The bug, which can be exploited using a special TrueType font, can be used to execute arbitrary code. According to Miller, Adobe first learnt of the vulnerability from Google security engineer Tavis Ormandy. "Apparently @taviso previously reported to Adobe the Reader 0-day I dropped at BH. Haha, ruined his effort at trying to be responsible," Miller quipped in a Tweet Tuesday.
Tavis Ormandy was recently in the crosshairs after he went public with a critical vulnerability in Windows' HCP protocol only a few days after notifying Microsoft about it.
Adobe is often maligned for the number of vulnerabilities in its software. Of course, one could argue that the prevalence of Adobe software has made it one of the most targeted third-party software vendors and there is little it can do to change that, but the fact is that the San Jose-based company has been leisurely in addressing security concerns.
If Adobe is the least bit worried about Apple's refusal to incorporate Flash support into its product line, the company is holding steady a pretty convincing poker face. Check out what Adobe CEO Shantanu Narayen recently said about the whole ordeal.
"Apple made some statements about the suitability of our technology for mobile devices," Narayen starts off. "I think we’ve proven that the technology is not only suitable but it actually significantly enhances the value on these mobile devices. They’ve chosen to keep their system closed and we’d rather work with partners who are interested in working with us. We believe in open systems. We believe in the power of the Internet and in customers making choices and I think a lot of the controversy was about their decision at that point. They’ve made their choice. We’ve made ours and we’ve moved on. It’s a business decision. With the energy and innovation that our company has, we’d rather focus on people who want to deliver the best experience with Flash and there are so many of them."
Bolded text is our emphasis, not Narayen's, but it might as well have been his. Call us naive, but Adobe actually sounds believable in its stance this time around, which hasn't always been the case since this feud began.
Call it the Swiss cheese of software if you will, but Adobe this week managed to identify no fewer than six vulnerabilities in its Flash Player platform affecting versions 10.1.53.64 and earlier.
"These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system," Adobe warns in a security bulletin.
This is the third round of updates so far in 2010 for Adobe's Flash Player, which is found on an estimated 99 percent of PCs. Earlier updates in March and June plugged up another 33 security holes, bringing the total to 39 for the year.
Going forward, Adobe might switch to a quarterly schedule and pre-patch warning system, like it does with its Reader and Acrobat software.
Lightroom is tailored for photographers who often don’t need or want the robust image-manipulation tools offered by the pricier Photoshop. From its outset, Lightroom presented photographers with a logical, clean workflow that facilitated photo improvements rather than alterations.
Lightroom 2 added 64-bit support and some refinements—welcome, certainly, but the second version didn’t seem like much more than an incremental update. Lightroom 3, on the other hand, adds a couple of killer features—lens correction and improved noise reduction, namely—that really boost its worth.
Research in Motion (RIM) this week unveiled its BlackBerry Torch 9800 smartphone, the first phone to run RIM's new BlackBerry 6 OS. Not among the supported features, however, is Flash support.
Unlike Apple, which refuses to work with Adobe in porting Flash over to its smartphones, RIM has real interest in running Adobe's multimedia platform, at least once the kinks are worked out.
"What's really important... is to get it right. Flash and Flash video have very specific hardware, CPU, and memory requirements," said Tyler Lessard, vice president of global alliances and developer relations at RIM.
"We don't want to deliver an experience that users are going to get really excited about -- perhaps buy a new device just because it supports Flash -- and then find it doesn't work as they hoped it to," he said.
Given that the two companies announced last October that they were working together to bring Flash to BlackBerry devices, it's a little surprising they couldn't get it down in time for the Torch 9800 launch. And while it would appear that support is imminent, neither side is willing to give a time frame.
Adobe announced it has entered into a definitive agreement to acquire Day Software, a move the company says is intended to strengthen its enterprise software solutions on the Web.
"Adobe’s acquisition of Day represents a key milestone in our efforts toward delivering best-in-class customer experience management solutions to enterprises and governments worldwide," said Rob Tarkoff, senior vice president and general manager, Digital Enterprise Solutions, Adobe. "With the addition of Day to our enterprise portfolio, we will be able to enhance the value of our offering and deliver on our vision of the web as the hub of customer interaction."
The two companies will operate as a product line within Adobe's Digital Enterprise Solutions Business Unit, with Day CEO Erik Hansen joining Adobe and reporting directly to Rob Tarkoff, Adobe said.
"We are excited to join Adobe and combine our expertise in WCM with technologies that create and deliver rich online and offline experiences leveraging the ubiquity of Flash and PDF," Hansen added. "We believe this is a winning combination for both Adobe and Day customers."
Adobe has given us a peek at a peer-to-peer video calling system on Android that uses the cross-platform Adobe Integrated Runtime (AIR). The name of the app is, get ready for it, FlashTime. Yeah, take that, Apple. The app has direct access to the camera hardware just as a standard app would, and works much as Apple's FaceTime service does. The system uses Adobe's Stratus servers to connect two devices (in this case Nexus Ones).
The point here doesn't seem to be to show something completely new, as Android users already have apps like Fring and Qik to make video calls. Adobe is just showing what their Flash products can do on mobile phones. The FlashTime app will presumably be easy to port to other platforms on which Flash is available.
This isn't going to help to patch things up between Apple and Adobe, but maybe in this brave new world, Adobe can get by without the iPhone. If there were a reliable cross-platform video chat app like FlashTime on your phone, would you use it?
M86 Security Labs released a list of the top 15 most observed vulnerabilities for the first half of 2010 and, surprise-surprise, Adobe Acrobat & Adobe Reader (No. 1) and Microsoft Internet Explorer (No. 2) took the top two spots.
It wasn't enough to just take the top spots; Adobe Reader and Microsoft IE overachieved (underachieved?) by claiming nine out of the 15 slots, with four of them belonging to Adobe and five to Microsoft.
The list also indicates a growing focus on exploiting Java-based vulnerabilities.
"Java is the next low-hanging fruit for attackers," says Marc Maiffret, chief technology officer at eEye Digital Security.
In his tirade against Adobe's Flash platform, one of the reasons Steve Jobs says Apple doesn't allow the popular plug-in to run on Apple's iPhones, iPods, and iPads is because "Flash has not performed well on mobile devices." In fact, Steve Jobs claims his Cupertino company has "routinely asked Adobe to show us [Apple] Flash performing well on a mobile device, any mobile device, for a few years now." Anyone think a demo of Flash running smoothly on the iPad would change his mind?
Probably not, but that didn't stop iPhone hacker "comex" from demonstrating it anyway. This is the same guy who developed the Spirit untethered jailbreak tool for the iPhone, iPad, and iPod touch, and now he's gone and ported a version of Adobe Flash runtime for Android to run on the iPad using a compatibility layer, which he's calling "Frash."
"Frash can currently run most Flash programs natively in the MobileSafari browser," reads a description of the YouTube video showing Frash in action. "Frash currently only runs on the iPad, but support for other devices (3GS+ only due to technical restrictions) is planned, as well as support for iOS 4."
Comex says he'll release Frash when it's fully stable, and in the meantime, "developers are welcome to join the effort at http://github.com/comex/frash -- fork it and send a pull request with your patches."
After 9.5 versions of Photoshop (Windows wasn’t supported until PS 2.5) it’s easy to become jaded about Adobe’s stalwart photo editor. Fortunately, Photoshop CS5 gives us something to get worked up about all over again.
Packing more than 250 new features, Photoshop CS5 is an amazing upgrade capable of performing a wide range of tasks we’ve never seen before, while simultaneously simplifying the trademark tasks we’ve come to know and love.