Adobe acknowledges critical security flaw in software...

Similar Messages

• Adobe Read X1 security flaws

  In a recent issue of Computer Active, I noticed that you had released a patch for eight security flaws discovered in Adobe Reader.  I tried to apply this fix via Computer Active's suggested link, but could not.  I have checked Adobe Reader X1 on my computer but the help just says there are no updates.  Could you please advise me where to find the fix in order that I may ensure my system is not at risk.
  Thanks.

  You can get the latest version of Reader for your OS here: Adobe - Adobe Reader download - All versions

• Security Flaw on iPhone???

  Critical iPhone security flaw found
  Fortify Software, a security firm, has uncovered a critical security flaw in the Apple iPhone which could lead to phishing attacks.
  Because the iPhone only displays the first few characters of a URL in its Safari web browser, phishers could easily hide a fraudulent URL at the end of a link without the user even knowing it.
  Even worse, the iPhone connects the browser and the phone in such a way that it may be possible to embed scam telephone numbers into a site to make the phone automatically dial the scam number.
  Let’s hope Apple is working on a fix for this one because that is some scary stuff. Now, if you input addresses yourself and use bookmarks, the chances of being affected by this are relatively minimal. That said, watch out for strange emails and Google results — you can’t always trust that either.
  Anybody read this? Any comments or thoughts??? Valid?

  It's hardly a new flaw since disguising URLs in links has been common practice for some time. However, while the browser does indeed only show a limited number of characters from the URL being opened (more if in landscape mode than portrait) to get to the URL at all the user would either have to enter it manually, or encounter it in an email or web page where the full URL should readily be discovered.
  It seems probable to me that over time, security holes will be found as in all accessible and discoverable devices on the internet. Based on experience with Apple and MacOS, I would have confidence that genuine weaknesses found in the iPhone will benefit from security fixes as expeditiously as possible.

• HP printer software includes old flash player that poses critical security risks

  I would like to use the HP Solution Center for a Photosmart C309a printer but the HP software includes an older flash player (Adobe Flash Player 9.0 r115) that poses critical security risks.  
  HP includes this old flash version at:
  C:\Program Files (x86)\HP\Digital Imaging\help\player\FlashPla.exe
  Is there a way to update this HP program file to a safe version of Flash Player?
  I think this is a generec security issue, but if it helps I run Windows 7 64-bit.

  Hello dghdah,
  Welcome to the HP Forums, I hope you enjoy your experience! To help you get the most out of the HP Forums I would like to direct your attention to the HP Forums Guide First Time Here? Learn How to Post and More.
  I understand you are looking for an updated version of Adobe Flash Player to use with Solution Center. When you install the Solution Center, normally Windows would skip the older version as your OS may have an up to date version. If this is not the case and the older version installed, you would need to update the flash player. Below I have linked you to the Adobe website to complete the update.
  Adobe Flash Player Support Center
  Best wishes,
  R a i n b o w 7000I work on behalf of HP
  Click the “Kudos Thumbs Up" at the bottom of this post to say
  “Thanks” for helping!
  Click “Accept as Solution” if you feel my post solved your issue, it will help others find the solution!

• HT1338 Hi, I'm trying to load Facetime on my MacBook and it says "You are missing a critical security patch. Please use Software Update to install Security Update 2010-005". I've checked and all my software is updated. What do I do?

  Hi, I'm trying to load Facetime on my MacBook and it says "You are missing a critical security patch. Please use Software Update to install Security Update 2010-005". I've checked and all my software is updated. What do I do?

  First off, iOS 5 will not run on Macs.   You need to give us your Mac OS X on your Mac to determine which security update you need.  Go to Apple menu -> About This Mac.     And then read the link here:
  http://support.apple.com/kb/HT1222

• Acrobat 9.2.0 Update Breaks Text Box Tool, Possibly Introduces a New Security Flaw.

  Anyone have any ideas for this one?
  Once we upgraded to version 9.2.0 (This is a major security release that fixes a Javascript security flaw) our text box tool no longer works the way we want it and crashes the program.
  Try this:
  1. Open any PDF document on a  Windows XP SP3 computer with Adobe Acrobat 9.2.0.
  2. Add the 'Text Box Tool'  to the toolbar by right-clicking the toolbar and selecting 'MoreTools' then placing a checkbox next to the 'Text Box Tool'.
  3. Click the 'Text Box Tool' on the toolbar and draw a new textbox anywhere on the PDF document.
  4. Click out of the textbox to cancel typing mode, then single click back on the textbox that you just created.
  5. Right-click the textbox that you created and select 'Properties..."
  6. Under the 'Appearance' tab,
  a. Select Style: No Border
  b. Select Fill Color: No Color
  c. Check the box 'Make Properties Default'
  d. Click OK.
  7. Click the Text Box Tool again, and draw another textbox (Since there is no border you will not see it but you will still be drawing a textbox).
  8. Let go of the mouse when you are done drawing your textbox rectangle and the program will crash at this point.
  Results:
  1. "An internal error occurred." dialog box is displayed.
  2. After clicking ok the following "Microsoft Visual C++ Runtime Library" dialog box is displayed:
  "Runtime Error!
  Program: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
  R6025
  - pure virtual function call
  3. After clicking ok another dialog box is displayed:
  Error signature
  AppName: acrobat.exe AppVer: 9.2.0.124 ModName: acrobat.dll Offset: 000509dd
  4. The same error has occurred on all five computers that we tested the new version on.
  Expected results: A new textbox is created and you may start typing in text (This was the behavior in version 9.1.3).
  Additional Information
  At times, we need to add information to PDF files (i.e missing dates, etc). We have always used the Text Box Tool to do this with no border, and with no fill color as this is the EASIEST and FASTEST way to add information to PDF files in a precise manner. We want the fill color to be transparent so that we can fit text in between and exactly on lines easier, and so that there is not a solid background box behind the text. We want no border because a border around text that needs to go on a line looks stupid. Up until version 9.2 this procedure worked fine. Now, the program will crash. Perhaps this even adds another security vulnerability if the crash could be exploited. We want to maintain security by patching Adobe to address the JavaScript vulnerability that was addressed in version 9.2.0, however, we are not able to update our users as the new version breaks the fundamental purpose that we use Adobe Acrobat for. We are stuck with the vulnerable version 9.1.3 until this problem is addressed. Disabling JavaScript is not an option either, as we use a Java plug-in on a daily basis.
  Any thoughts would be great, I have attached screenshots of the errors.

  The question still is not answered.
  The problem continues in Acrobat 8.1.7 for Windows, even after updating toAcrobat  8.2.0. ( I can't comment on whether recent updates to Acrobat 9 fix the problem in Acrobat 9.)
  The internal error after text insertion problem occurs even with PDF documents created in Acrobat 8, i.e., not only old versions of PDF files. We have the text box insertion icon in the toolbar, and the properties set to "no color" for the box and "0" width for the text box lines, as other commentators have noted.
  The problem did not exist when Acrobat 8 Pro was installed, it was introduced by one of the updaters.
  The main reason we use Acrobat, rather than much cheaper PDF-creation software, is to annotate PDF files (including inputting data into spaces in standard forms).
  So justify the high price of Acrobat and fix the problem please, Adobe !

• App store blank after restarting Mac during 'Critical Security Update' for 10.9.2

  Hi - this is definitely a self inflicted problem however it took me by suprise, and I wasn't sure if it was an official Apple update or some kind of new virus... I was browsing Safari when the notification came up 'Critical security update' which was weird to me as it didn't look like a standard notification, so I clicked 'later' (or equivalent) but my entire screen faded out to grey and it started updating anyway. So naturally I panicked and force shut down my computer, mainly because it was unlike any update I had encountered. After scouting around online I decided to turn it on again, and everything seems to be working, however my app store is totally blank apart from the main icons (featured, purchases, icons, etc). I now can't update it at all let alone download any new apps. I'd really appreciate any help!

  Hi anto321,
  Thanks for visiting Apple Support Communities.
  If your computer was shut down during an update, I recommend first starting up into Safe Mode:
  Mac OS X: What is Safe Boot, Safe Mode?
  http://support.apple.com/kb/ht1564
  Safe Mode is a way to start up your Mac that performs certain checks and prevents certain software from automatically loading or opening.
  To start up into Safe Mode (to Safe Boot), follow these steps.
  Be sure your Mac is shut down.
  Press the power button.
  Immediately after you hear the startup tone, hold the Shift key.
  The Shift key should be held as soon as possible after the startup tone, but not before the tone.
  Release the Shift key when you see the gray Apple logo and the progress indicator (looks like a spinning gear).
  After the logo appears, you should see a progress bar during startup. This indicates that your computer is performing a directory check as part of Safe Mode.
  To leave Safe Mode, restart your computer without holding any keys during startup.
  Best,
  Jeremy

• Adobe Acrobat 7 Security Bulletin

  http://www.adobe.com/support/security/bulletins/apsb06-20.html
  Critical vulnerabilities have been identified in Adobe Reader and Acrobat 7.0 through 7.0.8 that could although Adobe is not aware of any specific code exploits at this time allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.
  Adobe Reader 7.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0 through 7.0.8 on the Windows platform when using Internet Explorer. Users of other browsers are not affected.
  More information available at the above link.

  If there are form fields, then whoever added them probably used the forms menu, not the Acrobat form fields. Thus the PDF was converted to Designer and you are out of luck. The FORMS button found in various places in Acrobat 7 and latter takes you to Designer, not the Acrobat form tools. The latter are located in the tools menu.

• FLASH SECURITY FLAW / FLASH 10.1 BETA

  Re: Regarding the Flash security flaw, on the advice of an expert I installed ver 10.1 beta but now I can't stream audio. The players all say i need flash to play. But since I installed 10.1, don't I already HAVE Flash?

  Hi, Yes you do have the Flash Player, however the 10.1 is a prerelease and is still a "work in progress" This will be the next version of Flash Player when the final release comes out which I don't know yet when that will be.
  You can read about it here and if you want to Uninstall 10.1 and Install the shipped version, which is 10.0.45.2, page down until you see Uninstallers.
  http://labs.adobe.com/downloads/flashplayer10.html
  This is a thread that gives a little more info:
  http://forums.adobe.com/thread/653155?tstart=0
  Thanks,
  eidnolb

• Security Flaw: Screen Saver Authentication

  Hi,
  I have found a security flaw, it exists in both Panther and Tiger. If a system has 2 accounts, the first account being active and locked through a screen saver. The second account (if administrator) can type their username/password in the authentication screen, and it will unlock the first account. This works if the first account is an administrator or not. Any administrator username/password will authenticate any other account from the screen saver authentication box. I have proven this on 2 machines, a D2.5 G5, and a 1.6 iMac G5.
  Please contact me for further testing.

  it's not a TECHNICAL flaw, it is however a logical flaw, yes.
  Because admins are part of the sudoers files, one admin does have the permission to unlock another admin like that, the same as how when logged in with one account you can use another admin account to authorize the installation of software (why it's not necessary to be logged in with your admin account)
  The behavior I suspect you desire is the behavior Windows uses, where when you use an admin account to unlock a computer, it logs out the user who locked it (assuming the admin isn't the one logged in).
  I suggest you submit a feature request to Apple.

• Adobe Reader 9 security issues

  Maybe this is old news-first announced 2/24- but just came across it. Described there as "critical." Reduce vulnerability by disabling javascript in Reader preferences. Patch expected 3/11.
  http://www.adobe.com/support/security/advisories/apsa09-01.html
  Message was edited by: WZZZ

  Thanks for the tip, wasn't aware of it myself....
  I found it completely by chance. Adobe certainly doesn't exactly go out of their way to publicize these things. They just did an important security update to Flash 10-found also by chance- and there isn't even an updater in Flash 10.
  I know you don't use it anyway, but for anyone needing PDF, could always fall back on Preview, I guess, until this thing gets fixed.

• The Moon Worm - Infects Home Routers - Shows Fake "Adobe Flash Critical Update Required" Message

  Greetings,
  This morning we had numerous workstations pop up with an Adobe Flash error.  The browser will be taken over by an Adobe Flash Critical Update Required page and won't let the browser go to any other internet site.  Within the page, a box will pop up that says:  "Attention!  your current version of Adobe Flash Player is outdated!  Your computer is vulnerable to malware now.  Update your Adobe Flash player now."
  This message pops up on IE Explorer version 9-11, Google Chrome and Firefox and the operating systems are Windows XP Pro and Windows 7 pro.  It has all the behavior of a virus or malware so I don't want to run it's download file which is named install_flashplayer_12_x32_64_msaa_aax_latest.exe.
  I've been able to download both flash player installs from the Adobe.com site for both IE and Other Browsers.  Sometimes I've been able to run the installs and it shows that the download and install ran okay with Adobe Flash Player 12 ActiveX showing up in the installed programs list.  Other times, the install won't run and the install file mysteriously gets deleted.  Even after the successful download and install, the browser works briefly okay and then gets seized by the "Critical Update Required" page again.
  We're running AVG Anti-Virus Business Edition which is kept updated.  A scan with this program and an updated version of Malwarebytes isn't showing any viruses or malware that could cause this problem.
  What can I do to get rid of this "Critical Update Required" problem and get our browsers working again?
  Thanks.
  Bill J., Lexington, KY

  I have a Cisco E3000 Wireless N Router. I was having the issue accross OSX and Windows. This thread was a big help, but when I tried to get the latest firmware from Cisco I found the download link was no lnger present. I chatted with their support and obtained the following info if it helps anyone:
  "Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default."
  " If you have not enabled the Remote Management Access feature of the router, you are not susceptible to this specific malware. If you have enabled the Remote Management Access feature, we can prevent further vulnerability to your network by disabling the Remote Management Access feature and rebooting your router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."
  "What we can do to fix this issue is to make sure that the router's security settings is enabled and the remote management is disabled."
  "Ensure that the Filter Anonymous Internet Requests on the Security Page is enabled."
  "The next step would disconnect us from the session. We need to reboot the router to clear the cache."
  "According to the system, your product is already outside the complimentary assisted support period. I’d just like to inform you that we normally charge a fee for supporting this type of issue,
  but since we’re seeing a potential hardware problem with the product, we’ll be extending complimentary support just this one time."
  "We also need to upgrade the Firmware. However, the Firmware for this router is no longer available for download. Disabling the remote management on your router and securing it would help fix the issue."
  I did find the latest firmware for the E3000 here: http://www.userdrivers.com/LAN-Network-Adapter/Linksys-E3000-Wireless-N-Router-Firmware-Up date-1-0-04-build-6/download/

• IPhone location tracker - still a security flaw?

  I hear a lot about a security flaw in the iPhone OS, allowing others to track the location of my phone without my consent and with no straightforward way to protect myself.  On the internet, I see semi-legal app's offered, said to track any iPhone, "just enter the phone number".
  First - is this still true?  I have updated to the latest iOS5.
  If not, what are the settings I need to be aware of?
  If yes, has Apple announced a plan to plug that security flaw?
  Short of jailbraking my phone and installing unauthorized software - what can I do about it?
  /Lars

  There is not, and never was, a security flaw in iOS that allows or allowed others tot track the location of the phone.
  The "apps" you see are generally bogus. They are "joke" apps. They can NOT do what they appear to do. It's simply not possible.
  ... unless ...
  If the phone is jailbroken, tracking apps can be installed. If your phone is not jailbroken, you have nothing to worry about. The only way anyone could track the location of your phone would by by accessing your iCloud account and using Find my iPhone. So long as you keep your password secure, this isn't an issue.  Oh... and Find my Friends if you've agreed to share your location with someone.

• Screen Saver Password Protection - Security Flaw

  Although I have always felt OS X has been a solid and secure operating system, there continues to remain one painful, and blatant security flaw. I keep thinking that Apple will address the issue, but they certainly haven't done so thus far.
  Explanation:
  With any good security policy, and in any secure environment, there will always be a need to "lock" (password protect) a system when not in use. That is, after 'X' period of time, the user interface is password protected so as not to allow access to the system while not in use. This is probably the most common and fundamental security measure in any environment. However, Apple's (GUI) password protection falls short in a number of ways. The only current method of password protecting the user interface is through the Screen Saver. Although at a glance it appears functional, it is a poor design and is easy to disable.
  The screen saver configuration lies within two files; the ~/Library/Preferences/com.apple.dock.plist and ~/Library/Preferences/ByHost/com.apple.screensaver.<variable>.plist. It is especially important to note that both of these files are located in the users home folder, which gives them full access to the configuration files. There is absolutely nothing preventing a user from deleting these files, and thus, disabling the only mechanism to password protect the user interface. Giving the user the ability to disable or remove ANY security related configuration is a poor design.
  Now initially we thought we had a solution by setting the user immutable flag on the ByHost screen saver plist using chflags. This would still allow user access, but would prohibit them from deleting the ByHost plist. Well, it sounded good in theory. However, if ~/Library/Preferences/com.apple.dock.plist is deleted, you can say goodbye to your password protected screen saver, despite locking the screen saver plist. So naturally the idea occurred to me to set the user immutable flag on ~/Library/Preferences/com.apple.dock.plist. This works, but makes it impossible to modify the Dock. Needless to say, if the Dock can't be modified, there's no point in even having it.
  Now that isn't the only thing wrong with the screen saver password protection. You would expect that an administrator could unlock a users (password protected) screen saver, but you would also assume that the user was logged off as a result. Not in this case... If an admin unlocks a password protected screen saver for a user, they are now logged in as that user and have access to everything the user was doing when it was locked (email, spreadsheets, confidential information... anything). This is not the preferred method. If for some reason an admin needs to unlock a password protected screen saver, it should log off that user, not allow access to the user's session.
  Finally, the biggest flaw yet. With a recent update, the password protection doesn't even work, as indicated by several people in the following threads.
  http://discussions.apple.com/thread.jspa?messageID=2706417&#2706417
  http://discussions.apple.com/thread.jspa?messageID=1950444&#1950444
  http://discussions.apple.com/thread.jspa?messageID=2648700&#2648700
  I have personally seen this issue while developing our corporate OS X image. Despite any fix or workaround, the simple fact that this has occurred is disturbing. ...As if the design wasn't bad enough, it now has the potential to stop working entirely.
  Now don't get me wrong, I love OS X and prefer to work on it over any other operating system. Nonetheless, the current design for the "screen lock" is inadequate at best. For a large enterprise environment with stringent security requirements, it's far from sufficient. My hope in posting this is that someone from Apple acknowledges the design flaw and incorporates a more effective solution into the next OS.
  MacBook   Mac OS X (10.4.6)  

  One thing I forgot to mention is that "Workgroup Manager.app" is a part of the "Server Admin Tools" which can be downloaded free from Apple. Although it seems to be primarily intended to be used to configure OS X Server from an OS X Client machine, many of its functions can be used to configure the OS X Client machine itself, in the complete absence of OS X Server. Unfortunately, the 'mcx_settings' aren't really "image friendly" - as far as using them on OS X client is concerned, they are something that seem to need to be applied to user accounts individually (although it is possible to copy all of the settings at once so it isn't necessary to go through the whole configuration process for each setting for each user). I have tried tinkering and applying them to groups, but group members don't seem to automatically be restricted (I may be missing something). The "tools" are available here:
  http://www.apple.com/support/downloads/serveradmintools104.html
  I don't know if it would be any better than the screen saver "hot corner", but there is an option to lock the screen from the "Keychain Access" menu extra, which can normally be enabled through "/Applications" > "Utilities" > "Keychain Access.app", from its "Preferences". This setting is then stored in the "com.apple.systemuiserver.plist" file (ie independent of the "Dock"), but could in principle be controlled from 'mcx_settings' as well. The level of control seems to be incomplete - the user can still drag the item off of the menu bar, but it returns during the next login. However, it does provide convenient access to a method to lock the screen and keychains, and has a nice "padlock" icon so that its function is obvious. It is also potentially possible to assign a two-step keyboard shortcut to the "Lock Screen" item, but it would be somewhat less convenient than a direct key combo...
  One other note regarding the "admin" user's ability to unlock the screensaver. The configuration file allowing the "admin" user to do this is "/etc/authorization", under 'system.login.screensaver'. Currently, the "rule" is set to 'authenticate-session-owner-or-admin'. Changing it to 'authenticate-session-owner' would be expected to remove the "admin" user's ability to unlock the screensaver, and if "Fast user switching" is available, the "admin", being unable to authenticate, should be able to switch to the "login window" from the authentication dialogue. I haven't tested this at all in "Tiger", but in "Panther", there was apparently a problem with it (which is why it had slipped my mind since at the time it was rejected as a viable option) - the person who posts here as "LittleSaint" had mentioned some problem with user logins when set up that way but I don't remember what it was, and so can't test if it has been fixed in "Tiger" (not very reassuring, and I apologize). And again, this is a setting that an "admin" would be able to reverse for themselves. Also, should "Fast user switching" become disabled for some reason, and the screen saver kicks in and the user isn't available, it might be a hassle to get back into the machine (it might be possible to do something over ssh). Nevertheless, it might be something to look in to.

• Critical security patches on Solaris 9

  Hi.
  My director asked me to install critical security patches on our solaris 9 servers. Previously I downloaded that 9_recommended patch from sunsolve.com and install the whole patch clusters. My question is how can I ONLY get all those patches which are critical to the security issue? The recommended patch cluster includes a lot patches which are not relevant to security.
  BTW, does anybody know some autopatching tools?
  Thank you very much!

  PatchPro is probably what you want. It should be available at
  http://sunsolve.sun.com
  -- richard