McAfee spots Adobe Reader PDF-tracking flaw
McAfee said it has found a vulnerability in Adobe Systems' Reader program that reveals when and where a PDF document is opened.
The issue is not a serious problem and does not allow for remote code execution, wrote McAfee's Haifei Li in a blog post. But McAfee does consider it a security problem and has notified Adobe. It affects every version of Adobe Reader, including the latest version, 11.0.2, Li wrote.
McAfee recently detected some "unusual" PDF samples, Li wrote. McAfee withheld some key details of the vulnerability, but did generally describe it. Read more...
Adobe confirms Windows 8 users vulnerable to active Flash exploits
Microsoft's Windows 8 is vulnerable to attack by exploits that hackers have been aiming at PCs for several weeks, Adobe has confirmed.
Microsoft said it will not patch the bug in Flash Player until what it called "GA," for "general availability." That would be Oct. 26, when Windows 8 hits retail and PCs powered by the new operating system go on sale.
"We will update Flash in Windows 8 via Windows Update as needed," a spokeswoman said in a reply to questions. "The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe." Read more...
Adobe fixes Flash Player for Firefox to stop crashes
Adobe yesterday updated Flash Player to solve a weeks-long problem for users of Mozilla's Firefox browser.
The update, Flash Player 11.3.300.262, was released Thursday and applies only to Firefox on Windows.
Since Adobe shipped an update to Flash Player to 11.3 two weeks ago, users of Firefox, including older editions as well as the current Firefox 13, had reported crashes when trying to access Flash content.
Initial suspicions at Mozilla pointed to Flash Player 11.3's new sandboxed plug-in for Firefox, but yesterday Adobe claimed that there were "different causes" for the crashes, which seemed to be concentrated on Windows Vista and Windows 7 machines. Read more...
Adobe: Photoshop is not a target for attackers
Adobe have responded to the suggestion that they are effectively charging for security updates, saying that they do not believe that "the real-world risk to customers warranted an out-of band release to resolve these issues". On Wednesday, a security bulletin issued by Adobe pointed out security flaws in Photoshop CS5/CS5.5 and Illustrator CS5/CS5.5, but offered only a paid-for upgrade to the very recently released CS6 versions of the applications as a fix for the flaws. Read more...
Adobe preps silent Flash updates for Macs
Adobe last week released a new beta of Flash Player that includes silent updates for Macs.
Adobe first included silent updates for OS X in the Flash Player beta a month ago; the version shipped Friday was tagged as "Beta 3."
Adobe introduced silent updates for Flash Player on Windows in late March. At the time, the company committed to creating the same feature on OS X, but did not set a timetable. Read more...
Adobe to launch new software suite for designers
Adobe is launching the latest version of its software package for designers and Web developers.
Adobe Systems Inc. is set to announce CS6 on Monday at an event in San Francisco. Creative Suite 6 includes Photoshop, Illustrator and other programs aimed at designers.
Unlike previous versions, which came shrink-wrapped in a box, Creative Suite 6 will be available on a monthly subscription basis as part of Adobe's Creative Cloud offering. Subscriptions will start at $50 a month for those who sign up for a year. Subscribers will be able to download programs such as Photoshop, InDesign or Illustrator, store their work online and share files with others. Read more...
Adobe auto-update eases Flash update chore – on Windows only
Adobe has introduced an auto-updater for its Flash software packages that reduces the chore of updating the widely-used application by automating the process for all supported browsers on Windows machines. Previously users had to apply individual updates to Chrome, Firefox and IE add-ons and plug-ins, a process that often went neglected, leaving systems open to attack. Read more...
Developers Are Divided Over Adobe’s Plan to Take Revenue Share For Higher-End Flash Games
Developers are at odds over Adobe’s plan to charge a 9 percent revenue share for higher-end Flash games that make more than $50,000 in revenues.
So today, Adobe announced a new set of features for developers who create very graphics-heavy games with the launch of Flash Player 11.2. It also unveiled a partnership with Unity Technologies, the Sequoia-backed company with a popular gaming engine that powers titles like Mika Mobile’s Battleheart.
This could bump up the overall quality of browser-based games, considering that the new version of Flash has powers to tap into hardware for rendering 3-D graphics. Read more...
Adobe to Linux users: Get Chrome or forget Flash
Adobe today said that it would stop offering direct downloads of Flash Player for Linux, telling users to move to Google's Chrome browser, which bundles Flash with its updates.
Today's demotion of Flash Player on Linux to Chrome-only was the second time in the last three months that Adobe has withdrawn some or all support from a version of the popular media software: In November, Adobe announced it was abandoning development of Flash for mobile browsers, including the new Chrome for Android .
In a roadmap for Flash Player (download PDF), Adobe unveiled its plans through 2012 and into 2013.
The last version of a separate Flash Player for Linux, 11.2, will be released this quarter, Adobe announced in the roadmap document. After that, Linux users who require browser-based Flash must switch to Chrome, Google's three-year-old browser. Read more...
Adobe confirms new zero-day Flash bug
Adobe on Wednesday patched seven critical vulnerabilities in Flash Player, including one reported by Google researchers that hackers are using in "active targeted attacks." The bug attackers have been exploiting is a cross-site scripting (XSS) flaw in the Flash Player plug-in used by Microsoft's Internet Explorer (IE).
"This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or Web mail provider, if the user visits a malicious website," read the Adobe security advisory that accompanied yesterday's Flash update. "There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message." Read more...
Adobe launches sandboxed Flash Player for Firefox, hopes for fewer exploits
Adobe has released a beta version of Flash Player for Firefox, which has better protection against vulnerability exploits because of a new sandboxed architecture.
"The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach," said Peleus Uhley, platform security strategist at Adobe, in a blog post on Monday. "Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities."
In secure software development, sandboxing refers to the practice of isolating a process from the operating system in order to minimize the fallout of a potential exploit. This type of technology has gained popularity in recent years, primarily because of its use in Google Chrome, a browser that has never experienced a successful remote code execution attack so far. Read more...
Espionage network exploiting Adobe Reader flaw
Adobe warned users of its Reader software earlier this week that hackers were using a critical vulnerability in the program to enable "limited, targeted attacks." Today security firm Symantec provided details of the compromise, which appear to have been well-funded efforts aimed at stealing secrets from specific industries and government agencies in the United States and United Kingdom.
The attacks used crafted emails designed to look like personal communications to specific managers or executives at the targeted organization, the company states in its brief analysis. Once the PDF attachment is opened, a Trojan -- dubbed "Sykipot" by Symantec -- infects the system using the vulnerability. Once a system is compromised, it communicates with a network of command-and-control servers hosted on at least a dozen and perhaps more than 50 domains. Read more...
Hackers exploit Adobe Reader zero-day, may be targeting defense contractors
Adobe today confirmed that an unpatched, or zero-day, vulnerability in Adobe Reader is being exploited by criminals.
Those attacks may have been aimed at defense contractors.
Adobe promised to patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of next week. Tuesday, Dec. 12 is also Microsoft's regularly-scheduled Patch Tuesday for the month.
The upcoming patch will be Adobe's sixth for Reader and Acrobat this year.
"A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh," Adobe said in an early-warning email. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system." Read more...
‘Occupy Flash’ movement wants Adobe’s plug-in dead
A small group of website and mobile app developers have kicked off an "Occupy Flash" campaign to put a stake in the heart of Adobe's popular browser plug-in.
The organization, which launched a website earlier this week, said its goal was to "Get the world to uninstall the Flash Player plug-in from their desktop browsers."
And the group didn't mince words why it was after Flash Player.
"Flash Player is dead. Its time has passed. It's buggy. It crashes a lot. It requires constant security updates," said the Occupy Flash site. "It's a fossil, left over from the era of closed standards and unilateral corporate control of Web technology."
Last week, Adobe announced that it was halting development of Flash Player for mobile browsers, but that it would continue work on the plug-in for desktop browsers such as Microsoft's Internet Explorer (IE), Mozilla's Firefox, Google's Chrome and Apple's Safari. Read more...
Adobe Systems launches Flash Player 11 and Air 3
Adobe Systems announced on Wednesday the release of Flash Player 11 and Adobe Air 3 software to help developers build more sophisticated applications, with dozens of new features across smartphones and tablets as well as desktop computers.
The releases are Adobe's biggest in two years and will be available free of charge in early October, said Anup Murarka, Adobe's director of product marketing. The related tools, Flash Builder and Flex, will support new features in Flash Player 11 and Adobe Air 3 by the end of the year.
The releases will enable delivery of 2D and 3D games over the Internet to various devices, Murarka said. Developers of enterprise applications will also find the 3D capabilities popular for data-centric apps. Enterprises, for example, will be able to build application dashboards to "visualize complex data sets" with 3D images, he said. Read more...