Today's Adobe Patches and Vulnerablities
It is not easy to keep up with Adobe these days. Patches and new exploits are almost released on a daily schedule. So here is the current "State of Adobe" the way I see it:
| Product | Latest Version | Latest Vulnerabilities |
|---|---|---|
| PDF Reader | 9.4.0 |
version 9.4.0 (latest version) is vulnerable |
| Flash Player | 10.1.102.64 | version 10.1.85.3 is vulnerable. Patch released today (Nov. 4th) "Authplay Vulnerability" CVE-2010-3654 |
| Shockwave Player | 11.5.9.615 | 11.5.9.615 (latest version) is vulnerable Shockwave Settings" Use-After-Free Vulnerability) Secunia# SA42112, no CVE Number assigned yet |
| Acrobat | 9.4.0 | version 9.4.0 (latest version) is vulnerable "Authplay Vulnerability" CVE-2010-3654
|
| Air | 2.5 | version 2.0.3 is vulnerable (old version) |
Please let me know if you have corrections, or better if you find a simple overview about "the state of Adobe bugs" on Adobe's own site. Any Adobe people out there: Feel free to copy the concept :). This table will be "frozen" to today's state and we may update similar, updated tables in the future as a new article.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Microsoft Smart Screen False Positivies
We received a couple of reports about Microsoft's "Smart Screen" flagging harmless sites as malicious. Initially, we considered the possibility of an infected ad service. But it may be a bug in Smartfilter as well. Some reports on twitter [1] show that the problem has been resolved.
Please let us know if you have sample URLs that are still affected.
To disable smart screen: Select "Internet Options" from the "Tools" menu. Select the "Advanced" tab and find the "Enable SmartScreen Filter" setting (about the 10th item from the bottom. Scroll all the way down). Needless to say: This will also remove the smart screen protection from real-evil sites, not just from appear-to-be-evil-to-smartscreen-today sites. The setting should only be changed if you can't wait for the problem to be fixed.
[1] http://twitter.com/#!/search/%23smartscreen
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Microsoft Patches Pre-Announcement
Microsoft published its pre-announcement for next Tuesday's patch release [1]. Looks light and easy this time. A total of 3 patches. One for Office, one for Powerpoint and one for the Forefront Unified Access Gateway.
Note that the Office patch will apply to the just released Office for Mac 2011.
[1] http://www.microsoft.com/technet/security/bulletin/ms10-nov.mspx
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
DNSSEC Progress for .com and .net
VeriSign announced that starting December 9th, .net and .com domains will be authenticated using DNSSEC. Right now, signatures are available for .net and .com, but they are not yet valid. The roll out will happen in stages, similar to the roll out for the root zone.
Verisign also offers a nice DNSSEC debugger [2]. In case you implement DNSSEC, use it to test your zone, as well as a DNSSEC Test site [3] to check if your resolver uses DNSSEC.
[1] http://www.verisign.com/domain-name-services/domain-information-center/dnssec-resource-center/index.html
[2] http://dnssec-debugger.verisignlabs.com/
[3] http://test.dnssec-or-not.org/
[4] http://www.h-online.com/security/news/item/Fast-start-of-DNSSEC-with-net-and-com-1128982.html
and if you missed it... the solution is out for our DNSSEC related packet challenge: http://johannes.homepc.org/packet.txt
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Comments