From today's DHS report, two stories:

Adobe Systems Inc. on July 23 admitted its Flash and Reader software have a
critical vulnerability and promised it would patch both next week. One security
researcher, however, said Adobe’s own bug-tracking database shows that the
company has known of the vulnerability for nearly seven months. The
“authplay.dll” mentioned in the advisory is the interpreter that handles Flash
content embedded within PDF files, and is present on any machine equipped with
Reader and Acrobat. Adobe said it would patch all versions of Flash by July 30,
and Reader and Acrobat for Windows and Mac no later than July 31. Until a patch
is available, Adobe said users could delete or rename authplay.dll, or disable
Flash rendering to stymie attacks within malformed PDF files. Adobe did not
offer any similar workaround for Flash and could only recommend that “users
should exercise caution in browsing untrusted websites.”

http://www.computerworld.com/s/article/9135826/Adobe_promises_patch_for_seven_month_old_Flash_flaw

Researchers on July 22 said they have uncovered attacks in the wild in which
malicious Acrobat PDF files are exploiting a vulnerability in Flash and
dropping a Trojan onto computers. Any software that uses Flash could be
vulnerable to the attack, according to Symantec. Adobe Reader is vulnerable
because its Flash interpreter is vulnerable, said the principal researcher at
Purewire, a Web security services provider. In a post on its Web site, Adobe
said it “is aware of reports of a potential vulnerability in Adobe Reader and
Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating
this potential issue and will have an update once we get more information.”

http://news.cnet.com/8301-27080_3-10293389-245.html?part=rss&tag=feed&subj=News-Security

(Just in case anyone's interested: http://www.foxitsoftware.com/pdf/reader/ )

======================  (quote inserted randomly by Pegasus Mailer)
A lack of planning on your part does not necessarily constitute
              an emergency on my part.
http://victoria.tc.ca/techrev/rms.htm 
http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.