Clean Briefs
In case you missed it (or your commonly installed Windows Adobe products did at least), this past week or so a few security issues got patched in updates to Adobe’s Flash and Air products.
- Several holes closed in Adobe Flash Player - The H Security: News and Features
- Adobe flash player and air patched – ISC SANS Handler’s Diary post. From that post by Swa Frantzen:
Read more about it in the APSB09-19 bulletin from Adobe.
The reason behind it are 7 vulnerabilities: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800 and CVE-2009-3951, of which 6 lead to arbitrary code execution and the last one is a Windows-only issue leading to unauthorized information disclosure, related to CVE-2008-4820.
Additional information in post updates suggests that Adobe will be abandoning Adobe Flash 9 pretty much as it marches forward with version 10.
While Adobe Reader will (depending on configuration) offer a reminder that you have an update to apply, Flash and Air do no such thing in my Windows sysadmin experience. You just have to pay attention and know to update.
For those wishing linkage for some strange reason, find the latest version direct from Adobe here:
- Get Adobe Flash Player at Adobe.com
- Get Adobe Air at Adobe.com
- Get Adobe Shockwave Player at Adobe.com
- Get Adobe Reader at Adobe.com
For an alternative (and trusted alternative) I prefer to get my off-line update packages for Adobe from FileHippo.com.
- Download Flash Player 10.0.42.34 (Non-IE) - FileHippo.com.
- Download Flash Player 10.0.42.34 (IE) - FileHippo.com.
- Download Adobe Air 1.5.3.9120 - FileHippo.com.
- Download Shockwave Player 11.5.2.602 - FileHippo.com.
- Download Adobe Reader 9.2 - FileHippo.com.
- FileHippo's Adobe catalog of downloads – One-stop shopping
Next-Gen Adobe Flash/Air Betas out
You may or may not also be aware of the fact that Adobe has publicly available “Beta” versions of Air and Flash out. I’ve been using these on all my systems with no ill effects. Performance seems just fine, if not a bit better than the stable “current” release levels of the products.
- Adobe Flash 10.1 and AIR 2.0 Betas Released: Life Is Better Now - Gizmodo.
- Adobe Air 2 goes beta, adds tons of new features, sucks a whole lot less - DownloadSquad
For the curious, you can get them directly from the Adobe Labs Homepage, or from FileHippo.com as well:
- Download Flash Player 10.1.51.45 Beta (IE) - FileHippo.com.
- Download Flash Player 10.1.51.45 Beta (Non-IE) - FileHippo.com.
- Download Adobe Air 2.0.0.10760 Beta - FileHippo.com.
Redaction Fail
In unrelated, related news to Adobe, it appears someone(s) from deep within the bowels of the TSA is(are) now emptying their bowels due to an unfortunate Adobe Acrobat document redaction FAIL.
- TSA can’t redact documents properly, releases s00per s33kr1t operations manual - Boing Boing
- Screening Management SOP – The Wandering Aramean blog.
- TSA Publishes Standard Operating Procedures – Schneier on Security. Contains notice and links to two event updates: TSA puts 5 on leave after security manual hits Internet - CNN.com and Did The TSA Compromise An Intelligence Program? - The Atlantic Politics Channel
Which apparently all could possibly have been avoided had the l33t TSA cyberteam used an updated version of Adobe Acrobat Professional…
…or maybe just bothered to read one of the following other sister agencies’ “redaction for dummies” guides…
More Redaction Resources and How-Tos
- Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF (PDF) - National Security Agency
- Redaction of Information – USCourts.gov
- Redaction of Confidential Information in a Document (PDF) – NASA.gov
- Without a trace - Government Computer News
Speaking of hiding/finding Data in PDFs…
I wonder what our resident forensics expert on Adobe PDF documents makes of the situation…
Goodness knows he’s the expert in all things hidden and exposed in PDF files!
This wonderful cruise-ship jaunt by the TSA might be causing a new wave of web-accessible PDF searches and examinations of redacted PDF documents for fun and entertainment.
And yet, I wonder if we aren’t all coming out wiser citizens in some way…
So with that in mind I say, “Thanks, TSA.” I really do believe you’ve taught us some valuable security lessons in the name of public policy and operational transparency redaction methodology.
--Claus V.