Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: end-of-life

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Adobe Systems
And, this specific program:
Adobe Illustrator CS4 14.x

This thread has been marked as locked.
quickjaw end-of-life
Member 6th Dec, 2010 19:21
Ranking: 0
Posts: 2
User Since: 27th Apr, 2009
System Score: N/A
Location: N/A
Last edited on 6th Dec, 2010 19:21

I have a problem with Adobe Illustrator CS4 and I'm not sure how to proceed.

Secunia is reporting it as end-of-life (which I find hard to believe) with the installation Path

C:\Program Files\Adobe\Adobe Illustrator CS4\Support Files\Contents\Windows\Illustrator.exe

The Extra information deals with an entirely different file - MPS.dll

-----
Extra Information / Known Issues with Adobe Illustrator CS4
In order to install the latest patch, please follow these instructions from adobe:
http://www.adobe.com/support/security/bulletins/ap...
-----

This is also the file that is downloaded after clicking the Download Solution Button.

That patch has already been applied - and I can find no information on the adobe site.

Any Thoughts, suggestions?

Jay Charland
jay@wcr.ab.ca

mogs RE: end-of-life
Expert Contributor 6th Dec, 2010 20:04
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Hello.
Don't know what version of psi you are using. Tho' Secunia is showing the program as End of Life......is there another entry in the Patched tab ? Very often the older version/file is not automatically removed and psi will continue to detect....even if in the Recycle bin.
Hope this helps......regards,

--
Was this reply relevant?
+0
-0
Anthony Wells RE: end-of-life
Expert Contributor 6th Dec, 2010 20:34
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 6th Dec, 2010 20:57
Hello Jay ,

Here is the last "unpatched/not fully patched" Secunia Advisory for Illustrator CS4 which has just been updated as of 06/12/2010 and states the need to update to version 15.0.2 :-

http://secunia.com/advisories/41134/

If Adobe have not got a 15.0.2 for I CS4 and have decided to make "it end of life" then it (I CS4) will stay un-patched and insecure .

The link in your thread is for a I CS4 version 14.0.0 patch dating to 07/01/2010 and probably not relevant provided it has been applied in the past .

Here is a list off all I CS4 SA's since 2003 :-

http://secunia.com/advisories/product/28054/?task=...

and with 41134 highlighted .

The only safe option would appear to be to update to I CS5 15.0.2 .

Does that explain things for your system .

Anthony

PS : I believe this type of vulnerability can be mitigated using this M$ tool :-

http://www.microsoft.com/downloads/en/details.aspx...

ddmarshall is the expert in this field , hopefully he might comment here ; this is an earlier thread from him on the subject :-

http://secunia.com/community/forum/thread/show/538...



--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
ddmarshall RE: end-of-life
Dedicated Contributor 6th Dec, 2010 21:08
Score: 1211
Posts: 965
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 6th Dec, 2010 21:10
I've not seen anything about support for CS4 ending but Secunia should be better informed than I am.

There was a security update to CS5 last week without a corresponding update to CS4 and CS3. This was identified as a library-loading vulnerability. If the same issue affects CS4, it can be mitigated with KB2264107:
http://support.microsoft.com/kb/2264107 .

EMET is always worth experimenting with.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
Anthony Wells RE: end-of-life
Expert Contributor 6th Dec, 2010 21:24
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Thanks , ddm . An upgrade from I CS4 to 5 is about 200 bucks , so I'm sure Jay will value your advice .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
Timma.Ampler RE: end-of-life
Member 6th Dec, 2010 22:17
Score: 0
Posts: 1
User Since: 6th Dec 2010
System Score: N/A
Location: US
Try to off your anti-virus software.
The problem is that the bulk of the population using the anti-virus software will see a vulnerability listed ten times, when there is only a real vulnerability once (for Illustrator). An order of magnitude more false positives than true positives in the alerting. Or, if the patch has already been applied (so Illustrator's MPS.dll file is no longer a threat), KAV will presumably not identify Illustrator's MPS.dll file as a threat, then falsely alert users about nine other MPS.dll files. It encourages people to ignore these warnings altogether as rarely being real.
Was this reply relevant?
+0
-0
mogs RE: end-of-life
Expert Contributor 7th Dec, 2010 09:18
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK

Thought the following might be of interest :-

Binary Planting Vulnerability Fixed in Adobe Illustrator CS5

December 6th, 2010, 16:48 GMT| By Lucian Constantin



A security and stability update has been released for Adobe Illustrator CS5, fixing a DLL preloading vulnerability which could be exploited to execute arbitrary code.

Also known as DLL hijacking, binary planting or DLL side loading, this type of vulnerability stems from the use of an insecure search path by some library loading functions.

When a DLL is called by a program without specifying its full path, the operating system automatically searches for it in a series of predefined places in order.

The DLL call usually happens when a particular action is performed in the program, such as opening a certain file, and in many cases, the working directory takes precedence in the search path.

This type of weakness began being publicly discussed a few months back and hundreds of applications, including some of the most popular ones, were deemed vulnerable.

Some of them called a Vista or 7-only DLL when running on Windows XP, which allowed for a rogue file with the same name to be placed in the working dir and get executed.

Since files can be loaded directly from network shares or WebDAV resources, this arbitrary code execution condition also has a remote attack vector.

The vulnerability in Adobe Illustrator CS5 is identified as CVE-2010-3152 and Adobe rates it as “important.” Users of Illustrator CS 15.0.1 or earlier are strongly advised to install the 15.0.2 update as soon as possible.

In addition to the security content, this update contains a series of other bug fixes as well. These are as follows:

- PSD files lose saturation of spot colors when imported into AiCS5
- Performance problems when guides are set to dot
- Acrobat 10 documents with passwords fail to open
- Improved precision with DXF import
- Links are broken in legacy formats when image name contains Japanese characters for voiced sound marks
- Rounded Corner Edges that curved inside flipped to curve outside
- Non-Specific Crash when opening or closing files

Adobe Illustrator CS5 15.0.2 update can be downloaded from here.
See here :-
http://news.softpedia.com/news/Binary-Planting-Vul...

--
Was this reply relevant?
+1
-0

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer