Flash Player Security Bulletin

April 9, 2013

Adobe has released a new Security Bulletin [APSB13-11] for its Flash Player software for all platforms, and for Adobe AIR.  The new patches address four identified security vulnerabilities.  Adobe rates the security impact of this bulletin as Critical: these vulnerabilities might allow an attacker to take control of a vulnerable system.  According to Adobe, the affected versions of the software are:

  • Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.275 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.6090 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.6090 SDK & Compiler and earlier versions

The new version of Flash Player for Windows and Mac OS X is 11.7.700.169; for Linux, it is 11.2.202.280.  Please see the Security Bulletin for update information for Android and AIR.  Google will presumably release a new version of its Chrome browser to include an updated Flash Player.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) they may use.

Flash Player has, historically, been an attractive attack target, because it is so widely installed across different platforms. I recommend updating your systems as soon as you conveniently can.
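A fleet-inventory check against the APSB13-11 "and earlier" thresholds listed above, as an added example (not from Adobe or the original post).  The host names, inventory rows and product/platform keys are constructed; versions are compared as integer tuples because a plain string comparison would rank 11.6.602.99 above 11.6.602.180.

```python
# Last affected version per product/platform, copied from the APSB13-11 list.
# The dictionary keys and the sample inventory are constructed for illustration.
LAST_AFFECTED = {
    ("flash", "windows"): "11.6.602.180",
    ("flash", "macintosh"): "11.6.602.180",
    ("flash", "linux"): "11.2.202.275",
    ("flash", "android4"): "11.1.115.48",   # Android 4.x
    ("flash", "android3"): "11.1.111.44",   # Android 3.x and 2.x
    ("air", "windows"): "3.6.0.6090",
    ("air", "macintosh"): "3.6.0.6090",
    ("air", "android"): "3.6.0.6090",
}

def parse_version(text):
    """Turn '11.6.602.180' into (11, 6, 602, 180); reject anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product, platform, installed):
    """True if the installed version is at or below the last affected one."""
    limit = parse_version(LAST_AFFECTED[(product.lower(), platform.lower())])
    have = parse_version(installed)
    width = max(len(limit), len(have))       # pad so 3.6.0 equals 3.6.0.0
    have += (0,) * (width - len(have))
    limit += (0,) * (width - len(limit))
    return have <= limit

def triage(inventory):
    """Label each host AFFECTED, ok, or UNKNOWN (unparseable or unlisted)."""
    report = []
    for host, product, platform, version in inventory:
        try:
            state = "AFFECTED" if is_affected(product, platform, version) else "ok"
        except (KeyError, ValueError):
            state = "UNKNOWN"                # review by hand, never assume ok
        report.append((host, state))
    return report

SAMPLE_INVENTORY = [                         # constructed rows
    ("ws-01", "flash", "windows", "11.6.602.99"),
    ("ws-02", "flash", "windows", "11.7.700.169"),
    ("lx-01", "flash", "linux", "11.2.202.275"),
    ("lx-02", "flash", "linux", "11.2.202.280"),
    ("kiosk", "air", "windows", "3.6.0.6090"),
    ("lab-7", "flash", "windows", "11.7.700.169_beta"),
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY):
        print(f"{host:6} {state}")
```

Rows that come back UNKNOWN are left for manual review rather than counted as patched.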


Document Freedom Day 2013

March 27, 2013

The Free Software Foundation Europe [FSFE] has designated today, March 27, as Document Freedom Day [DFD] for 2013, to mark the importance of open standards for the exchange of documents and other information via the Internet.

It is a day for celebrating and raising awareness of Open Standards and formats which takes place on the last Wednesday in March each year. On this day people who believe in fair access to communications technology teach, perform, and demonstrate.

This year’s DFD is being sponsored by Google and openSUSE.

One of the key aims of DFD is to promote the use and promulgation of open standards for documents and other information.  The DFD site gives the FSFE’s definition of an open standard; as the Wikipedia article on the subject suggests, there is a range of definitions from different organizations.  The FSFE’s definition is fairly strict: essentially, it requires that a standard be open to assessment, implementation, and use without restrictions, and that a standard be defined by an open process, not controlled by any single party.  That there is some considerable similarity between the concepts of open standards and open source software is, of course, not a coincidence.

As I have mentioned before, I am a fairly enthusiastic proponent of open source software, and I’m a fan of open standards, too.  As I’ve already mentioned, there are several different definitions of open standards, and I think it is useful to realize that “openness” can be a matter of degree.

The standards for HTML (HyperText Markup Language, the language used to create Web pages), and for the C programming language, would meet most definitions as open standards.  At the other extreme, Microsoft’s original definitions of documents for its Office product were not at all open: undocumented binary formats, entirely under the vendor’s control.  The Portable Document Format [PDF] for text documents was originally defined by Adobe Systems, but the format definition was published; beginning in 1994, with the release of Adobe’s Acrobat 2.0 software, the viewing software (Acrobat Reader, now Adobe Reader) was available free.  (PDF was officially released as an open standard on July 1, 2008, and published by the International Organization for Standardization as ISO 32000-1:2008.)

While, in an ideal world, one might have wished, prior to 2008, to have the PDF specification fully open, the situation was far better than having an entirely closed spec: it was possible to evaluate the PDF definition, and developers other than Adobe were able to develop software to work with PDF files.  (I still use a small, fast program called xpdf to view PDF documents on my Linux PC.  It lacks a good deal of functionality, compared to Adobe’s Reader, which I also use regularly, but it is much faster for routine, “let’s have a look at this” usage.)

I think that the principle of open standards is worth supporting, for the very practical reasons that the FSFE has identified; they enable you to

  • Collaborate and communicate with others, regardless of which software they are using
  • Upgrade or replace your apps and still be able to open and edit your old files
  • Choose which phone / tablet / computer you want to use without worrying about compatibility

These are benefits worth having.


Flash Player Security Update

March 12, 2013

Not wanting, apparently, to be left out of the Patch Tuesday fun, Adobe has released a new Security Bulletin [APSB13-09] for its Flash Player for all platforms.  The updates address four identified security flaws that, if exploited, might lead to a system crash or remote code execution.  (One of these relates to handling of an integer overflow exception; the other three are good old-fashioned memory management errors.)  According to Adobe, the following versions of the software are affected:

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

The new version number for Mac OS X and Windows is 11.6.602.180; for Linux it is 11.2.202.275.  Please see the Security Bulletin for update information for Android and AIR.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) they may use.

Flash Player has, historically, been an attractive attack target, because it is so widely installed across different platforms. I recommend updating your systems as soon as you conveniently can.


Yet Another Flash Player Patch

February 26, 2013

Today Adobe released another update to its ubiquitous Flash Player for all platforms (Windows, Linux, Mac OS X) to address what it says are critical security vulnerabilities. The update addresses two identified vulnerabilities (CVE-2013-0643 and CVE-2013-0648); an attacker who exploited these vulnerabilities might cause a system crash, or be able to take control of the affected system.

According to Adobe’s Security Bulletin [APSB13-08], the following versions of the software are vulnerable:

  • Adobe Flash Player 11.6.602.168 and earlier versions for Windows
  • Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.270 and earlier versions for Linux

For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page.  The new version for Mac OS X and Windows is 11.6.602.171; for Linux, the new version is 11.2.202.273.  (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.)   The Flash Player bundled with Google Chrome will be automatically updated to version 11.6.602.171.

There are reports that these vulnerabilities are being actively exploited, primarily in attacks against the Firefox browser running on Windows systems.  The exploit attempts to trick the user into visiting a Web site with malicious Flash content.  Because of this, and because Flash Player has always been an attractive target for the Bad Guys, I recommend that you update your systems as soon as you conveniently can.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) they may use.

Ars Technica has a brief article on this update, which is the third for Flash Player this month.


Adobe Releases Patches for Acrobat, Reader

February 20, 2013

As expected, Adobe today released new versions of its Acrobat and Reader software for Windows, Mac OS X, and Linux.  These address two critical security vulnerabilities (one a memory corruption problem, the other a buffer overflow) that, if exploited, might give an attacker control over your system.   According to Adobe’s Security Bulletin [APSB13-07], the following versions of the software are vulnerable:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

There is some evidence that these vulnerabilities are currently being exploited, primarily via E-mails that attempt to trick the user into opening a malicious PDF document.

Because the updates address a couple of serious vulnerabilities, I suggest that you update your systems as soon as you conveniently can.  For Reader, Windows and Mac OS X users can get the new version via the update mechanism built into the software (Help -> Check for Updates).  Alternatively, you can download update packages from these links:

Linux users can retrieve the new version, via FTP, from this link.

Please check the Security Bulletin for Acrobat update links.


Adobe to Patch Reader, Acrobat

February 18, 2013

Last week, Adobe issued a Security Advisory (APSA13-02) for its Acrobat and Reader software for Windows, Linux, and Mac OS X.  The advisory concerns two newly-discovered security vulnerabilities in the software (CVE numbers are in the Security Advisory).  According to Adobe, the affected versions of the software are:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

There is some evidence that the vulnerabilities are being exploited, principally by E-mails that attempt to trick Windows users into opening a malicious PDF document.

According to a post on the Product Security Incident Response Team (APSIRT) blog, Adobe plans to release security updates for the affected software this week.  I will post a note here when the patches are available.

In the meantime, those who are using Reader XI and Acrobat XI for Windows can mitigate the risk from these flaws by enabling “Protected View” (see the Security Advisory for details).  In any case, you should always be very wary of opening any E-mail attachments unless you are sure they are legitimate.


Another Flash Player Security Update

February 12, 2013

Adobe has once again released new versions of its Flash Player for Windows, Mac OS X, Android, and Linux systems.  According to Adobe’s Security Bulletin [APSB13-05], the updates address 17 identified security vulnerabilities in the software (the Security Bulletin gives the CVE identifiers for these).  An attacker exploiting any of these vulnerabilities could cause a crash, and potentially take control of the target system.

According to Adobe, the following versions of the software are affected:

  • Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.262 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.37 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.1060 and earlier versions
  • Adobe AIR 3.5.0.1060 SDK and earlier versions

For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page.

The new versions are 11.6.602.168 for Windows systems, 11.6.602.167 for Mac systems, and 11.2.202.270 for Linux systems.  (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.)   The new version number for the Flash Player bundled with Google’s Chrome browser is 11.6.602.167.  Please see the Security Bulletin for information on Android versions.

Flash Player has always been an attractive target for the Bad Guys, because it is so widely installed across platforms.  Although I have not seen any reports of exploits “in the wild”, I do recommend that you update your systems as soon as you conveniently can.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) they may use.

