Adobe Employee: Go Screw Yourself, Apple

  • Post author: Omid Farhang
  • Post published: April 9, 2010
  • Reading Time: 2 min
  • Word Count: 358 words

Adobe has fired back against Apple’s recent ban on building iPhone apps via Flash. And this time, Adobe’s not pulling any punches. In a recent blog post on The Flash Blog, Adobe Platform Evangelist Lee Brimelow goes on the offensive for seven paragraphs, ripping into Apple’s recent change to its iPhone Developer Program License Agreement that only allows for applications to be written in Objective-C, C, C++ or JavaScript and executed by the iPhone OS WebKit engine. In fact, the post was so strong that Adobe asked Brimelow to delete a segment. ...

Adobe Patch Tuesday news: auto updater coming

  • Post author: Omid Farhang
  • Post published: April 9, 2010
  • Reading Time: 1 min
  • Word Count: 197 words

Adobe has announced that it will release an updater along with Adobe Reader and Acrobat versions 9.3.2 and 8.2.2 on patch Tuesday next week. On the Adobe blog, Steve Gottwals wrote: “…we have been testing a new updater technology with select beta customers since our October 13, 2009 quarterly update. The purpose of the new updater is to keep end-users up-to-date in a much more streamlined and automated way. “During our quarterly update on January 12, 2010, and then again for an out-of-cycle update on February 16, 2010, we exercised the new updater with our beta testers. This allowed us to test a variety of network configurations encountered on the Internet in order to ensure a robust update experience. That beta process has been a successful one, and we’ve incorporated several positive changes to the end-user experience and system operation. Now, we’re ready for the next phase of deployment.” ...

The Apple-Adobe War Escalates: Using Flash to Build iPhone Apps Banned

  • Post author: Omid Farhang
  • Post published: April 9, 2010
  • Reading Time: 2 min
  • Word Count: 328 words

Today, Apple revised its iPhone Developer Program License Agreement to effectively ban the use of the Flash-to-iPhone converter. Throughout 2010, Steve Jobs and Apple made it very clear that they do not like Adobe. At all. They prominently left Flash off the iPad, instead promoting HTML5 at every opportunity. For some time now, though, Adobe’s had a tool to circumvent Apple’s ban on Flash for the iPhone and iPad: the Adobe Creative Suite 5 Flash-to-iPhone converter, which would have allowed developers to create apps in Flash and then port them over into iPhone. ...

Adobe to launch Creative Suite 5 April 12

  • Post author: Omid Farhang
  • Post published: April 3, 2010
  • Reading Time: 2 min
  • Word Count: 269 words

A spokesperson for Adobe told us that on the morning of April 12 at 11:00 a.m. EDT, the company will hold a global online launch event for all of the components of its Creative Suite 5. Among the most anticipated new components — or as Adobe tends to present them in its periodic table, “elements” — is a vastly improved HD video rendering engine called Mercury. Unlike other manufacturers, Adobe tends to retain the cool names for its products and platforms even after public release. Mercury will utilize the graphics processing power of video cards to expedite the decoding and playback of HD-encoded formats, especially for the Premiere Pro editor. ...

Journey to the Center of the PDF Stream

  • Post author: Omid Farhang
  • Post published: April 3, 2010
  • Reading Time: 2 min
  • Word Count: 302 words

Malware authors use numerous unconventional techniques in their attempts to create malicious code that is not detected by antivirus software. As malicious code analysts, though, it is our job to analyze their creations, and as such we have to be constantly vigilant for the latest tricks that the malware authors employ. While looking at some PDFs yesterday, something suspicious caught my eye. The PDF file format supports compression and encoding of embedded data, and also allows multiple cascading filters to be specified so that multi-level compression and encoding of that data is possible. The PDF stream filters usually look something like this: ...

Running executables in PDF: it’s a feature

  • Post author: Omid Farhang
  • Post published: March 31, 2010
  • Reading Time: 1 min
  • Word Count: 210 words

Didier Stevens, security professional and blogger, has found a “feature” in the PDF file format that makes it possible to package an executable in a PDF file which will run in Foxit PDF reader or run in Adobe Reader with a bit of social engineering. “With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).” ...

Chrome 5 becomes the Flash browser, integrates plug-in with dev build

  • Post author: Omid Farhang
  • Post published: March 30, 2010
  • Reading Time: 7 min
  • Word Count: 1392 words

With Google owning YouTube, the Internet’s principal delivery system for Flash-based video, it was perhaps inevitable that the company would bundle the Flash plug-in with its Chrome browser. The announcement came today from both Google and the team developing the open source Chromium component on which Chrome is based. The move now officially places Google in contention with proponents of HTML 5, who had held out a glimmer of hope for a non-proprietary, non-plug-in video format for the standard’s new [VIDEO] element. In its blog post today, the Chromium team indirectly blamed the standards process for not having solved what it perceives as the problem of specifying how plug-ins should operate, and credits Mozilla — which makes Firefox — with helping to rectify that issue. ...

Fresh exploit served up with ads

  • Post author: Omid Farhang
  • Post published: March 23, 2010
  • Reading Time: 2 min
  • Word Count: 258 words

Hi folks, One of our researchers recently discovered that the Liberty exploit kit included a fairly new exploit from November 2009 … http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867 . The fact that there was something fairly new in terms of exploits was interesting to start with, but then we looked at the text on the exploit page…. Lehman Brothers?! Coffee Party??!! Holy Activists, Batman!!! It’s politically motivated!!!! Then we looked at the stats page (all these toolkits come with a sophisticated admin page), and saw that the top referrer was ad.yieldmanager.com! Holy Advertisers, Batman! Activists who know how to use exploit kits, _and_ the ad network!!! ...

0day vuln in Adobe Download Manager disclosed

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 1 min
  • Word Count: 127 words

First, make a note: after Adobe updates, restart your machine immediately to remove the Adobe Download Manager – it can be a vector for malcode. Now, back to our story. Aviv Raff has discovered a vulnerability with Adobe’s web site in combination with its Download Manager, an ActiveX script that is used to download updates for Reader and Flash. After a Reader or Flash update the download manager remains running on a user’s machine until it is rebooted. Malicious operators could exploit it to download their code of choice. ...

Security Advisory, Adobe Reader

  • Post author: Omid Farhang
  • Post published: February 16, 2010
  • Reading Time: 1 min
  • Word Count: 30 words

It’s Fat Tuesday — time for an Adobe Update. Adobe plans to release a security update for Adobe Reader and Acrobat later today. Read Security Advisory APSB10-07 for additional details.
