Showing posts sorted by relevance for query Adobe AIR. Sort by date Show all posts
Showing posts sorted by relevance for query Adobe AIR. Sort by date Show all posts

Adobe Patches Multiple Security Holes in Adobe Flash Player & AIR (CVE-2012-5274 to 5280)

Posted by Avik Sarkar On 11/09/2012 04:30:00 am

Critical Buffer Overflow, Memory Corruption & Security bypass Vulnerability in Adobe Flash Player & AIR Patched

Adobe- American multinational computer software company has released new versions of its Flash Player to eliminate a number of critical vulnerabilities  in Flash Player that could lead to system crashes or remote attackers controlling computers running compromised software. All the flaws were discovered by members of the Google Security Team are associated with several CVE numbers; CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5280 are buffer overflows, CVE-2012-5279 is a memory corruption issue and CVE-2012-5278 is a security bypass; all of which are listed as potentially allowing an attacker to inject malicious code into the system. Google said it will update Flash Player installed with Google Chrome, and Microsoft will do the same with Internet Explorer 10. In the security bulletin Adobe said that it has released security updates for Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. 

Adobe recommends users update their product installations to the latest versions:-
  • Users of Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.110.
  • Users of Adobe Flash Player 11.2.202.243 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.251.
  • Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.2 for Windows, Macintosh and Linux.
  • Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.376.12 for Windows.
  • Users of Adobe Flash Player 11.1.115.20 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.27.
  • Users of Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.24.
  • Users of Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (including AIR for iOS) and Android should update to Adobe AIR 3.5.0.600.

AFFECTED SOFTWARE VERSIONS:- 
  • Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.243 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (includes AIR for iOS) and Android
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system. To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.  To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote. Adobe also recommended its Adobe AIR users to update  to 3.5.0.600.
While talking about security patches in Adobe product, we want to give to reminder that just couple of weeks ago Adobe also plugged buffer overflow vulnerability in its Shockwave Player. Also in late September, Adobe disclosed that it had been attacked and hackers were using a valid Adobe certificate to sign two malicious utilities used most often in targeted attacks. Adobe revoked the certificate Oct. 4.



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Adobe Released Security Bulletin to Patch Multiple Vulnerable Products

Posted by Avik Sarkar On 8/12/2011 03:26:00 am

Adobe released a security bulletin to patch their multiple vulnerable products. Here are the list with detail information of those products.
  • APSB11-19 – Security update available for Adobe Shockwave Player (Critical)
  • APSB11-20 – Security update available for Adobe Flash Media Server (Critical)
  • APSB11-21 – Security update available for Adobe Flash Player (Critical)
  • APSB11-22 – Security update available for Adobe Photoshop CS5 (Critical)
  • APSB11-23 – Security updates available for RoboHelp (Important)
Security update available for Adobe Shockwave Player:-
 
Critical vulnerabilities have been identified in Adobe Shockwave Player 11.6.0.626 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
Adobe recommends users of Adobe Shockwave Player 11.6.0.626 and earlier versions update to Adobe Shockwave Player 11.6.1.629.

Security update available for Adobe Flash Media Server :-

A critical vulnerability has been identified in Adobe Flash Media Server (FMS) 4.0.2 and earlier versions, and Adobe Flash Media Server (FMS) 3.5.6 and earlier versions for Windows and Linux.
This vulnerability could allow an attacker, who successfully exploits the vulnerability, to cause a denial of service on the affected system. Adobe has provided an update to address the reported vulnerability and recommends that users update their installations to Flash Media Server 4.0.3 or 3.5.7 respectively.

Security update available for Adobe Flash Player :-

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.25 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.183.5. Users of Adobe Flash Player for Android 10.3.185.25 and earlier versions should update to Adobe Flash Player for Android 10.3.186.3. Users of Adobe AIR 2.7 for Windows and Macintosh, should update to 2.7.1 and users of AIR 2.7 for Android should update to Adobe AIR 2.7.1.1961.

Security update available for Adobe Photoshop CS5 :-

A critical vulnerability has been identified in Photoshop CS5 and CS5.1 (12.0 and 12.1) and earlier for Windows and Macintosh that could allow an attacker who successfully exploits this vulnerability to take control of the affected system. To successfully exploit this vulnerability, an attacker would have to convince a user to open a malicious .GIF file in Photoshop CS5.

Security updates available for RoboHelp :-

An important vulnerability has been identified in RoboHelp 9 (versions 9.0.1.232 and earlier), RoboHelp 8, RoboHelp Server 9 and RoboHelp Server 8. A specially crafted URL could be used to create a cross-site scripting attack on RoboHelp installations. 

-News Source (Adobe & Help Security)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Hackers Breached Adobe Server in Order to Compromise Certificate to Sign malware

Posted by Avik Sarkar On 9/29/2012 02:33:00 am

Hackers Breached Adobe Server in Order to Compromise Certificate to Sign malware

Few advanced hackers have managed to break into an internal server at Adobe to compromise a digital certificate that allowed them to create at least two files that appear to be legitimately signed by the software maker, but actually contain malware. This security breach took place on Thursday and the software giant Adobe confirmed that the attackers signed at least two malicious utility programs with the valid Adobe certificate. The company traced the problem to a compromised build server that had the ability to get code approved from the company’s code-signing system. As a result of the breach, which appears to date back to early July, Adobe on Oct. 4 expects to revoke the compromised certificate that was used to sign the malicious files. According to Brad Arkin, senior director of product security and privacy for Adobe “This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh,” 

Arkin wrote. “The revocation does not impact any other Adobe software for Macintosh or other platforms.” The company uncovered the breach after coming across two malicious "utilities" that appeared to be digitally signed with a valid Adobe cert. It is unclear how or whether those files were used in the wild to target anyone. "Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise," Arkin wrote

In another blog posted by Arkin, he said that, generally speaking, most Adobe users won't be affected"Is your Adobe software vulnerable because of this issue?" he wrote. "No". This issue has no impact on the security of your genuine Adobe software. Are there other security risks to you? We have strong reason to believe that this issue does not present a general security risk. The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware."
The "build" server that was compromised was not configured according to Adobe's corporate standards, but that shortfall wasn't caught during the provisioning process, Arkin said. He added that the affected server did not provide the adversaries with access to any source code for other products, such as the popular Flash Player and Adobe Reader and Acrobat software. 
Here we would like to give you reminder that in the last few months we have been a slew of attacks against the following sites: Guild Wars 2GamigoBlizzardYahooLinkedIneHarmonyFormspringAndroid ForumsGamigo,  Nvidia,Blizzard and  Philips. And after this breach Adobe also enlisted its name among those who was fallen victim to cyber criminals in this year. For all the latest on cyber security and hacking related stories; stay tuned with VOGH

UPDATE: Recently we got an update, where Adobe denies the breach. In their later press release an Adobe spokeswoman said the certificate was not actually stolen: "Adobe has stringent security measures in place to protect its code signing infrastructure. The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) kept in physically secure facilities. We confirmed that the private key associated with the Adobe code signing certificate was not extracted from the HSM."


-Source (Adobe, SC Magazine, WIRED)





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Adobe Confirms Data Breach, Hacker Leaked More Than 150,000 Customer Details

Posted by Avik Sarkar On 11/21/2012 01:17:00 am

Adobe Confirms Data Breach, Hacker Leaked More Than 150,000 Customer Details 

Yet again Adobe, the American multinational computer software company had fallen victim of cyber attack. In September Adobe faced what it called a sophisticated cyber attack where hackers have breached Adobe server in order to compromise certificate to sign malware. As a move Adobe revoked those certificates on October 4th. After that massacre, here again one of Adobe's databases has been breached by a hacker and that it has temporarily taken offline the affected Connectusers.com website. The attacker who claimed responsibility for the attack, told that he used a SQL injection exploit in the breach. Adobe confirmed the breach and said that the hacker indeed managed to break into an Adobe server and copy the private credentials of approximately 150,000 users – including their names, email addresses and password hashes. Those affected accounts include Adobe customers, Adobe employees and partners along with U.S. military users including U.S. Air Force users, and users from Google, NASA, universities, and other companies. To prove the attack, the intruder, who goes by the name of "ViruS_HimA" and claims to be from Egypt, has released extracts from his haul on the Pastebin text hosting service. 
"It was an SQL Injection vulnerability -- somehow I was able to dump the database in less requests than normal people do," said ViruS_HimA. Users passwords for the Adobe Connect users site were stored and hashed with MD5, says the hacker, which made them "easy to crack" with freely available tools. And Adobe wasn't using WAFs on the servers, the hacker notes. "I just want to be clear that I'm not going against Adobe or any other company. I just want to see the biggest vendors safer than this," he told the press. "Every day we see attacks targeting big companies using Exploits in Adobe, Microsoft, etc. So why don't such companies take the right security procedures to protect them customers and even themselves?"
"Adobe is a very big company but they don't really take care of them security issues, When someone report vulnerability to them, It take 5-7 days for the notification that they've received your report!!" he wrote. "It even takes 3-4 months to patch the vulnerabilities!" 
While talking about such big cyber attacks, here we would like to give you reminder that in the last few months we have been a slew of attacks against the following sites: Guild Wars 2GamigoBlizzardYahooLinkedIneHarmonyFormspringAndroid ForumsGamigo,  Nvidia,BlizzardPhilips, Zynga, VMWare, & so on. For all the latest on cyber security and hacking related stories; stay tuned with VOGH


-Source (Dark Reading, The-H)





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Finally Flash 11 beta 64-bit Support For Linux is Now Available

Posted by Avik Sarkar On 7/16/2011 01:47:00 pm

Adobe has released the first beta of Flash 11, a major update of the rich media browser plug-in. A significant change in this version of Flash is the availability of 64-bit builds for Windows, Linux, and Mac OS X.
The long-overdue delivery of 64-bit support is a major milestone for Adobe. The company first demonstrated an experimental 64-bit Flash plug-in prototype in 2008 and vowed to eventually deliver support for the x64 architecture across all of the major desktop operating systems. The plan had to take a backseat, however, as Adobe's focus shifted to other priorities. Improving Flash's performance and reliability on mobile devices has consumed much of the company's attention over the past year.
Adobe dropped its previous experimental 64-bit Flash plug-in roughly a year ago, citing the need for significant architectural changes. At the time, we joked that Flash's 64-bit support might finally land at about the same time as Duke Nukem Forever. It's sort of funny how that worked out. Unlike Duke's less-than-triumphant return, however, the new 64-bit Flash plugin actually lives up to its promise.
Linux users have typically had to rely on frameworks like nspluginwrapper to use the 32-bit Flash plug-in in a 64-bit browser. Due to native 64-bit support, the new beta version of the Flash plug-in can be used without a shim. We briefly tested it on Ubuntu 11.04 in the Firefox Web browser. In light of Adobe's controversial decision to discontinue Adobe AIR on the Linux platform, it's a bit surprising that it is treating the operating system as a first-class citizen with 64-bit support in Flash 11.

In addition to 64-bit support, the new plug-in also introduces the new Stage3D APIs—Adobe's Molehill project—which provides hardware-accelerated 3D rendering capabilities in the same vein as WebGL. The runtime has also gained improved JSON handling and some technical improvements that make garbage collection less intrusive. Another nice addition is support for H.264 encoding of real-time video streams captured from the user's camera—offering better compression for video chat and other similar kinds of applications.
The plug-in is available for download from Adobe's website in 32-bit and 64-bit flavors. Adobe warns, however, that the beta is still a work in progress and not intended for serious day-to-day use. I didn't encounter any serious problems during my brief test of the plugin.
To see the official Announcement of Adobe Click Here 


-News Source (ARS & Adobe)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Adobe SWF Investigator: A Tool To Analyze Flash Files For Security Researcher & Developers

Posted by Avik Sarkar On 3/07/2012 03:11:00 pm

Adobe SWF Investigator: A Tool To Analyze Flash Files For Security Researcher, Engineers & Developers
Adobe Labs officially announced Adobe SWF Investigator for analyzing Flash files in details. Whether a security expert wants to look into a Flash exploit or a developer wants to debug their own project, the tool collection can be used, among other things, to decompile SWF files in order to then examine the ActionScript source code.

Brief About Adobe SWF Investigator:- 
Adobe® SWF Investigator is the only comprehensive, cross-platform, GUI-based set of tools, which enables quality engineers, developers and security researchers to quickly analyze SWF files to improve the quality and security of their applications. With SWF Investigator, you can perform both static and dynamic analysis of SWF applications with just one toolset. SWF Investigator lets you quickly inspect every aspect of a SWF file from viewing the individual bits all the way through to dynamically interacting with a running SWF.

SWF Investigator Features:-
  • From a static perspective, you can disassemble ActionScript 2 (AS2) and ActionScript 3 (AS3) SWFs, view SWF tags and make binary changes to SWF files. SWF Investigator also lets you view associated information, including local shared objects (LSOs) and per site settings.
  • From a dynamic perspective, you can call functions within the SWF, load the SWF in various contexts, communicate via local connections and send messages to Action Message Format (AMF) endpoints in order to test more effectively.
  • SWF Investigator contains an extensible fuzzer for SWF applications and AMF services, so you can search for common Web application attacks. This toolset also provides a variety of utilities including encoders and decoders for SWF data, as well as a basic compiler for testing small pieces of ActionScript code.

Additional Benefits:-
  • SWF Investigator is the only application of its kind that's built on Adobe AIR – a versatile runtime that supports ActionScript, the language used to create SWF applications.  This allows for native interaction between the SWF Investigator and the SWF application. Using ActionScript also makes the source code of the tool more intuitive for SWF developers.
  • SWF Investigator has the ability to auto-update, so you don't need to worry about whether or not you have the most current version.
  • Since it's an open source AIR application, SWF Investigator can be modified to fit your environment, and it is cross-platform.

To Download Adobe SWF Investigator Preview Version Click Here

-Source (Adobe)


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

BlackBerry PlayBook OS v1.07.3312 Updated & Fixed Adobe Flash Vulnerability

Posted by Avik Sarkar On 10/08/2011 04:00:00 pm



A new version of the BlackBerry® Tablet OS is now available to all BlackBerry® PlayBook™ tablet users. BlackBerry Tablet OS v1.07.3312 contains an updated version of Adobe® Flash® Player. This free update can be downloaded over-the-air from your BlackBerry PlayBook tablet.


On September 21st, Adobe issued an update for Adobe Flash Player, as noted in Adobe Security BulletinsAPSB-11-26, which addresses issues that can potentially affect any PC, tablet, or other device with an operating system that supports Adobe Flash. 
While there are no known reports of any BlackBerry PlayBook tablet users being affected by these Adobe Flash issues, we (as always) encourage all BlackBerry PlayBook users to update to the newest version of the BlackBerry Tablet OS. For more information about what these security updates mean to the BlackBerry PlayBook, please see our security advisory.

How to update your BlackBerry PlayBook tablet :-
Existing BlackBerry PlayBook tablet users will automatically receive a software update notification on the BlackBerry PlayBook status ribbon, or they can check for the software update at any time in the settings menu under Software Updates. Users who purchase and activate a BlackBerry PlayBook tablet on or after Thursday October 6th will automatically be updated to 1.07.3312 or later as part of the BlackBerry PlayBook tablet setup process.
For users who are already running BlackBerry PlayBook v1.0.7.2942 or higher, the update to this new version (v1.07.3312) will include only the Adobe Flash update and is expected to take only a few minutes to install.

-News Source (BlackBerry) 



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search