

Ric Ford

MacInTouch
And Adobe now has an update that's supposed to avoid its Mac hardware destruction bug:
The Verge said:
Adobe has fixed a Premiere Pro CC issue that blew some MacBook Pro speakers
On Friday, an Adobe representative confirmed in a reply on the forum that “a small number of users reports an issue in Premiere Pro that could affect the speakers in the latest MacBook Pro,” and pointed to a software patch.
 


Regarding the APSB19-13: Adobe Acrobat and Reader alert mentioned on the home page today: before users might panic that their Adobe software won't update, note that this update is only relevant for the latest Acrobat/Reader DC/2019 version on a Mac. Older versions on the Mac are not affected by this bug (according to Adobe).
 



Ric Ford

MacInTouch
More details on this week's Adobe Acrobat/Reader patch:
BleepingComputer said:
Adobe Patches Critical Information Disclosure Flaw in Reader, Again

... According to Mitja Kolsek, CEO of ACROS Security, the company behind the 0patch platform which issued a micropatch for the zero-day discovered by Inführ, both the original CVE-2019-7089 and the new CVE-2019-7815 have a similar impact to an issue reported by Check Point in 2018:
This vulnerability, similar to CVE-2018-4993, the so-called Bad-PDF reported by CheckPoint in April last year, allows a remote attacker to steal user's NTLM hash included in the SMB request. It also allows a document to "phone home", i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.
 



Adobe has updated the PPAPI and NPAPI Flash Players to version 32.0.0.270 - no notes yet on what security issue(s) they address.

The Release Notes for today's new versions of Adobe Flash Player 32.0.0.270 aren't very helpful: "Assorted functional fixes". That's it, and this release doesn't appear on their list of security fixes in APSB19-46.
 


From Mashable, Adobe customers to be targets of phishing...
Mashable said:
Adobe exposed nearly 7.5 million Creative Cloud accounts to the public
The exposed user data for the nearly 7.5 million accounts included email addresses, the Adobe products they subscribed to, account creation date, subscription and payment status, local timezone, member ID, time of last login, and whether they were an Adobe employee. While no passwords or financial information such as credit card numbers were exposed, the data is sensitive enough to cause real problems for Creative Cloud users.
Never had this problem when I had a DVD to install from ;)
 


Ric Ford

MacInTouch
From Mashable, Adobe customers to be targets of phishing...
You just beat me to posting the news...
Comparitech said:
7 million Adobe Creative Cloud accounts exposed to the public
Nearly 7.5 million Adobe Creative Cloud user records were left exposed to anyone with a web browser, including email addresses, account information, and which Adobe products they use.

Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. The Elasticsearch database could be accessed without a password or any other authentication.

Diachenko immediately notified Adobe on October 19 and the company secured the database on the same day.
 



You just beat me to posting the news...
Regardless of who posted it first, I'm just grateful that it was posted here, because who knows how long it would have been until I stumbled across it elsewhere?

Even though passwords offered no protection against this breach, I have taken the opportunity to update my old, yet already secure, password, and to enable the two-step verification that I hadn't known existed until now.
 


Ric Ford

MacInTouch
In addition to what's posted on the MacInTouch home page:
BleepingComputer said:
Adobe Patches Critical Remote Code Execution Bugs in Illustrator
Adobe released security updates to address security issues that could allow attackers to execute malicious code remotely, elevate privileges, and gain unauthorized access to information on systems running unpatched Illustrator, Animate CC, Bridge CC, and Media Encoder versions.

Of particular interest are the two critical memory corruption vulnerabilities that lead to remote code execution discovered in the Adobe Illustrator software and tracked as CVE-2019-8247 and CVE-2019-8248.

Since the program is widely used and these security issues could enable attackers to execute code on vulnerable machines, Adobe strongly advises users to update as soon as possible to block potential exploitation attempts.
 


Here's something I have found that is rather disturbing...

Adobe changed the minimum operating system requirements for Acrobat in the spring of 2019 and that also means the requirements for Reader - all versions of Acrobat and Reader from 2015 onwards now require a minimum of macOS 10.12. But, this is not obvious if you have the software already installed, and there are no warnings, so that leads to several potential security issues:

• Acrobat Pro/Reader 2015 is still supported with security updates until 7th April 2020, but if you already have it installed and are running OS X 10.11 or earlier you no longer get updates. You're stuck at v2015.006.30493 from 1st April 2019 - if you run the Updater (Help > Check for Updates…) it reports "Adobe Acrobat is already up to date" - no, it's not, it's out of date and insecure!

• Acrobat Pro/Reader 2017 is still supported with security updates until 6th June 2022, but if you already have it installed and are running OS X 10.11 or earlier, you no longer get updates. You're stuck at v2017.011.30138 from 1st April 2019 - if you run the Updater (Help > Check for Updates…) it reports "Adobe Acrobat is already up to date" - no it's not, it's out of date and insecure!

• Another scenario is that you could have paid for Acrobat Pro 2015, still be running OS X 10.11, assuming you will still get security updates for the product you paid for until 7th April 2020, but you don't - you're stuck on v2015.006.30493 from 1st April 2019 and your product is now insecure.

• What's worse is that if you go to Adobe.com to download Acrobat Reader and choose the "Do you have a different language or operating system?" and select Mac OS Intel 10.11 > English, the site offers you v2019.010.20099 from 1st April 2019 - this version is insecure and no longer gets security updates but there is no warning of this anywhere when you download and install it. Adobe is essentially letting users download out of date and insecure software with no warning.

Once again, bad, BAD, Adobe! Grrrr.

P.S. Merry Christmas and a Happy New Year to Ric (thanks for all the hard work) and all of MacInTouch from me and MacStrategy.
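
Added example, not part of the post above and not Adobe tooling: a shell check that classifies a Mac from the build numbers and support dates quoted in that post, so an admin does not have to trust the in-app "already up to date" message. The function names and status labels are hypothetical; the macOS version (from `sw_vers -productVersion`), the Acrobat/Reader version as shown in the app's About box, and today's date as YYYYMMDD are supplied by the caller.

```sh
#!/bin/sh
# Added example. Build numbers and dates are the ones quoted in the post.

# strip0 N -> N without leading zeros ("011" -> "11"), so it compares as decimal
strip0() { s=${1#"${1%%[!0]*}"}; printf '%s' "${s:-0}"; }

# ver_lt A B -> exit 0 if dotted version A is numerically lower than B
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(strip0 "${a%%.*}"); y=$(strip0 "${b%%.*}")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# acrobat_status MACOS_VERSION ACROBAT_VERSION TODAY(YYYYMMDD)
acrobat_status() {
    os=$1; acro=${2#v}; today=$3
    case ${acro%%.*} in
        2015) frozen=2015.006.30493; eos=20200407 ;;
        2017) frozen=2017.011.30138; eos=20220606 ;;
        2019) frozen=2019.010.20099; eos= ;;  # no end date given in the post
        *)    echo UNKNOWN_TRACK; return ;;
    esac
    # Track is past the support end date quoted in the post.
    if [ -n "$eos" ] && [ "$today" -gt "$eos" ]; then
        echo TRACK_UNSUPPORTED; return
    fi
    # Below macOS 10.12 the updater stops delivering fixes but says "up to date".
    if ver_lt "$os" 10.12; then
        echo FROZEN; return
    fi
    # Supported OS: at or below the 1 April 2019 build means updates are pending.
    if ver_lt "$frozen" "$acro"; then
        echo NEWER_THAN_APRIL_2019
    else
        echo BEHIND
    fi
}

# Stand-alone use: sh check.sh 10.11.6 2015.006.30493 20191225
if [ "$#" -eq 3 ]; then acrobat_status "$@"; fi
```

`FROZEN` is the case the post warns about: the product track is still inside its support window, yet the machine will never receive another fix.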
 


... if you run the Updater (Help > Check for Updates…) it reports "Adobe Acrobat is already up to date" - no, it's not, it's out of date and insecure! ...
Older versions can be found at: site:
P.S. Merry Christmas and a Happy New Year to Ric (thanks for all the hard work) and all of MacInTouch from me and MacStrategy.
Ditto. Many thanks to Ric, Graham, and everyone else in this great community. Even though I've been doing Macs since 1986, I learn something new on MacInTouch every day.
 


Older versions can be found at: site:
Yes, older versions are available from Adobe's archives - the problem is that Adobe lets you download them with no warning at all about their insecurities.

Worse, they offer old, insecure versions via their normal Reader download page, which is one click from their home page and is the destination URL from all those "Get Acrobat Reader" buttons. And you will never know they are old and insecure because "checking for updates" within the application simply reports that the application is "already up to date"!

If you are running OS X 10.11 or earlier you can no longer rely on Adobe Acrobat/Reader to safely open PDF files on your Mac - the very latest vulnerabilities fixed in later versions include "Critical" Arbitrary Code Execution!

If you're running OS X 10.11 or earlier, unless you know the provenance of every PDF file that comes your way, I would highly recommend removing all versions of Adobe Acrobat/Reader.
 


... If you are running OS X 10.11 or earlier you can no longer rely on Adobe Acrobat/Reader to safely open PDF files on your Mac - the very latest vulnerabilities fixed in later versions include "Critical" Arbitrary Code Execution! If you're running OS X 10.11 or earlier, unless you know the provenance of every PDF file that comes your way, I would highly recommend removing all versions of Adobe Acrobat/Reader.
For those of us who use Preview for casual viewing of PDFs, is there word on its safety regarding the same/similar vulnerabilities?
 


For those of us who use Preview for casual viewing of PDFs, is there word on its safety regarding the same/similar vulnerabilities?
I don't have information on specific vulnerabilities in Preview*, but as older versions of macOS are unsupported with security updates, I would not use Preview to open PDFs of unknown origin on any unsupported OS - so, currently, that's macOS 10.12 or earlier.

Apple maintains a security updates list. Once a Preview PDF vulnerability is listed here, it won't be fixed in any unsupported OS – i.e., currently, macOS 10.12 or earlier.
 


if you run the Updater (Help > Check for Updates…) it reports "Adobe Acrobat is already up to date" - no, it's not, it's out of date and insecure!
Adobe has never shown respect to its customers. Last night, I was checking my daughter's laptop for a slowdown, and began reading a pdf file. There were gray bars and white bars showing up. Checked updates, and it responded with 'up to date'. Then I looked at the app: Reader 8, from 2013.
 


Adobe has never shown respect to its customers. Last night, I was checking my daughter's laptop for a slowdown, and began reading a pdf file. There were gray bars and white bars showing up. Checked updates, and it responded with 'up to date'. Then I looked at the app: Reader 8, from 2013.
I've seen the same thing. Adobe's automatic updates for Acrobat Reader install the latest patch level for the version you're running, but they don't upgrade you to the new version, even when it is free. At least that's been my experience.

So if you're running Adobe Acrobat Reader 8, you'll have the latest patches for 8, but it won't upgrade you to 9, X, XI or DC (which is what's current).
 


So if you're running Adobe Acrobat Reader 8, you'll have the latest patches for 8, but it won't upgrade you to 9, X, XI or DC (which is what's current).
Acrobat 2015, 2017 and 2019 (DC) are current. All now require macOS 10.12 or later to install/stay up to date.

Acrobat 2015 stops being current/supported on 7th April 2020.

Acrobat 2017 stops being current/supported on 6th June 2022.
 

