here:

Security updates available for Adobe Flash Player [and Adobe AIR]
These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331. Adobe Flash Player 11.6 and later provide a mitigation against this attack….

These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2013-5331).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-5332).
Security update available for Adobe Shockwave Player
This update addresses a vulnerability that could allow an attacker, who successfully exploits this vulnerability, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player and earlier versions update to Adobe Shockwave Player using the instructions provided in the "Solution" section above.

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2013-5333, CVE-2013-5334).
. . .

Adobe has changed their updating process yet again. Using Adobe's update pages is now simple and logical. Thank you Adobe!

However, Adobe is again preventing users from downloading full installers of the Adobe Flash Player. Instead, all you get is a small installer application that requires access to the Internet in order to download the software components. This of course is entirely contrary to the Mac user experience. It is also annoying and inconvenient. If you have several computers to update, tough luck! If you want to update computers that are not connected to the Internet, tough luck! IOW: Retrograde user-hostility. No thank you Adobe!

I was also annoyed to see the Adobe Flash Player installer phone home to six different Adobe IP addresses during the installation. Six? Seriously? Just to be complicated?

Thankfully, Adobe has not pulled this stunt with the Adobe AIR or Adobe Shockwave Player installers. However, the Adobe AIR installer phones home to four different Adobe IP addresses. Adobe, I thought the ideal was to make installations simpler!


Adobe Customer Accounts Hacked
-> Adobe's Customer Security Alert


On October 3, 2013, Adobe announced that their customer accounts had been hacked:

Adobe Hacked, Data for Millions of Customers Stolen
"Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders," Brad Arkin, Adobe's chief security officer, wrote in a security alert….
Important Customer Security Announcement
At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident….
Adobe now has a Customer Security Alert page that covers what occurred, how to determine if you are affected, what Adobe had done about the situation and what you need to do to protect yourself.

Customer security alert
What do I need to do?
  • If your Adobe ID and password were involved…
  • Changing your password…
  • Other websites…
  • Protect yourself against non-legitimate email “phishing” attempts…
. . .

Adobe is kindly offering both phone and live chat support for those concerned. Please read their 'Customer Security Alert' for details.