
SANS ISC: Today's Adobe Patches and Vulnerabilities - SANS Internet Storm Center SANS ISC InfoSec Forums


Today's Adobe Patches and Vulnerabilities

It is not easy to keep up with Adobe these days. Patches and new exploits are released on an almost daily schedule. So here is the current "State of Adobe" the way I see it:

| Product | Latest Version | Latest Vulnerabilities |
|---|---|---|
| PDF Reader | 9.4.0 | version 9.4.0 (latest version) is vulnerable; Adobe Reader Unspecified Memory Corruption Vulnerability; Secunia #SA42095, no CVE Number assigned yet |
| Flash Player | 10.1.102.64 | version 10.1.85.3 is vulnerable. Patch released today (Nov. 4th); "Authplay Vulnerability"; CVE-2010-3654 |
| Shockwave Player | 11.5.9.615 | 11.5.9.615 (latest version) is vulnerable; "Shockwave Settings" Use-After-Free Vulnerability; Secunia #SA42112, no CVE Number assigned yet |
| Acrobat | 9.4.0 | version 9.4.0 (latest version) is vulnerable; "Authplay Vulnerability"; CVE-2010-3654 |
| Air | 2.5 | version 2.0.3 is vulnerable (old version) |

Please let me know if you have corrections or, better, if you find a simple overview of "the state of Adobe bugs" on Adobe's own site. Any Adobe people out there: Feel free to copy the concept :). This table will be "frozen" to today's state, and we may publish similar, updated tables in the future as a new article.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3089 Posts
ISC Handler
Holy moley, this will be helpful! Thanks! :)

I'd encourage Adobe to focus less on pushing partnered content (web browser toolbars or a/v products) with the Adobe product downloads, and instead create a support page that serves the exact purpose as what Johannes has created here.

Also, links to such things as the tests to confirm installation of Flash/Shockwave/Air could be included there, too. Extra points would be awarded if the tests would accurately identify installed version numbers.

In the meantime, thanks again!
Nathan

8 Posts
The FlashPlayer page http://www.adobe.com/software/flash/about/ will show you your installed version and the current versions. The Shockwave player page http://www.adobe.com/shockwave/welcome/ shows your installed version if you hover over the sample, but does not show current versions.
I can't imagine why Adobe hasn't made these pages consistently useful...
Paul

44 Posts
In the newest issue (table's first issue) Adobe provides a workaround for Adobe Reader versions 9.2 and 8.1.7 or later:
http://blogs.adobe.com/psirt/2010/11/potential-issue-in-adobe-reader.html
Additionally, it states that Adobe Acrobat is not affected.
Juha-Matti

5 Posts
We still have https://www.mozilla.com/en-US/plugincheck/ to go to for pluginchecks, for most browsers (IE and Opera tested today).

At the present it still says Flash Player 10.1.85.3 is CURRENT but I hope this is updated shortly.

It finds the "Microsoft Office 2010" plugin, but does not know what it is.
dotBATman

60 Posts
Very useful table.

Maybe another column titled "Update Available" stating "Yes", "ETA dd.Mmm.yy" or "No" would make the table easier to read / script.. :)

I wish we could all agree on one location and format for this table, for all operating systems and applications. That way software authors and users would only need to update / check once.. Utopia!
dotBATman

60 Posts
Latest Flash Player version is 10.1.103.19
Anonymous

Posts
@Juanma
Flash Player version 10.1.102.64 reads as version 10.1 (r102) - at least for the Windows version of Flash Player.
Anonymous

Posts
For those scripting these things there is an updated Flash Uninstaller;
uninstall_flash_player.exe (228 KB) (updated 04.Nov.2010).
http://kb2.adobe.com/cps/141/tn_14157.html?promoid=DTEGO
dotBATman

60 Posts
@Juanma - I am a bit worried that you are referring to a version I can't see on Adobe's pages. No offense, but I'm afraid I have to give advice to ISC readers that you should NOT run to Google to search for the 10.1.103.19 version.. ;-)

I'd trust http://www.adobe.com/software/flash/about/
dotBATman

60 Posts
Why does Adobe make it next to impossible to simply download the updated version without installing?
Anonymous

Posts
@Juanma, Ottmar and dotBATman
I think that 10.1.102.64 is for Firefox, IE, Opera, etc. and 10.1.103.19 is for Google Chrome.
Chris

4 Posts
@eddie, if you request the right to distribute you can download the files.

http://www.adobe.com/products/players/fpsh_distribution1.html

http://www.adobe.com/products/air/runtime_distribution1.html

http://www.adobe.com/products/reader/rdr_distribution1.html

-eddy
Anonymous

Posts
So Adobe has an auto updater for Adobe reader. Why doesn't it also update their other free products that you might have installed, like shockwave and flash??
Anonymous

Posts
@eddie
You can also download manual installers from here:

http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller

I always just google 'flash troubleshoot'
K-Dee

60 Posts
How is Secunia coping as per this table? Ref earlier poll about which solutions us simpleminded use to keep ahead...
Kelwin

1 Posts
And now Acrobat Reader's vulnerable even before it's been patched...

The end of the world as we know it will start with an emailed invoice encoded as an Acrobat file.
Anonymous

Posts
@ Chris: You're right. To make things more difficult they have different versions depending on the browser. 10.1.102.64 is the latest for Firefox and 10.1.103.19 is the latest version for Chrome. I didn't know they have different versions for each browser. Sorry if I generated confusion. Now it's clear.
Anonymous

Posts
