Adobe Releases Security Updates for Multiple Products

Original release date: June 16, 2015

Adobe has released security updates for Adobe Photoshop Creative Cloud (CC) and Bridge CC to address multiple vulnerabilities. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Adobe Security Bulletins APSB15-12 and APSB15-13 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


New exploit turns Samsung Galaxy phones into remote bugging devices

As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said.

The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, a third-party keyboard app that comes pre-installed on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don't encrypt the executable file, making it possible for attackers in a position to modify upstream traffic—such as those on the same Wi-Fi network—to replace the legitimate file with a malicious payload. The exploit was demonstrated Tuesday at the Black Hat security conference in London by Ryan Welton, a researcher with security firm NowSecure. A video of his exploit is here.

Phones that come pre-installed with the Samsung IME keyboard, as Samsung markets its customized version of SwiftKey, periodically query an authorized server to see if updates are available for the keyboard app or any language packs that accompany it. Attackers in a man-in-the-middle position can impersonate the server and send a response that includes a malicious payload injected into a language pack update. Because Samsung phones grant extraordinarily elevated privileges to the updates, the malicious payload is able to bypass protections built into Google's Android operating system that normally limit the access third-party apps have over the device.

Google extends vulnerability bounties to Android; offers up to $30,000

Google's "Vulnerability Reward Program" has been incentivizing people to report security bugs to the tech giant for its Web services, apps, extensions, Chrome, and Chrome OS for some time now. Today the company announced that it's extending the cash-for-bugs program to its biggest operating system: Android.

The program doesn't cover just any Android device, only new devices that Google is 100% responsible for: Nexus devices that are current and for sale. For now, that means the Nexus 6 and Nexus 9. Google says that this "makes Nexus the first major line of mobile devices to offer an ongoing vulnerability rewards program."

Google will pay researchers not only for bug disclosures—it offers additional reward tiers for test cases submitted with the bug, CTS tests that catch the bug, and AOSP patches that fix the bug. "CTS" is Android's "Compatibility Test Suite," the continually updated battery of tests all devices must pass in order to gain access to the Google Play Store. CTS tests ensure that a device and its software are Android-compatible and free of known vulnerabilities, that platform APIs behave correctly, and that the device follows Google's mandatory (and minimal) UI practices for readability and consistency.