Adobe Patches Flash Player, Reader

January 15, 2014

Not to be left out of this month’s “Patch Tuesday” festivities, Adobe has released security updates for its Reader, Acrobat, Flash Player, and AIR software.

The Security Bulletin [APSB14-01] for Acrobat and Reader applies only to the Windows and Mac OS X platforms.  Adobe says the affected software versions are:

  • Adobe Reader XI (11.0.05) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.8) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat XI (11.0.05) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.8) and earlier 10.x versions for Windows and Macintosh

Adobe rates the severity of the vulnerabilities addressed by this bulletin as Critical.  You can obtain the new version using the software’s built-in update mechanism (Help / Check for Updates); alternatively, you can download Reader installation packages for all platforms here.

The Security Bulletin [APSB14-02] for Flash Player and AIR applies to all platforms (Windows, Linux, and Mac OS X).  Affected software versions are:

  • Adobe Flash Player 11.9.900.170 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.332 and earlier versions for Linux
  • Adobe AIR 3.9.0.1380 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.9.0.1380 and earlier versions for Android
  • Adobe AIR 3.9.0.1380 SDK and earlier versions
  • Adobe AIR 3.9.0.1380 SDK & Compiler and earlier versions

(You can check the version of Flash Player installed on your system by visiting Adobe’s About Flash Player page.)  Adobe says this is also a Critical vulnerability.  Users of Google’s Chrome browser, or of Microsoft’s Internet Explorer (Versions 10 and 11), should get the new (bundled) Flash Player automatically.  Others can obtain installation packages for all platforms from Adobe’s Flash Player Download Center.  Please see the Security Bulletin for information on AIR updates.

These Adobe packages have, historically, been popular targets for attackers, because they are widely installed across different platforms.  I recommend that you update your systems as soon as you conveniently can.

Critical Updates for Adobe Reader, Acrobat — and Flash

May 14, 2013

As expected, Adobe has released new versions of its Acrobat and Reader software, incorporating critical security updates.  There is also a critical update for Flash Player, though this was not included in the preview announcement.

The updates for Reader and Acrobat address a total of 27 identified vulnerabilities. According to the Security Bulletin [APSB 13-15], the vulnerable versions of Acrobat and Reader are:

  • Adobe Reader XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.4 and earlier 9.x versions for Windows and Macintosh

The Security Bulletin lists the appropriate new versions for these. Users of Reader or Acrobat on Windows or Mac OS X can get the new version via the update mechanism built into the software, which is set to check for updates automatically by default; to initiate a check manually, choose Help / Check for Updates from the product menu. Alternatively, you can download appropriate Reader updates from these links:

Please see the Security Bulletin for Acrobat update downloads, and for further details.

As noted above, Adobe has also released Critical updates for Flash Player; according to the Security Bulletin [APSB 13-14], these fixes address 13 identified vulnerabilities. Affected versions of the software are:

  • Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.280 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.54 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.7.0.1530 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.7.0.1660 and earlier versions for Android
  • Adobe AIR 3.7.0.1530 SDK & Compiler and earlier versions

Users on Windows or Mac OS X systems should receive the update automatically, if they have enabled the option “Allow Adobe to install updates”. Otherwise, they can obtain the new version from the Flash Player Download Center, as can Linux users. Please see the Security Bulletin for Android updates. Google Chrome ships with its own version of Flash Player, and I would expect a new version of Chrome, incorporating these updates, to appear “real soon now”. I’ll update this post when it’s available.

Because they are so widely installed across platforms, Reader and Flash Player have been tempting targets for the Bad Guys. I suggest that you update your systems as soon as you conveniently can.

Update Tuesday, 14 May, 13:05 EDT

According to a post on the Chrome Releases blog, Google is now pushing Flash Player updates for the Windows and Mac versions of Chrome.  (Mea culpa: I had forgotten that they had added the capability to update things like Flash without doing a whole new version.)


Adobe Will Update Acrobat, Reader

May 12, 2013

Adobe has released a pre-notification advisory for security updates it plans to release on Tuesday, May 14, for its Acrobat and Reader software.  Adobe describes the vulnerabilities to be addressed by the updates as critical, and says that the following versions of the software are affected:

  • Adobe Reader XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Acrobat X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.4 and earlier 9.x versions for Windows and Macintosh

This advisory will be replaced with Adobe Security Bulletin APSB13-15, once the updates are released.

 


Document Freedom Day 2013

March 27, 2013

The Free Software Foundation Europe [FSFE] has designated today, March 27, as Document Freedom Day [DFD] for 2013, to mark the importance of open standards for the exchange of documents and other information via the Internet.

It is a day for celebrating and raising awareness of Open Standards and formats which takes place on the last Wednesday in March each year. On this day people who believe in fair access to communications technology teach, perform, and demonstrate.

This year’s DFD is being sponsored by Google and openSUSE.

One of the key aims of DFD is to promote the use and promulgation of open standards for documents and other information.  The DFD site gives the FSFE’s definition of an open standard; as the Wikipedia article on the subject suggests, there is a range of definitions from different organizations.  The FSFE’s definition is fairly strict: essentially, it requires that a standard be open to assessment, implementation, and use without restrictions, and that a standard be defined by an open process, not controlled by any single party.  That there is some considerable similarity between the concepts of open standards and open source software is, of course, not a coincidence.

As I have mentioned before, I am a fairly enthusiastic proponent of open source software, and I’m a fan of open standards, too.  As I’ve already mentioned, there are several different definitions of open standards, and I think it is useful to realize that “openness” can be a matter of degree.

The standards for HTML (HyperText Markup Language, the language used to create Web pages), and for the C programming language, would meet most definitions as open standards.  At the other extreme, Microsoft’s original definitions of documents for its Office product were not at all open: undocumented binary formats, entirely under the vendor’s control.  The Portable Document Format [PDF] for text documents was originally defined by Adobe Systems, but the format definition was published; beginning in 1994, with the release of Adobe’s Acrobat 2.0 software, the viewing software (Acrobat Reader, now Adobe Reader) was available free.  (PDF was officially released as an open standard on July 1, 2008, and published by the International Organization for Standardization as ISO 32000-1:2008.)

While, in an ideal world, one might have wished, prior to 2008, to have the PDF specification fully open, the situation was far better than having an entirely closed spec: it was possible to evaluate the PDF definition, and developers other than Adobe were able to develop software to work with PDF files.  (I still use a small, fast program called xpdf to view PDF documents on my Linux PC.  It lacks a good deal of functionality, compared to Adobe’s Reader, which I also use regularly, but it is much faster for routine, “let’s have a look at this” usage.)

I think that the principle of open standards is worth supporting, for the very practical reasons that the FSFE has identified; they enable you to

  • Collaborate and communicate with others, regardless of which software they are using
  • Upgrade or replace your apps and still be able to open and edit your old files
  • Choose which phone / tablet / computer you want to use without worrying about compatibility

These are benefits worth having.


Adobe Releases Patches for Acrobat, Reader

February 20, 2013

As expected, Adobe today released new versions of its Acrobat and Reader software for Windows, Mac OS X, and Linux.  These address two critical security vulnerabilities (one a memory corruption problem, the other a buffer overflow) that, if exploited, might give an attacker control over your system.   According to Adobe’s Security Bulletin [APSB13-07], the following versions of the software are vulnerable:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

There is some evidence that these vulnerabilities are currently being exploited, primarily via E-mails that attempt to trick the user into opening a malicious PDF document.

Because the updates address a couple of serious vulnerabilities, I suggest that you update your systems as soon as you conveniently can.  For Reader, Windows and Mac OS X users can get the new version via the update mechanism built into the software (Help -> Check for Updates).  Alternatively, you can download update packages from these links:

Linux users can retrieve the new version, via FTP, from this link.

Please check the Security Bulletin for Acrobat update links.


Adobe to Patch Reader, Acrobat

February 18, 2013

Last week, Adobe issued a Security Advisory (APSA13-02) for its Acrobat and Reader software for Windows, Linux, and Mac OS X.  The advisory concerns two newly-discovered security vulnerabilities in the software (CVE numbers are in the Security Advisory).  According to Adobe, the affected versions of the software are:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

There is some evidence that the vulnerabilities are being exploited, principally by E-mails that attempt to trick Windows users into opening a malicious PDF document.

According to a post on the Product Security Incident Response Team (APSIRT) blog, Adobe plans to release security updates for the affected software this week.  I will post a note here when the patches are available.

In the meantime, those who are using Reader XI and Acrobat XI for Windows can mitigate the risk from these flaws by enabling “Protected View” (see the Security Advisory for details).  In any case, you should always be very wary of opening any E-mail attachments unless you are sure they are legitimate.

