Adobe Flex Cross-Scripting Vulnerability

There is a bug in the Adobe Flex 3.3 SDK (Software Development Kit) that may make websites using code developed by the kit vulnerable to cross-site scripting attacks. It has been fixed in the Adobe Flex 3.4 SDK, which you can download here. Adobe credits Adam Bixby of Gotham Digital Science for finding the bug.

Patches for Adobe ColdFusion

There are some bugs reported in Adobe ColdFusion and JRun, which may allow remote attackers to run cross-site scripting attacks, or to steal information. Secunia has more information, as well as links to patches. If you are a website admin running ColdFusion, you better check it out.

Adobe Becomes More of a Target

ZD Net points out that security weaknesses in Adobe products are becoming an increasing target of cyber-attackers. What is significant about that is that most computer users have either Adobe Reader or Adobe Flash Player, or both, on their systems. That makes security holes in those programs a fat, juicy target.

Adobe Patches Flash Player

Adobe has an update available for the Adobe Flash Player v9.0.159.0 and v10.0.22.87 for Windows, Macintosh, Linux and Solaris, Adobe AIR, as well as in components of the Adobe Reader and Adobe Acrobat 9. There is a bug in the way the Flash player parses URLs that could allow an attacker to run hostile code via a carefully poisoned URL.  You can get updates at the Flash Download Center, the Air Download Center, and via the Acrobat Update.

Adobe Finds Critical Flash Bugs

Adobe says their Flash 9 and 10 (v9.0.159.0 and v10.0.22.87) Players for Windows, Mac OS X, and Linux have a critical vulnerability that may allow an attacker to completely take over your computer. Patches should be coming along any day now. Keep an eye on this page for updates.

Acrobat 9 Critical Update

Adobe has a critical update for Acrobat 9 Standard and Pro here.It fixes a critical security vulnerability that Adobe discusses in this bulletin, and that the BugBlog covered on July 21.

Serious Adobe Flash Attack

According to ZD Net, a new bug has been discovered in Adobe Flash and attackers are already exploiting it via poisoned PDF files.  Adobe is working on a fix, although they have workaround information here. You can find out more from Symantec

Adobe Reader Security Bugs

Security researchers at Secunia issued a report on July 20 saying that the Adobe Reader update process will leave users with a vulnerable version of the software. On July 21, Adobe admitted that Secunia was right. As a spokesperson said ""The intended behavior of the updater is that when you launch Reader for the first time, it will check if there are any updates available. That's its intended behavior, but there are a lot of [PC] configuration factors that might lead to different behavior." It appears that Adobe will be playing catch-up in getting fully patched versions of Reader out through the update process

PDF and JavaScript Behaving Badly

U.S. CERT has a security bulletin pointing out a way that JavaScript can be exploited in an Adobe Acrobat PDF document to run hostile code. According to the Feds, there is no "practical solution" to the problem yet. One thing you can do is turn off JavaScript support in Adobe Acrobat or Reader. See how to do this, and other prevention tips, here.

Damaged Help in Adobe CS4

Try to open help in Adobe Photoshop CS4, and you may get this error message: "There was an error launching the Adobe Help application. You may need to re-install the application and the Help component."According to Adobe, the problem is in the Windows Registry entries that have the settings for HTTP. You may be able to fix this by re-setting your default browser. Otherwise, you may have do to some Registry fixing. See http://kb2.adobe.com/cps/409/kb409022.html for the gory details - and be careful when editing the Registry.