Flash Exploit can nail early versions of Android

Adobe has announced a critical vulnerability in Flash Player 10.2.153.1 and earlier versions which may, and we do underscore MAY, affect early versions of the Android OS. The vulnerability causes a crash and could also allow a savvy attacker to take control of affected systems. It is usually triggered by an infect .swf file embedded into a Microsoft Word document delivered as an email attachment. Now, granted, this is going to be rare for the Android platform but Adobe felt it important enough to mention that early versions of the Bot OS may be affected.

So if you have an old G1 that you’re hanging onto, you may want to steer clear of using Flash until adobe gets a fix out, which is currently scheduled for June 14, 2011 as part of their quarterly security update schedule. Yeah, June. You’d think if Adobe though this was important enough to mention, and exploits always are, that they’d have a regular update schedule like Microsoft does with Windows. I mean, QUARTERLY?

Then again, if you are still using an G1 or early model Android handset, you’re probably WAY due to upgrade anyway. There’s plenty of great handsets out there and many are free. I mean, we know the G1 was the first and all, but come on, get with the program! Seriously, this likely much ado about nothing for your average AC reader, but its always a good idea to keep up on what attackers are trying to do in case something pops up that nobody saw comin.

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

Release date: April 11, 2011

Vulnerability identifier:APSA11-02

CVE number: CVE-2011-0611

Platform: See “Affected software versions” section below for details
Summary

A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform. At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

We are in the process of finalizing a schedule for delivering updates for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.2) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.
Affected software versions

* Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
* Adobe Flash Player 10.2.154.25 and earlier for Chrome users
* Adobe Flash Player 10.2.156.12 and earlier for Android
* The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.
Severity rating

Adobe categorizes this as a critical issue.
Details

A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform. At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

We are in the process of finalizing a schedule for delivering updates for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.2) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt or by subscribing to the RSS feed at http://blogs.adobe.com/psirt/atom.xml.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

Acknowledgments
Adobe would like to thank Mila Parkour (http://contagiodump.blogspot.com) for working with Adobe on this issue to help protect our customers.

continue reading…

Adobe And Zend Launch Flash Builder 4.5 For PHP Development

Adobe and Zend Technologies, the PHP distribution company, are announcing Flash Builder 4.5 for PHP software, a new integrated product aimed at helping PHP developers create rich Internet applications for mobile, Web and desktop leveraging the Flash Platform.

Zend, which has been working with Adobe since 2008, offers its own distribution of PHP, the popular open-source scripting language for Web applications, and sells software and support services around the language.

The Flash Builder 4.5 for PHP gives developers a single code base for applications for Android, Blackberry Tablet OS and iOS while sharing code from Web applications. Adobe Flash Builder 4.5 for PHP includes an integrated copy of Zend Studio 8, which allows developers to develop Flash based applications within a single environment. Specifically, the integrated software offers a single UI framework to create Flex and PHP projects for desktop and mobile and the ability to connect to PHP services and generate ActionScript value objects.

The combination of the two frameworks in one suite is powerful, says Zend CEO Andi Gutmans. Adobe says that more than 131 million smartphones are expected to have Flash Player installed by the end of the year. And PHP is the leading language for public facing web applications, says Gutmans.

It’s good to see Zend back on the mend, after a rough patch a few years ago.

continue reading…

Flash 10.2 Arrives on Android, Brings Flash to Tablets

Adobe has finally released Flash Player 10.2 for Android. Its release marks the availability of Flash for Android 3.0.1 Honeycomb, Google’s OS for tablets.

While Flash 10.2 for Android boasts performance enhancements that improve the experience on mobile, the thrust of this update is to bring Flash to tablet devices like the Motorola Xoom. Adobe says it has been working closely with Google “to ensure tight integration and optimization between Flash Player 10.2 and new OS and browser capabilities.”

The result, Adobe says, is an integrated and fully functional browsing experience. Adobe wanted to make sure a web page with Flash appeared on Android tablets the way it does on the desktop, in the way intended by the page designer.

While Flash 10.2 for Android 2.2 and 2.3 is a production general availability release, Flash 10.2 for Android 3.0 is a beta release. In the next few weeks, Adobe intends to release GA version of Flash 10.2 for Android Honeycomb that enables hardware acceleration and Stave Video support.

Support for Stage Video and hardware acceleration was added to Flash Player 10.2 for the desktop, which was released last month. Combined, these technologies should improve the playback of HD video video and embedded content on tablet devices.

Flash 10.2 for Android 2.2, 2.3 and 3.0.1 is available for download in the Android Marketplace.

• Powered By WizardRSS.com | Full Text RSS Feed | WordPress Plugin

continue reading…

Flash Player 10.2 Up Now for Android, Incorrectly Listed as 10.1

As you might have guessed, today is indeed the day that Adobe releases their new version of Flash Player, that being Flash Player 10.2, to the world. However, there is a bit of a complication in the title, as in some places it’s listed as Flash Player 10.1, and in others it’s listed as 10.2. The correct link for the update is below, but before you go there, make sure your firmware is updated to the point it’s supposed to be at, especially if you’re using the Motorola XOOM.

To get the update you need on your XOOM, all you’ve got to do is go to Settings, then About Tablet, then System updates. If when you click this button your tablet informs you that your system is currently up to date, more than likely you’re set to go. If you are sure you did not receive [this update] which would bump you up to Build number HRI66 and Android version 3.0.1.
To get the new version of Flash, head over to [this link right here] which goes directly to the Android Market where you’ll be able to install or, if you’ve got a device that already worked with Flash, simply update. If you hit this link with your tablet and it shows up as 10.1, don’t fret, install it anyway. Soon it will be listed as 10.2 and all will be well. Meanwhile you’ll have Flash and your life will become all roses and daisies.
Also note that they’re calling this a BETA release for Android 3.0.1+ tablets and a “finished production quality release for Android 2.2 and Android 2.3 devices.”

BONUS here’s the product description:

Bring the FULL web to your device with Flash Player- videos, games, apps & more

Flash Player enables a FULL web browsing experience.

NOTE: This is a finished production quality release for Android 2.2 and 2.3 devices and a BETA release for Android 3.0.1+ tablets. Please check with your device manufacturer or carrier to ensure you have the latest firmware update for your device.

Flash Player delivers access to your favorite web videos, games and interactive content. Flash Player on your device gives you:

• The freedom to access the same rich web content you experience on a desktop PC from your mobile device – anywhere, anytime; 
• Uncompromised browsing without ‘empty boxes’ on web pages.

For optimal performance and the most immersive experience on Android 3.0.1+ tablets, view Flash Player delivered content in full screen by using the menu buttons provided by content providers, or by tapping content once followed by a long tap to bring down a button in the upper left corner which can be tapped to enable full screen mode.

By clicking “Install” I agree to the License Agreement terms at http://adobe.com/go/eum. Manage your privacy settings at https://settings.adobe.com/flashplayer/mobile.

continue reading…