The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Adobe

Adobe Releases Security Patch Updates For 112 Vulnerabilities

Adobe Releases Security Patch Updates For 112 Vulnerabilities

July 10, 2018Swati Khandelwal
Adobe has released security patches for a total 112 vulnerabilities in its products, most of which have a higher risk of being exploited. The vulnerabilities addressed in this month's patch Tuesday affect Adobe Flash Player, Adobe Experience Manager, Adobe Connect, Adobe Acrobat, and Reader. None of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild. Adobe Flash Player (For Desktops and Browsers) Security updates include patches for two vulnerabilities in Adobe Flash Player for various platforms and application, as listed below. One of which has been rated critical (CVE-2018-5007), and successful exploitation of this "type confusion" flaw could allow an attacker to execute arbitrary code on the targeted system in the context of the current user. This flaw was discovered and reported to Adobe by willJ of Tencent PC Manager working with Trend Micro's Zero Day Initiative. Withou
Adobe is Finally Killing FLASH — At the End of 2020!

Adobe is Finally Killing FLASH — At the End of 2020!

July 26, 2017Swati Khandelwal
Finally, Adobe is Killing FLASH — the software that helped make the Internet a better place with slick graphics, animation, games and applications and bring online video to the masses, but it has been hated for years by people and developers over its buggy nature . But the end of an era for Adobe Flash is near. Adobe announced Tuesday that the company would stop providing updates and stop distributing Flash Player at the end of 2020. The move has been applauded by many, as Adobe Flash has been infamous for frequent zero-day attacks , which is why it has long been one of the favourite tools for hackers and cyber criminals. It's been two decades since Adobe Flash has ruled the Web Space Animation Arena, which was the de facto standard for playing the online videos, but hackers increasingly found ways to exploit security holes in the technology and hack into user's computers. "We will stop updating and distributing the Flash Player at the end of 2020 and encoura
Microsoft Releases 4 Security Updates — Smallest Patch Tuesday Ever!

Microsoft Releases 4 Security Updates — Smallest Patch Tuesday Ever!

January 11, 2017Swati Khandelwal
In Brief Microsoft has issued its first Patch Tuesday for 2017 , and it's one of the smallest ever monthly patch releases for the company, with only four security updates to address vulnerabilities in its Windows operating system as well as Adobe Flash Player. Meanwhile, Adobe has also released patches for more than three dozen security vulnerabilities in its Flash Player and Acrobat/Reader for Windows, MacOS, and Linux desktops. According to the Microsoft Advisory, only one security bulletin is rated critical, while other three are important. The bulletins address security vulnerabilities in Microsoft's Windows, Windows Server, Office, Edge and Flash Player. The only security bulletin rated as critical is the one dedicated to Adobe Flash Player, for which Microsoft distributed security patches through Windows Update. Other security bulletins that addresses flaws in Microsoft products are as follows: Bulletin 1 — MS17-001 This security update resolves just one v
Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild

Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild

October 12, 2016Swati Khandelwal
Microsoft has released its monthly Patch Tuesday update including a total of 10 security bulletin, and you are required to apply the whole package of patches altogether, whether you like it or not. That's because the company is kicking off a controversial new all-or-nothing patch model this month by packaging all security updates into a single payload, removing your ability to pick and choose which individual patches to install. October's patch bundle includes fixes for at least 5 separate dangerous zero-day vulnerabilities in Internet Explorer, Edge, Windows and Office products that attackers were already exploiting in the wild before the patch release. The patches for these zero-day flaws are included in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126. All the zero-days are being exploited in the wild, allowing attackers to execute a remote command on victim's system. Although none of the zero-day flaws were publicly disclosed prior to Tuesday, the company wa
Adobe Releases Emergency Patch for Flash Zero-Day Vulnerability

Adobe Releases Emergency Patch for Flash Zero-Day Vulnerability

June 25, 2015Swati Khandelwal
Adobe has rolled out an emergency software patch for its Flash Player to patch a critical zero-day vulnerability that is already exploited by the hackers in the wild. The company said the flaw could potentially allow hackers to take control of the affected system and that it had evidence of " limited, targeted attacks " exploiting the flaw. Therefore, Adobe is urging users and administrators to update their software immediately. About the Zero-day Flaw: The vulnerability, assigned CVE-2015-3113 , is a remote code execution bug that enables hackers to take control of an affected computer system. Cyber crooks are already exploiting this zero-day vulnerability in the wild in an effort to hijack computers, targeting systems running Internet Explorer on Windows 7 and Firefox on Windows XP . The vulnerability was discovered and reported by FireEye researchers, who first noticed the flaw actively exploiting in a phishing campaign to target companies
Firefox Browser to Enable Controversial HTML5 DRM to Stop Piracy

Firefox Browser to Enable Controversial HTML5 DRM to Stop Piracy

May 16, 2014Mohit Kumar
The Music Industry, Movie Studios and other companies who create media contents are always concerned with people getting access to their content without paying for it. Last year, On Request of Big Tech companies such as Microsoft, Google and Netflix, The World Wide Web Consortium (W3C) defined a new API (Application Programming Interface) called ' Encrypted Media Extensions (EME) ' in HTML5 to aid web-based video services in restricting the rights of users who utilize their services. Now the companies won't need to rely on third-party plugins like Flash and Silverlight to deliver copy-protected movies and TV shows to your browser. Instead, now they have same capabilities of Digital rights management (DRM)  right into the fabrics of the web. All other major modern web browsers, including Internet Explorer, Chrome, and Safari are supporting  Encrypted Media Extensions (EME)  within the web browser since last year, except Mozilla Firefox . Even after criticizing the use o
Microsoft and Adobe to Release Important Security Patches Next Week

Microsoft and Adobe to Release Important Security Patches Next Week

May 09, 2014Swati Khandelwal
Microsoft has released its advance notification for the month of May 2014 patch Tuesday security updates, that will patch a total of eight flaws issued next Tuesday , May 13. Among the eight vulnerabilities two of them are rated critical, rest all are rated important in severity. Just a week before, Microsoft provided an 'out-of-band security update' for all versions of Internet Explorer (IE) that were affected by the zero-day vulnerability , and since IE6 for Windows XP retired last month, even though it received patches for IE6 zero-day flaw. But, Microsoft has no plan to make any such accommodations this time. 13th MAY 2014 - MICROSOFT PATCH TUESDAY  Next week the security updates will include fixes for vulnerabilities including the critical one in Internet Explorer (IE), along with .NET Framework, Windows, Office and SharePoint for all versions of Windows except Windows XP.  " Our existing policy remains in place, and as such, Microsoft no longer supports
Adobe releases important Security Updates for Flash Player

Adobe releases important Security Updates for Flash Player

March 11, 2014Wang Wei
Adobe has released security updates to address important vulnerabilities in Adobe Flash Player 12.0.0.70 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.341 and earlier versions for Linux. The new build intends to address following vulnerabilities in Adobe Flash Player: CVE-2014-0503 ,  reported by security researcher, ' Masato Kinugawa ', that lets   attackers bypass the same-origin policy. Attackers can exploit this issue to access resources from another origin in the context of another domain. This can facilitate cross-site request-forgery attacks. CVE-2014-0504 , reported by ' Jordan Milne ',   that could be used to read the contents of the clipboard(). The Clipboard can be used to store data, such as text and images, but flaw could allow hacker to stuff malware URLs onto your clipboard. Adobe Security Bulletin APSB14-08 tagged the updates with  Priority 2 , ' This update resolves vulnerabilities in a product that
Update Adobe Shockwave Player to fix Critical Remote Code Execution Vulnerabilities

Update Adobe Shockwave Player to fix Critical Remote Code Execution Vulnerabilities

February 11, 2014Wang Wei
Adobe has released a security update to address critical vulnerabilities for Adobe Shockwave Player 12.0.7.148 and earlier versions of the Windows and Mac OS X systems. The Patch fixes two critical remote code execution vulnerabilities, that could potentially allow an attacker to remotely take control of the affected system. According to the Security  Advisory released by Adobe, the vulnerabilities labeled as CVE-2014-0500 and CVE-2014-0501, and very limited information is available at this moment. These vulnerabilities discovered and reported by Liangliang Song of Fortinet's FortiGuard Labs. ' An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. ' advisory explained. Adobe gave the update its highest 'Priority Ranking' of 1 , which indicates that a vulnerability is actively being targeted, or has
Growing market of zero-day vulnerability exploits pose real threat to Cyber Security

Growing market of zero-day vulnerability exploits pose real threat to Cyber Security

December 08, 2013Anonymous
NSS Labs issued the report titled " The Known Unknowns " to explain the dynamics behind the market of zero-day exploits. Last week I discussed about the necessity to define a model for " cyber conflict " to qualify the principal issues related to the use of cyber tools and cyber weapons in an Information Warfare context, today I decided to give more info to the readers on cyber arsenals of governments. Governments consider the use of cyber weapons as a coadiuvant to conventional weapons, these malicious application could be used for sabotage or for cyber espionage, they could be used to hit a specifically designed software (e.g. SCADA within a critical infrastructure ) or they could be used for large scale operations infecting thousand of machines exploiting zero-day in common application ( e.g. Java platform, Adobe software ). The zero-day flaw are the most important component for the design of an efficient cyber weapon, governments have recently created dedic
FBI warns that Anonymous Hackers has been hacking US Government for almost a year

FBI warns that Anonymous Hackers has been hacking US Government for almost a year

November 17, 2013Anonymous
The FBI is warning that members of the hacktivist group Anonymous hacking collective have secretly accessed US Government computers and stolen sensitive information in a campaign that began almost a year ago. The Hacktivists have exploited a flaw in Adobe applications to compromise the target systems and install software backdoors to maintain the control of the victims computers over the time, the facts dated back to last December, according to a Reuters report. The hacking campaign affected the U.S. Army, Department of Energy , Department of Health and Human Services, and other government agencies,  FBI reveals.  The Federal Bureau of Investigation memo called the hacking campaign " a widespread problem that should be addressed. " and provided useful information for system administrators that how to determine if their networks were compromised. Government investigators are investigating the scope of the hacking, believed that hackers are still operatin
Security updates for available for Adobe Flash Player and ColdFusion vulnerabilities

Security updates for available for Adobe Flash Player and ColdFusion vulnerabilities

November 13, 2013Mohit Kumar
Adobe released critical security patches for its ColdFusion web application server and  Adobe Flash Player for Mac, Windows and Linux. Adobe AIR and the AIR SDK and Compiler are also being updated. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system, dubbed as CVE-2013-5329, CVE-2013-5330. The following software versions are affected and should be updated as soon as possible: Adobe Flash Player 11.9.900.117 and earlier versions for Mac and Windows Adobe Flash Player 11.2.202.310 and earlier versions for Linux Adobe AIR 3.9.0.1030 and earlier versions for Windows and Macintosh Adobe has also released a security hotfix for ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and Linux, addresses two vulnerabilities: Cross-site scripting (XSS) vulnerability (CVE-2013-5326) Allow unauthorized remote read access (CVE-2013-5328) Both products have been patched mul
ASLR bypass techniques are popular with APT attacks

ASLR bypass techniques are popular with APT attacks

October 16, 2013Mohit Kumar
Address space layout randomization (ASLR) is a security technique involved in protection from buffer overflow attacks. Many recent APT (Advanced Persistent Threat) attacks have utilized many different ASLR bypass techniques during the past year, according to Researchers at  FireEye . Many exploits and malware attacks rely on the ability of the programmer to accurately identify where specific processes or system functions reside in memory. In order for an attacker to exploit or leverage a function, they must first be able to tell their code where to find the function or process to exploit.  The goal of ASLR  is to introduce randomness into addresses used by a given task. It involves randomly arranging the positions of key data areas of a program, including the base of the executable and the positions of the stack, heap, and libraries, in a process's address space.  Today a lot of attention is brought to client side exploits especially inside web browsers . Normally the e
Adobe Gets Hacked; Hackers Steal 2.9 million Adobe Customers accounts

Adobe Gets Hacked; Hackers Steal 2.9 million Adobe Customers accounts

October 03, 2013Mohit Kumar
Hackers broke into Adobe Systems' internal network on Thursday, stealing personal information on 2.9 million customers and the source code for several of Adobe's most popular products. This an absolutely massive blow to Adobe, especially their reputation. Adobe, which makes Photoshop and other programs, revealed that cyber attackers had access user information, including account IDs and encrypted passwords as well as credit and debit card numbers. The company did not specify which users of its various software programs were hit. But Products compromised in this attack include Adobe Acrobat, ColdFusion , and ColdFusion Builder. " We believe these attacks may be related. We are working diligently internally, as well as with external partners and law enforcement, to address the incident. " the company said in a customer security alert . Adobe's Arkin says the company is not aware of zero-day exploits or other specific threats to its customers due to the
BlackBerry Z10 Privilege Escalation Vulnerability

BlackBerry Z10 Privilege Escalation Vulnerability

June 18, 2013Mohit Kumar
BlackBerry Z10 users should be aware that there is a privilege escalation vulnerability. The vulnerability potentially allows a hacker to modify or edit data on a stolen BlackBerry Z10 smartphone with BlackBerry Protect enabled, identified as BSRT-2013-006 (CVE-2013-3692) According to the advisory , an escalation of privilege vulnerability exists in the software 'BlackBerry® Protect™' of  Z10 phones, supposed to help users delete sensitive files on a lost or stolen smartphone , or recover it again if it is lost. " Taking advantage of the weak permissions could allow the malicious app to gain the device password if a remote password reset command had been issued through the BlackBerry Protect website, intercept and prevent the smartphone from acting on BlackBerry Protect commands, such as a remote smartphone wipe. " The company says that version 10.0.9.2743 is not affected and that they have found no evidence of attackers exploiting this vulnerability in
Patch released for critical Adobe vulnerabilities

Patch released for critical Adobe vulnerabilities

February 20, 2013Mohit Kumar
Today Adobe released a patch for two critical vulnerabilities (CVE-2013-0640 and CVE-2013-0641) that are already being exploited by attackers. Adobe released version 11.0.02 of its Adobe Reader and Adobe Acrobat Pro applications.  Vulnerabilities affect Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Mac OS X systems. " These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system ." security advisory  reads . Exploits were discovered by security company FireEye and researchers with antivirus provider Kaspersky Lab have confirmed the exploit can successfully escape the Adobe sandbox. Users can update the software through the built-in updater or by downloading a copy of the  Windows ,  Mac , or  Linux  installer directly from Adobe's website. 
Adobe Reader zero-day vulnerability with modified Blackhole Exploit-Kit

Adobe Reader zero-day vulnerability with modified Blackhole Exploit-Kit

November 08, 2012Mohit Kumar
Group-IB , a Russian cybercrime investigation company has discovered a zero-day vulnerability, affects Adobe Reader X and Adobe Reader XI. The vulnerability is also included in new modified version of Blackhole Exploit-Kit , which is used for the distributing the banking Trojans (Zeus, Spyeye, Carberp, Citadel) with the help of exploitation different vulnerabilities in client-side software. The particular exploit is available in underground forums for as much as $50,000 and bug is dangerous because it permits cybercriminals to run arbitrary shellcode by bypassing the sandbox feature integrated into the more recent versions of Adobe Reader. For now this flaw is distributed only in only small circles of the underground but it has the potential for much larger post-exploitation methods. The exploit is limited to  Microsoft Windows installations of Adobe Reader and it can't be fully executed until the user closes his Web browser (or Reader). Adobe representatives said that
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.