Adobe on Monday issued another security advisory warning users of yet another zero-day bug in its software. This is the second time this month that the San Jose-based software developer has warned of a critical bug that is reportedly being exploited in the wild. While the first advisory, issued only a few days ago, warned of a critical bug in Reader and Acrobat, the latest warning pertains to a critical vulnerability in its Flash Player.
“A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh,” the bug-inured company warned in the advisory.
“This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.”
The company expects to provide patches for both vulnerabilities within the next three weeks.
Don't expect Adobe to give up on its Flash platform any time soon. Adobe is as enthused about Flash as it ever was, but that doesn't mean the company is going to ignore the whole HTML5 thing, either. On the contrary, Adobe just went and released an add-on pack for its Illustrator software that converts it into an HTML5 authoring tool. Here are some of the highlights:
Export named character styles as CSS
Export artwork appearances as CSS
Include selected Graphic Styles as CSS in SVG
Create parametrized SVG (vector graphics tagged with variables)
Create multiple-screen SVG (leveraging media queries to serve up design variations)
According to Adobe, most of the creations designed with the add-on pack will work in Chrome, Firefox, and Safari, and will probably be compatible with Internet Explorer 9.
"I'm curious to see whether this news makes it onto the Mac sites that've beaten Adobe up for a perceived lack of enthusiasm about HTML5 (tough, as it just doesn't fit that sterile, stupid narrative)," John Nack, Principal Product Manager, Adobe Photoshop, wrote in a blog post. "The funny thing is that these changes build on the SVG support that Illustrator has been shipping for ten years. Sometimes it just takes a while for the world to catch up."
We guess that Apple-induced chip on Adobe's shoulder is still there.
We know it's hard to believe, but your Adobe Reader and/or Acrobat software is in need of some patching. That's according to Adobe, which is warning users of a critical vulnerability affecting Reader and Acrobat versions 9.3.4 and earlier.
That's the bad news. The even worse news is that the vulnerability, when exploited, could crash your machine and potentially allow an attacker to seize control, Adobe says. And the really bad news is that this vulnerability is being actively exploited in the wild.
Ready for the good news? Not so fast, we haven't covered the no-good terrible news. This nasty security hole -- the one the bad guys know about and are currently exploiting -- can't yet be plugged, though if it's any consolation, Adobe promises it's "in the process of evaluating the schedule for an update to resolve this vulnerability." Comforting, isn't it?
Alright, we're finally ready for some good news, and here it is. You don't have to use Adobe products to read those PDF files. One of our favorite free alternatives is Foxit's free Reader program available here.
What do you use to read PDF documents? Hit the jump and let us know.
The bug in question, which can be exploited using a special TrueType font, can be used to execute arbitrary code. According to Miller, Adobe first learnt of the vulnerability from Google security engineer Tavis Ormandy. "Apparently @taviso previously reported to Adobe the Reader 0-day I dropped at BH. Haha, ruined his effort at trying to be responsible," Miller quipped in a Tweet Tuesday.
Tavis Ormandy was recently in the crosshairs after he went public with a critical vulnerability in Windows' HCP protocol only a few days after notifying Microsoft about it.
Adobe is often maligned for the number of vulnerabilities in its software. Of course, one could argue that the prevalence of Adobe software has made it one of the most targeted third-party software vendors and there is little it can do to change that, but the fact is that the San Jose-based company has been leisurely in addressing security concerns.
If Adobe is the least bit worried about Apple's refusal to incorporate Flash support into its product line, the company is holding steady a pretty convincing poker face. Check out what Adobe CEO Shantanu Narayen recently said about the whole ordeal.
"Apple made some statements about the suitability of our technology for mobile devices," Narayen starts off. "I think we’ve proven that the technology is not only suitable but it actually significantly enhances the value on these mobile devices. They’ve chosen to keep their system closed and we’d rather work with partners who are interested in working with us. We believe in open systems. We believe in the power of the Internet and in customers making choices and I think a lot of the controversy was about their decision at that point. They’ve made their choice. We’ve made ours and we’ve moved on. It’s a business decision. With the energy and innovation that our company has, we’d rather focus on people who want to deliver the best experience with Flash and there are so many of them."
Bolded text is our emphasis, not Narayen's, but it might as well have been his. Call us naive, but Adobe actually sounds believable in its stance this time around, which hasn't always been the case since this feud began.
Call it the Swiss cheese of software if you will, but Adobe this week managed to identify no fewer than six vulnerabilities in its Flash Player platform affecting versions 10.1.53.64 and earlier.
"These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system," Adobe warns in a security bulletin.
This is the third round of updates so far in 2010 for Adobe's Flash Player, which is found on an estimated 99 percent of PCs. Earlier updates in March and June plugged up another 33 security holes, bringing the total to 39 for the year.
Going forward, Adobe might switch to a quarterly schedule and pre-patch warning system, like it does with its Reader and Acrobat software.
Lightroom is tailored for photographers who often don’t need or want the robust image-manipulation tools offered by the pricier Photoshop. From its outset, Lightroom presented photographers with a logical, clean workflow that facilitated photo improvements rather than alterations.
Lightroom 2 added 64-bit support and some refinements—welcome, certainly, but the second version didn’t seem like much more than an incremental update. Lightroom 3, on the other hand, adds a couple of killer features—lens correction and improved noise reduction, namely—that really boost its worth.
Research in Motion (RIM) this week unveiled its BlackBerry Torch 9800 smartphone, the first phone to run RIM's new BlackBerry 6 OS. Not among the supported features, however, is Flash support.
Unlike Apple, which refuses to work with Adobe in porting Flash over to its smartphones, RIM has real interest in running Adobe's multimedia platform, at least once the kinks are worked out.
"What's really important... is to get it right. Flash and Flash video have very specific hardware, CPU, and memory requirements," said Tyler Lessard, vice president of global alliances and developer relations at RIM.
"We don't want to deliver an experience that users are going to get really excited about -- perhaps buy a new device just because it supports Flash -- and then find it doesn't work as they hoped it to," he said.
Given that the two companies announced last October that they were working together to bring Flash to BlackBerry devices, it's a little surprising they couldn't get it done in time for the Torch 9800 launch. And while it would appear that support is imminent, neither side is willing to give a time frame.
Adobe announced it has entered into a definitive agreement to acquire Day Software, a move the company says is intended to strengthen its enterprise software solutions on the Web.
"Adobe’s acquisition of Day represents a key milestone in our efforts toward delivering best-in-class customer experience management solutions to enterprises and governments worldwide," said Rob Tarkoff, senior vice president and general manager, Digital Enterprise Solutions, Adobe. "With the addition of Day to our enterprise portfolio, we will be able to enhance the value of our offering and deliver on our vision of the web as the hub of customer interaction."
The two companies will operate as a product line within Adobe's Digital Enterprise Solutions Business Unit, with Day CEO Erik Hansen joining Adobe and reporting directly to Rob Tarkoff, Adobe said.
"We are excited to join Adobe and combine our expertise in WCM with technologies that create and deliver rich online and offline experiences leveraging the ubiquity of Flash and PDF," Hansen added. "We believe this is a winning combination for both Adobe and Day customers."
Adobe has given us a peek at a peer-to-peer video calling system on Android that uses the cross-platform Adobe Integrated Runtime (AIR). The name of the app is, get ready for it, FlashTime. Yeah, take that Apple. The app has direct access to the camera hardware just as a standard app would, and works much as Apple's FaceTime service does. The system uses Adobe's Stratus servers to connect two devices (in this case Nexus Ones).
The point here doesn't seem to be to show something completely new, as Android users already have apps like Fring and Qik to make video calls. Adobe is just showing what their Flash products can do on mobile phones. The FlashTime app will presumably be easy to port to other platforms on which Flash is available.
This isn't going to help to patch things up between Apple and Adobe, but maybe in this brave new world, Adobe can get by without the iPhone. If there were a reliable cross-platform video chat app like FlashTime on your phone, would you use it?