Saturday, December 12, 2009

Brief Adobe Update News

Clean Briefs

In case you missed it (or your commonly installed Windows Adobe products did at least), this past week or so a few security issues got patched in updates to Adobe’s Flash and Air products.

Read more about it in the apsb09-19 bulletin from adobe.

The reason behind it are 7 vulnerabilities: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800 and, CVE-2009-3951 of which 6 lead to arbitrary code execution and the last one is a windows-only issue leading to unauthorized information disclosure, related to CVE-2008-4820.

Additional information in post updates suggests that Adobe will be abandoning Adobe Flash 9 pretty much as it marches forward with version 10.

While Adobe Reader will (depending on configuration) offer a reminder you have an update to apply, Flash and Air do no such thing in my Windows sysadmin experiences.  You just have to pay attention and know to update.

For those wishing linkage for some strange reason, find the latest version direct from Adobe here:

For an alternative (and trusted alternative) I prefer to get my off-line update packages for Adobe from FileHippo.com.

Next-Gen Adobe Flash/Air Beta’s out

You may or may not also be aware of the fact that Adobe has publically available “Beta” versions of Air and Flash out.  I’ve been using these on all my systems with no ill effects.  Performance seems just fine, if not a bit better than the stable “current” release levels of the products.

For the curious you can get them directly from the Adobe Labs Homepage

Or from FileHippo.com as well.

Redaction Fail

Did I do that?

Yes, you did.

In unrelated, related news to Adobe appears someone(s) from deep within the bowels of the TSA is(are) now emptying their bowels due to an unfortunate Adobe Acrobat document redaction FAIL.

Which apparently all could possibly have been avoided had the l33t TSA cyberteam used an updated version of Adobe Acrobat Professional…

…or maybe just bothered to read one of the following other sister-agencies “redaction for dummies” guides…

More Redaction Resources and How-To’s 

  • Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF (PDF) - National Security Agency
  • Redaction of Information – USCourts.gov
  • Redaction of Confidential Information in a Document (PDF) – NASA.gov
  •  Without a trace -- Government Computer News

    Speaking of hiding/finding Data in PDFs…

    I wonder what our resident forensics expert on Adobe PDF documents makes of the situation…

    Goodness knows he’s the expert in all things hidden and exposed in PDF files!

    This wonderful cruise-ship jaunt by the TSA might be causing a new wave of web-accessible PDF searches and examinations of redacted PDF documents for fun and entertainment.

    And yet, I wonder if we aren’t all coming out wiser citizens in some way…

    So with that in mind I say, “Thanks, TSA.”  I really do believe you’ve taught us some valuable security lessons in the name of public policy and operational transparency redaction methodology.

    --Claus V.

    No comments: