Adobe Patches Flash Player, Reader

January 15, 2014

Not to be left out of this month’s “Patch Tuesday” festivities, Adobe has released security updates for its Reader, Acrobat, Flash Player, and AIR software.

The Security Bulletin [APSB14-01] for Acrobat and Reader applies only to the Windows and Mac OS X platforms.  Adobe says the affected software versions are:

  • Adobe Reader XI (11.0.05) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.8) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat XI (11.0.05) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.8) and earlier 10.x versions for Windows and Macintosh

Adobe rates the severity of the vulnerabilities addressed by this bulletin as Critical.  You can obtain the new version using the software’s built-in update mechanism (Help / Check for Updates); alternatively, you can download Reader installation packages for all platforms here.

The Security Bulletin [APSB14-02] for Flash Player and AIR applies to all platforms (Windows, Linux, and Mac OS X).  Affected software versions are:

  • Adobe Flash Player 11.9.900.170 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.332 and earlier versions for Linux
  • Adobe AIR 3.9.0.1380 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.9.0.1380 and earlier versions for Android
  • Adobe AIR 3.9.0.1380 SDK and earlier versions
  • Adobe AIR 3.9.0.1380 SDK & Compiler and earlier versions

(You can check the version of Flash Player installed on your system by visiting Adobe’s About Flash Player page.) Adobe says this is also a Critical vulnerability. Users of Google’s Chrome browser, or of Microsoft’s Internet Explorer (Versions 10 and 11) should get the new (bundled) Flash Player automatically. Others can obtain installation packages for all platforms from Adobe’s Flash Player Download Center. Please see the Security Bulletin for information on AIR updates.

These Adobe packages have, historically, been popular targets for attackers, because they are widely installed across different platforms. I recommend that you update your systems as soon as you conveniently can.
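An added example (not from Adobe or the original post) that checks a software inventory against the affected-version ceilings quoted above for APSB14-01 and APSB14-02. The inventory rows, host names, and function names are constructed for illustration; versions are compared numerically, and the "earlier 11.x versions" branch scoping is honoured.

```python
# Added example: rules encode only the "affected" ceilings quoted in this post.
def parse_version(text):
    """'11.0.05' -> (11, 0, 5): compare numerically, never as strings."""
    return tuple(int(part) for part in text.strip().split("."))

DESKTOP = {"windows", "macintosh"}
# (product, platforms, branch major or None, highest affected version, bulletin)
RULES = [
    ("reader",  DESKTOP, 11, "11.0.05", "APSB14-01"),
    ("reader",  DESKTOP, 10, "10.1.8", "APSB14-01"),
    ("acrobat", DESKTOP, 11, "11.0.05", "APSB14-01"),
    ("acrobat", DESKTOP, 10, "10.1.8", "APSB14-01"),
    ("flash",   DESKTOP, None, "11.9.900.170", "APSB14-02"),
    ("flash",   {"linux"}, None, "11.2.202.332", "APSB14-02"),
    ("air",     DESKTOP | {"android"}, None, "3.9.0.1380", "APSB14-02"),
]

def affected_by(product, platform, version):
    """Return the bulletin id if the install is in a listed range, else None."""
    # None means "not in a range listed above"; it is not proof of being patched.
    installed = parse_version(version)
    for name, platforms, branch, ceiling, bulletin in RULES:
        if name != product.lower() or platform.lower() not in platforms:
            continue
        if branch is not None and installed[0] != branch:
            continue  # "earlier 11.x versions" does not reach into 10.x or 9.x
        if installed <= parse_version(ceiling):
            return bulletin
    return None

def audit(inventory):
    """Return (host, product, version, bulletin) for every affected install."""
    hits = ((h, p, v, affected_by(p, plat, v)) for h, p, plat, v in inventory)
    return [hit for hit in hits if hit[3]]

# Constructed inventory: host names and the non-ceiling versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "flash", "windows", "11.9.900.170"),   # at the ceiling
    ("ws-02", "flash", "windows", "11.10.0.1"),      # sorts lower as a string
    ("lx-01", "flash", "linux", "11.2.202.332"),
    ("ws-03", "reader", "windows", "11.0.5"),        # same as 11.0.05
    ("mac-01", "reader", "macintosh", "10.1.9"),
    ("ws-04", "reader", "windows", "9.5.5"),         # 9.x is not listed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```

A plain string comparison would wrongly flag `ws-02`, because "11.10.0.1" sorts before "11.9.900.170" lexically.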

Critical Updates for Adobe Reader, Acrobat — and Flash

May 14, 2013

As expected, Adobe has released new versions of its Acrobat and Reader software, incorporating critical security updates.  There is also a critical update for Flash Player, though this was not included in the preview announcement.

The updates for Reader and Acrobat address a total of 27 identified vulnerabilities. According to the Security Bulletin [APSB 13-15], the vulnerable versions of Acrobat and Reader are:

  • Adobe Reader XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.4 and earlier 9.x versions for Windows and Macintosh

The Security Bulletin lists the appropriate new versions for these. Users of Reader or Acrobat on Windows or Mac OS X can get the new version via the update mechanism built into the software, which is set to check for updates automatically by default; to initiate a check manually, choose Help / Check for Updates from the product menu. Alternatively, you can download appropriate Reader updates from these links:

Please see the Security Bulletin for Acrobat update downloads, and for further details.

As noted above, Adobe has also released Critical updates for Flash Player; according to the Security Bulletin [APSB 13-14], these fixes address 13 identified vulnerabilities. Affected versions of the software are:

  • Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.280 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.54 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.7.0.1530 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.7.0.1660 and earlier versions for Android
  • Adobe AIR 3.7.0.1530 SDK & Compiler and earlier versions

Users on Windows or Mac OS X systems should receive the update automatically, if they have enabled the option “Allow Adobe to install updates”. Otherwise, they can obtain the new version from the Flash Player Download Center, as can Linux users. Please see the Security Bulletin for Android updates. Google Chrome ships with its own version of Flash Player, and I would expect a new version of Chrome, incorporating these updates, to appear “real soon now”. I’ll update this post when it’s available.

Because they are so widely installed across platforms, Reader and Flash Player have been tempting targets for the Bad Guys. I suggest that you update your systems as soon as you conveniently can.

Update Tuesday, 14 May, 13:05 EDT

According to a post on the Chrome Releases blog, Google is now pushing Flash Player updates for the Windows and Mac versions of Chrome. (Mea culpa: I had forgotten that they had added the capability to update things like Flash without doing a whole new version.)


Adobe Will Update Acrobat, Reader

May 12, 2013

Adobe has released a pre-notification advisory for security updates it plans to release on Tuesday, May 14, for its Acrobat and Reader software. Adobe describes the vulnerabilities to be addressed by the updates as critical, and says that the following versions of the software are affected:

  • Adobe Reader XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.4 and earlier 9.x versions for Windows and Macintosh

This advisory will be replaced with Adobe Security Bulletin APSB13-15, once the updates are released.

 


Adobe Releases Patches for Acrobat, Reader

February 20, 2013

As expected, Adobe today released new versions of its Acrobat and Reader software for Windows, Mac OS X, and Linux.  These address two critical security vulnerabilities (one a memory corruption problem, the other a buffer overflow) that, if exploited, might give an attacker control over your system.   According to Adobe’s Security Bulletin [APSB13-07], the following versions of the software are vulnerable:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

There is some evidence that these vulnerabilities are currently being exploited, primarily via  E-mails that attempt to trick the user into opening a malicious PDF document.

Because the updates address a couple of serious vulnerabilities, I suggest that you update your systems as soon as you conveniently can.  For Reader, Windows and Mac OS X users can get the new version via the update mechanism built into the software (Help -> Check for Updates).  Alternatively, you can download update packages from these links:

Linux users can retrieve the new version, via FTP, from this link.

Please check the Security Bulletin for Acrobat update links.


Adobe to Patch Reader, Acrobat

February 18, 2013

Last week, Adobe issued a Security Advisory (APSA13-02) for its Acrobat and Reader software for Windows, Linux, and Mac OS X.  The advisory concerns two newly-discovered security vulnerabilities in the software (CVE numbers are in the Security Advisory).  According to Adobe, the affected versions of the software are:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

There is some evidence that the vulnerabilities are being exploited, principally by E-mails that attempt to trick Windows users into opening a malicious PDF document.

According to a post on the Product Security Incident Response Team (APSIRT) blog, Adobe plans to release  security updates for the affected software this week.  I will post a note here when the patches are available.

In the meantime, those who are using Reader XI and Acrobat XI for Windows can mitigate the risk from these flaws by enabling “Protected View” (see the Security Advisory for details).  In any case, you should always be very wary of opening any E-mail attachments unless you are sure they are legitimate.


Adobe Patches Reader, Acrobat

January 8, 2013

As noted in a preview announcement last week, Adobe has released a Security Bulletin [APSB13-02] for its Reader and Acrobat software.  The bulletin addresses 27 identified security vulnerabilities, and is rated Critical.  According to Adobe, the affected versions of the software are:

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh

For the corresponding new version numbers, please see the Security Bulletin.

Users of Reader on Windows or Mac OS X can get the new version via the update mechanism built into the software, as can Acrobat users.  Alternatively, you can download an update package for Reader for Windows here, and for Mac OS X here.  Linux users can download an installation package  (via FTP) for the new version.  Download links for the new versions of Acrobat are in the Security Bulletin.

I recommend that you update your systems as soon as you conveniently can.


Adobe Patch Preview, for Tuesday

January 4, 2013

Next Tuesday, January 8, will be a busy day for system administrators.  In addition to the regularly-scheduled release of security patches from Microsoft, Adobe is also planning to release a batch of security updates.   In a Prenotification Security Advisory [APSB13-02], released yesterday, Adobe says that it will issue patches to fix a variety of Critical vulnerabilities in Acrobat and Adobe Reader.  According to the Advisory, the affected versions of the software are:

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh

In addition to a severity rating, Adobe assigns a priority level to each update; in this case, the Windows versions are rated Priority 1 (the highest) because Adobe thinks that version and platform is most likely to be attacked.  The Reader software, in particular, has been a popular target in the past, because it is so widely installed across different platforms.  So you should try to get these fixes applied promptly.

I will post a note here with any updated information, once the updates are actually available.

