Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Today's Adobe Patches and Vulnerablities - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Today's Adobe Patches and Vulnerablities

It is not easy to keep up with Adobe these days. Patches and new exploits are almost released on a daily schedule. So here is the current "State of Adobe" the way I see it:

Product Latest Version Latest Vulnerabilities
PDF Reader 9.4.0

version 9.4.0 (latest version) is vulnerable
Adobe Reader Unspecified Memory Corruption Vulnerability
Secunia #SA42095, no CVE Number assigned yet
Flash Player 10.1.102.64 version 10.1.85.3 is vulnerable. Patch released today (Nov. 4th)
"Authplay Vulnerability"
CVE-2010-3654
Shockwave Player 11.5.9.615 11.5.9.615 (latest version) is vulnerable
Shockwave Settings" Use-After-Free Vulnerability)
Secunia# SA42112, no CVE Number assigned yet
Acrobat 9.4.0 version 9.4.0 (latest version) is vulnerable
"Authplay Vulnerability"
CVE-2010-3654

 
Air 2.5 version 2.0.3 is vulnerable (old version)

 Please let me know if you have corrections, or better if you find a simple overview about "the state of Adobe bugs" on Adobe's own site. Any Adobe people out there: Feel free to copy the concept :). This table will be "frozen" to today's state and we may update similar, updated tables in the future as a new article.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Security West 2019

 Johannes

3508 Posts
ISC Handler
Reply Subscribe Nov 4th 2010
8 years ago
Holy moley, this will be helpful! Thanks! :)

I'd encourage Adobe to focus less on pushing partnered content (web browser toolbars or a/v products) with the Adobe product downloads, and instead create a support page that serves the exact purpose as what Johannes has created here.

Also, links to such things as the tests to confirm installation of Flash/Shockwave/Air could be included there, too. Extra points would be awarded if the tests would accurately identify installed version numbers.

In the meantime, thanks again!
Nathan

8 Posts
Reply Quote Nov 4th 2010
8 years ago
The FlashPlayer page http://www.adobe.com/software/flash/about/ will show you your installed version and the current versions. The Shockwave player page http://www.adobe.com/shockwave/welcome/ shows your installed version if you hover over the sample, but does not show current versions.
I can't imagine why Adobe hasn't made these pages consistently useful...
 Paul

44 Posts
Reply Quote Nov 5th 2010
8 years ago
In the newest issue (table's first issue) Adobe provides a workaround for Adobe Reader versions 9.2 and 8.1.7 or later:
http://blogs.adobe.com/psirt/2010/11/potential-issue-in-adobe-reader.html
Additionally, it states that Adobe Acrobat is not affected.
 Juha-Matti

5 Posts
Reply Quote Nov 5th 2010
8 years ago
We still have https://www.mozilla.com/en-US/plugincheck/ to go to for pluginchecks, for most browsers (IE and Opera tested today).

At the present it still says Flash Player 10.1.85.3 is CURRENT but I hope this is updated shortly.

It finds the "Microsoft Office 2010" plugin, but does not know what it is.
 dotBATman

63 Posts
Reply Quote Nov 5th 2010
8 years ago
Very useful table.

Maybe another column titled "Update Available" stating "Yes", "ETA dd.Mmm.yy" or "No" would make the table easier to read / script.. :)

I wish we could all agree on one location and format for this table, for all operating systems and applications. That way software authors and users would only need to update / check once.. Utopia!
 dotBATman

63 Posts
Reply Quote Nov 5th 2010
8 years ago
Latest Flash Player version is 10.1.103.19
 dotBATman
5 Posts
Reply Quote Nov 5th 2010
8 years ago
@Juanma
Flash Player version 10.1.102.64 reads as version 10.1 (r102) - at least for the Windows version of Flash Player.
 Anonymous
Reply Quote Nov 5th 2010
8 years ago
For those scripting these things there is an updated Flash Uninstaller;
uninstall_flash_player.exe (228 KB) (updated 04.Nov.2010).
http://kb2.adobe.com/cps/141/tn_14157.html?promoid=DTEGO
 dotBATman

63 Posts
Reply Quote Nov 5th 2010
8 years ago
@Juanma - I am abit worried that you are referring to a version I can't see on Adobe's pages. No offense, but I'm afraid I have to give advice to ISC readers that you should NOT run to Google to search for the 10.1.103.19 version.. ;-)

I'd trust http://www.adobe.com/software/flash/about/
 dotBATman

63 Posts
Reply Quote Nov 5th 2010
8 years ago
Why does Adobe make it next to impossible to simply download the updated version without installing?
 dotBATman
3 Posts
Reply Quote Nov 5th 2010
8 years ago
Why does Adobe make it next to impossible to simply download the updated version without installing?
 dotBATman
3 Posts
Reply Quote Nov 5th 2010
8 years ago
@Juanma, Ottmar and dotBATman
I think that 10.1.102.64 is for Firefox, IE, Opera, etc. and 10.1.103.19 is for Google Chrome.
 Chris

4 Posts
Reply Quote Nov 5th 2010
8 years ago
@eddie, if you request the right to distribute you can download the files.

http://www.adobe.com/products/players/fpsh_distribution1.html

http://www.adobe.com/products/air/runtime_distribution1.html

http://www.adobe.com/products/reader/rdr_distribution1.html

-eddy
 Anonymous
Reply Quote Nov 5th 2010
8 years ago
So Adobe has an auto updater for Adobe reader. Why doesn't it also update their other free products that you might have installed, like shockwave and flash??
 Anonymous
Reply Quote Nov 5th 2010
8 years ago
@eddie
You can also download manual installers from here:

http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller

I always just google 'flash troubleshoot'
 K-Dee

63 Posts
Reply Quote Nov 5th 2010
8 years ago
How is Secunia coping as per this table? Ref earlier poll about which solutions us simpleminded use to keep ahead...
 Kelwin

1 Posts
Reply Quote Nov 5th 2010
8 years ago
And now Acrobat Reader's vulnerable even before it's been patched...

The end of the world as we know it will start with an emailed invoice encoded as an Acrobat file.
 Kelwin
57 Posts
Reply Quote Nov 6th 2010
8 years ago
And now Acrobat Reader's vulnerable even before it's been patched...

The end of the world as we know it will start with an emailed invoice encoded as an Acrobat file.
 Kelwin
57 Posts
Reply Quote Nov 6th 2010
8 years ago
@ Chris: You're right. To make things more difficult they have different versions depending on the browser. 10.1.102.64 is the latest for Firefox and 10.1.103.19 is the latest version for Chrome. I didn't know they have different versions for each browser. Sorry if I genrated confusion. Now it's clear.
 Kelwin
5 Posts
Reply Quote Nov 8th 2010
8 years ago

Sign Up for Free or Log In to start participating in the conversation!