
Forum Thread: End-Of-Life - but no updates available

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Adobe Systems
And, this specific program:
Adobe Illustrator CS4 14.x

This thread has been marked as locked.
DaleDoc1 End-Of-Life - but no updates available
Member 31st Jan, 2011 16:04
Ranking: 0
Posts: 4
User Since: 31st Jan, 2011
System Score: N/A
Location: US
Hello:

New to Secunia & this forum, so kindly excuse if I am posting in the wrong location (and mods please feel free to move this thread).

My problem seems to be identical to the issue here, but the thread is locked:
https://secunia.com/community/forum/thread/show/66...

Recently installed Secunia PSI 2.0 (latest build).
Scan turned up "EOL" for Adobe Illustrator CS4.
However, when checking for updates from within the program, there are no updates available.

I do know there was a security patch for I CS5 in Dec 2010, but this did not apply to I CS4. As I CS4 is part of the enormous CS4, for which reinstalling is a major PIA, I am reluctant to fix a "false positive" by trying to install a patch that isn't needed.

So, I have not yet tried to apply the patch, for fear of corrupting my CS4 installation.

So, why does PSI flag the program as EOL?

Is there any risk to trying to apply the patch, if it turns out not to be needed?

Please advise, and thank you in advance,

daledoc1



--
Thanks very much!
daledoc1

ddmarshall RE: End-Of-Life - but no updates available
Dedicated Contributor 31st Jan, 2011 16:13
Score: 1212
Posts: 968
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 31st Jan, 2011 16:17
End of Life is Secunia Speak for 'the manufacturer has stopped issuing patches for this product'. I can't point you to an Adobe statement about this; but there have been two CS5 updates since December without corresponding CS4 updates. These are library loading vulnerabilities and it seems unlikely that earlier versions are unaffected.

Trying to apply the CS5 patch to CS4 doesn't sound like a good idea. Use the Microsoft Fixit to block the load library vulnerability http://support.microsoft.com/kb/2264107

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+2
-0
DaleDoc1 RE: End-Of-Life - but no updates available
Member 31st Jan, 2011 16:46
Score: 0
Posts: 4
User Since: 31st Jan 2011
System Score: N/A
Location: US
Hello, ddm:

Thanks for your quick & helpful reply.

I saw that link to the MS KB article in the other thread, but, frankly, the steps looked a bit too complicated for me, esp. since I am squeamish reg edits (which I seem to recall it might have required).

Since I really don't use Illustrator at all, I think I will probably just "ignore" this particular vulnerability for now.
I hope to persuade my boss to allow me to upgrade my CS4 to CS5 soon, anyway.

BTW, as per the OP on the other thread about this, I don't find any indication that CS4 is truly EOL, and, as recently as a few months ago, they were still publishing patches for the many CS4 components (most often Acrobat, of course).
(I follow them at: http://blogs.adobe.com/psirt/)

Anyway, I do appreciate your most helpful advice.
I will look over that MS KB article and bookmark it, just in case.

I learned about PSI at another forum and have already recommended it to several folks.

Thanks very much!



--
Thanks very much!
daledoc1
Was this reply relevant?
+0
-0
ddmarshall RE: End-Of-Life - but no updates available
Dedicated Contributor 31st Jan, 2011 17:19
Score: 1212
Posts: 968
User Since: 8th Nov 2008
System Score: 98%
Location: UK
KB2264107 was pushed out with the January 11 security updates. To activate it you now just have to click the Fix-it-for-me button in the support article.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
tsimmons RE: End-Of-Life - but no updates available
Member 5th Feb, 2011 21:43
Score: 0
Posts: 2
User Since: 3rd Jun 2010
System Score: N/A
Location: US
Will applying the MS fix unflag it in PSI 2.0 or will PSI still flag it as a vulnerability?

Thanks &
Cheers,

Toby
Was this reply relevant?
+0
-0
ddmarshall RE: End-Of-Life - but no updates available
Dedicated Contributor 5th Feb, 2011 23:51
Score: 1212
Posts: 968
User Since: 8th Nov 2008
System Score: 98%
Location: UK
PSI will still flag it as vulnerable as nothing has changed in the application. The Microsoft workaround just changes the directories that Windows searches to find a DLL when the full path to the directory is not given. This prevents the exploitation of the vulnerability.

For End-of-life programs, consider using EMET http://www.microsoft.com/downloads/en/details.aspx... to prevent exploitation of vulnerabilities.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+1
-0
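The search-order change ddmarshall describes, as an added example (not part of the thread and not Microsoft's code): a simplified Python model of the DLL search order with SafeDllSearchMode on, and of the `CWDIllegalInDllSearch` values from KB2264107 for an application started from a local folder. The function names, paths and `helper.dll` are constructed for illustration.

```python
# Simplified model (added example): directories Windows searches for a DLL
# requested by bare name, and how CWDIllegalInDllSearch changes that list.
# Assumption: covers only an application started from a local folder.
from enum import Enum

class CwdKind(Enum):
    LOCAL = "local"
    UNC = "unc"        # remote SMB share
    WEBDAV = "webdav"

REMOVE_CWD = 0xFFFFFFFF  # value that drops the current directory entirely

def cwd_allowed(setting, cwd_kind):
    """Return True if the current directory stays in the search order."""
    if setting == REMOVE_CWD:
        return False
    if setting == 1:                      # block only WebDAV working dirs
        return cwd_kind is not CwdKind.WEBDAV
    if setting == 2:                      # block any remote working dir
        return cwd_kind is CwdKind.LOCAL
    return True                           # 0 or value absent: default

def search_order(app_dir, cwd, cwd_kind, path_dirs, setting=0):
    """Search order with SafeDllSearchMode enabled (the Windows default)."""
    order = [app_dir, r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
    if cwd_allowed(setting, cwd_kind):
        order.append(cwd)
    order.extend(path_dirs)
    return order

def resolve(dll, present, **kw):
    """First directory in the search order that holds `dll`, else None."""
    for d in search_order(**kw):
        if (d, dll.lower()) in present:
            return d
    return None

# Constructed sample: a document opened from a share makes the share the CWD.
SAMPLE = dict(app_dir=r"C:\Program Files\ExampleApp",
              cwd=r"\\fileserver\projects", cwd_kind=CwdKind.UNC,
              path_dirs=[r"C:\Tools"])
PRESENT = {(r"\\fileserver\projects", "helper.dll")}  # only copy is on the share

if __name__ == "__main__":
    for s in (0, 1, 2, REMOVE_CWD):
        print(hex(s), resolve("helper.dll", PRESENT, setting=s, **SAMPLE))
```

The application binary is identical in every case, which is why a file-version scanner such as PSI keeps reporting it: only the operating system's lookup behaviour differs.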
