
Today's Adobe Patches and Vulnerabilities

Published: 2010-11-04. Last Updated: 2010-11-04 22:27:50 UTC
by Johannes Ullrich (Version: 1)
19 comment(s)

It is not easy to keep up with Adobe these days. Patches and new exploits are released on an almost daily schedule. So here is the current "State of Adobe" the way I see it:

| Product | Latest Version | Latest Vulnerabilities |
|---|---|---|
| PDF Reader | 9.4.0 | version 9.4.0 (latest version) is vulnerable; Adobe Reader Unspecified Memory Corruption Vulnerability; Secunia #SA42095, no CVE Number assigned yet |
| Flash Player | 10.1.102.64 | version 10.1.85.3 is vulnerable. Patch released today (Nov. 4th); "Authplay Vulnerability"; CVE-2010-3654 |
| Shockwave Player | 11.5.9.615 | 11.5.9.615 (latest version) is vulnerable; "Shockwave Settings" Use-After-Free Vulnerability; Secunia #SA42112, no CVE Number assigned yet |
| Acrobat | 9.4.0 | version 9.4.0 (latest version) is vulnerable; "Authplay Vulnerability"; CVE-2010-3654 |
| Air | 2.5 | version 2.0.3 is vulnerable (old version) |

Please let me know if you have corrections, or better, if you find a simple overview of "the state of Adobe bugs" on Adobe's own site. Any Adobe people out there: feel free to copy the concept :). This table will be "frozen" to today's state, and we may publish similar, updated tables in the future as new articles.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: adobe

Comments

Holy moley, this will be helpful! Thanks! :)

I'd encourage Adobe to focus less on pushing partnered content (web browser toolbars or a/v products) with the Adobe product downloads, and instead create a support page that serves the exact purpose as what Johannes has created here.

Also, links to such things as the tests to confirm installation of Flash/Shockwave/Air could be included there, too. Extra points would be awarded if the tests would accurately identify installed version numbers.

In the meantime, thanks again!
The FlashPlayer page http://www.adobe.com/software/flash/about/ will show you your installed version and the current versions. The Shockwave player page http://www.adobe.com/shockwave/welcome/ shows your installed version if you hover over the sample, but does not show current versions.
I can't imagine why Adobe hasn't made these pages consistently useful...
In the newest issue (table's first issue) Adobe provides a workaround for Adobe Reader versions 9.2 and 8.1.7 or later:
http://blogs.adobe.com/psirt/2010/11/potential-issue-in-adobe-reader.html
Additionally, it states that Adobe Acrobat is not affected.
We still have https://www.mozilla.com/en-US/plugincheck/ to go to for pluginchecks, for most browsers (IE and Opera tested today).

At the present it still says Flash Player 10.1.85.3 is CURRENT but I hope this is updated shortly.

It finds the "Microsoft Office 2010" plugin, but does not know what it is.
Very useful table.

Maybe another column titled "Update Available" stating "Yes", "ETA dd.Mmm.yy" or "No" would make the table easier to read / script.. :)

I wish we could all agree on one location and format for this table, for all operating systems and applications. That way software authors and users would only need to update / check once.. Utopia!
Latest Flash Player version is 10.1.103.19
@Juanma
Flash Player version 10.1.102.64 reads as version 10.1 (r102) - at least for the Windows version of Flash Player.
For those scripting these things there is an updated Flash Uninstaller;
uninstall_flash_player.exe (228 KB) (updated 04.Nov.2010).
http://kb2.adobe.com/cps/141/tn_14157.html?promoid=DTEGO
@Juanma - I am a bit worried that you are referring to a version I can't see on Adobe's pages. No offense, but I'm afraid I have to give advice to ISC readers that you should NOT run to Google to search for the 10.1.103.19 version.. ;-)

I'd trust http://www.adobe.com/software/flash/about/
Why does Adobe make it next to impossible to simply download the updated version without installing?
