Adobe goes on patching spree
In addition to an update for the Adobe Reader for Unix, Adobe has also published patches for holes in Form Designer, Form Client, ColdFusion, and LiveCycle Workflow.
In Form Designer and Form Client, the update remedies critical flaws that allowed attackers to inject malicious code by means of manipulated websites. The libraries FileDlg.dll and SvrCopy.dll provide ActiveX components in which buffer overflows can occur. US-CERT recommends setting the kill bit for the ClassIDs {00A2A192-4929-11D1-BA6C-080009D7FAD2} and {D10E546F-3AF9-11D1-BA6C-080009D7FAD2} if you do not want to switch off ActiveX in Internet Explorer entirely. Adobe has also published a patch that users of Form Designer 5.0 or Form Client 5.0 can install.
Other updates remedy cross-site scripting holes in ColdFusion MX 7, ColdFusion 8 and LiveCycle Workflow 6.2. Another update for ColdFusion fixes a flaw that prevented the software from logging failed login attempts, thereby making it easier for attackers to attempt to break in. Users of the affected applications should download and install these updates as soon as possible.
See also:
- Update available to resolve critical vulnerabilities in Adobe Form Designer 5.0 and Adobe Form Client 5.0 Components, Adobe security advisory
- Adobe Form Designer and Advanced Form Client ActiveX controls contain multiple buffer overflows, security advisory from US-CERT
- Update available for potential ColdFusion MX 7 and ColdFusion 8 Cross Site Scripting security issue, Adobe security advisory
- Update available for ColdFusion MX 7 and ColdFusion 8 Cross-Site Scripting issue, Adobe security advisory
- Update available for ColdFusion MX 7 and ColdFusion 8 logs invalid admin interface log-in attempts, Adobe security advisory
- Update available for potential LiveCycle Workflow 6.2 Cross Site Scripting security issue, Adobe security advisory
(mba)