Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book General > General Discussions

Notices

Reply
 
Thread Tools Search this Thread
Old 03-08-2016, 06:52 PM   #1
bookmarked
Addict
bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.bookmarked ought to be getting tired of karma fortunes by now.
 
Posts: 251
Karma: 4188788
Join Date: Nov 2012
Location: US
Device: Kindle 4 NT, Nexus 7, iPod Touch 4, HP TouchPad
ADE Security Update & Security of Old Versions

Today Adobe published a security bulletin and updates for ADE (Adobe Digital Editions). This issue affects "Adobe Digital Editions 4.5.0 and earlier versions" on Windows, Macintosh, iOS and Android. Adobe is categorizing this as a Critical vulnerability ("A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware."), but with a low priority since, unlike Flash and Reader, ADE is not commonly targeted by malware.

Spoiler:
Quote:
Adobe Security Bulletin
Security update available for Adobe Digital Editions

Release date: March 8, 2016

Vulnerability identifier: APSB16-06

Priority: 3

CVE number: CVE-2016-0954

Platform: Windows, Macintosh, iOS and Android
Summary

Adobe has released a security update for Adobe Digital Editions 4.5.0 and earlier versions. This update resolves a critical memory corruption vulnerability that could lead to code execution.
Affected versions
Product Affected version Platform
Adobe Digital Editions 4.5.0 and earlier versions Windows, Macintosh, iOS and Android
Solution

Adobe categorizes this update with the following priority ratings and recommends users update their installation to the newest version:
Product Updated version Platform Priority rating Availability
Windows
3 Download Page
Adobe Digital Editions 4.5.1 Macintosh 3 Download Page
iOS 3 iTunes
Android 3 Playstore

Customers using Adobe Digital Editions 4.5.0 on Windows can download the update from the Adobe Digital Editions download page, or utilize the product’s update mechanism when prompted. Customers using Digital Editions for iOS and Android can download the update from the respective app store.

For more information, please reference the release notes.
Vulnerability Details

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2016-0954).
Acknowledgments

Adobe would like to thank Pier-Luc Maltais of COSIG (CVE-2016-0954) for reporting this issue and for working with Adobe to help protect our customers.


It appears that details on the vulnerability are being withheld until people have a chance to install the updated version of ADE (4.5.1). The CVE database still says this CVE number is "reserved." So, I'm not quite sure if "earlier versions" includes all older versions or just older versions of ADE 4.x.

This brings me to my question. IIRC, many of you have been holding off on upgrading beyond ADE 2.01 because of DRM issues with ADE 3 and newer. If that's correct, what are you doing to protect yourselves from security problems with the older versions?

Adobe doesn't list very many ADE vulnerabilities, Security Bulletins and Advisories - Adobe Digital Editions, but this bulletin shows a vulnerability in ADE 2.01 on Windows and Mac which is fixed in ADE 3. The oldest bulletin listed is for ADE 2.0.0 which is fixed by 2.0.1, so I'm not sure about any problems with 1.7.x.

The only thing I can think of to be safe with older versions is to change the settings in my browsers and operating systems so that ADE doesn't automatically open ACSM, PDF, and epub files. Any other ideas?
bookmarked is offline   Reply With Quote
Old 03-08-2016, 06:55 PM   #2
JSWolf
Resident Curmudgeon
JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.JSWolf ought to be getting tired of karma fortunes by now.
 
JSWolf's Avatar
 
Posts: 54,039
Karma: 50774064
Join Date: Nov 2006
Location: Roslindale, Massachusetts
Device: Kobo Aura H2O, Sony PRS-650, Sony PRS-T1, nook STR, iPad 4, iPhone 5
You are worrying about nothing. I've been using ADE 2.0.1 for a long time and I've never had an issue. I only download ACSM from bookstores and Overdrive. So just stick with 2.0.1and you'll be fine. DO not go with any version later than 2.0.1 or you could possibly be screwed by the DRM.
JSWolf is offline   Reply With Quote
Advert
Old 03-09-2016, 01:08 AM   #3
GeoffR
Wizard
GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.GeoffR ought to be getting tired of karma fortunes by now.
 
GeoffR's Avatar
 
Posts: 3,821
Karma: 19159830
Join Date: Nov 2012
Location: Te Riu-a-Māui
Device: Kobo Glo
Quote:
Originally Posted by bookmarked View Post
The only thing I can think of to be safe with older versions is to change the settings in my browsers and operating systems so that ADE doesn't automatically open ACSM, PDF, and epub files. Any other ideas?
Since it is a vulnerability that allows code to be executed, I would treat every file that ADE opens as if I was running an executable. I.e. don't use it to open books that come from untrusted sources.

I wouldn't rely on retailers/distributors checking whether the books they sell contain malicious code, so that means I would also need to trust the original publisher/creator of the book.
GeoffR is offline   Reply With Quote
Old 03-09-2016, 01:29 PM   #4
Purple Lady
Grand Sorcerer
Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.Purple Lady ought to be getting tired of karma fortunes by now.
 
Purple Lady's Avatar
 
Posts: 5,681
Karma: 16542228
Join Date: Feb 2010
Location: Pennsylvania
Device: Huawei MediaPad M5, LG V30, Boyue T80S, Nexus 7 LTE, K3 3G, Fire HD8
I'm sticking with 2.0.1 because I don't want to worry about the new drm. I don't trust Adobe at all - how do I know there really is a risk? They could be trying to scare people into downloading the new version. Does this bug exist in 2.0.1 or was it introduced in later versions?
Purple Lady is offline   Reply With Quote
Old 03-09-2016, 01:33 PM   #5
DiapDealer
Grand Sorcerer
DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.DiapDealer ought to be getting tired of karma fortunes by now.
 
DiapDealer's Avatar
 
Posts: 21,216
Karma: 115533574
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
I will staunchly refuse to worry about any ADE vulnerabilities. Much easier that way.
DiapDealer is offline   Reply With Quote
Advert
Old 03-09-2016, 02:42 PM   #6
AnemicOak
Bookaholic
AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.AnemicOak ought to be getting tired of karma fortunes by now.
 
AnemicOak's Avatar
 
Posts: 14,376
Karma: 54969924
Join Date: Oct 2007
Location: Minnesota
Device: iPad Mini 4, AuraHD, iPhone XR +
Quote:
Originally Posted by DiapDealer View Post
I will staunchly refuse to worry about any ADE vulnerabilities. Much easier that way.
AnemicOak is offline   Reply With Quote
Old 03-09-2016, 02:52 PM   #7
eschwartz
Ex-Helpdesk Junkie
eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.eschwartz ought to be getting tired of karma fortunes by now.
 
eschwartz's Avatar
 
Posts: 19,326
Karma: 83238367
Join Date: Nov 2012
Location: The Beaten Path, USA, Roundworld, This Side of Infinity
Device: Kindle Touch fw5.3.7 (Wifi only)
Quote:
Originally Posted by DiapDealer View Post
I will staunchly refuse to worry about any ADE vulnerabilities. Much easier that way.
eschwartz is offline   Reply With Quote
Old 03-09-2016, 04:18 PM   #8
Fbone
Is that a sandwich?
Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.Fbone ought to be getting tired of karma fortunes by now.
 
Posts: 7,601
Karma: 92830572
Join Date: Jun 2010
Device: Searching ...
Off topic.

I just received notice my credit card was compromised again! This is the 5th time in less than a year. So, I've long realized that nothing is secure and we are all vulnerable.
Fbone is offline   Reply With Quote
Old 03-09-2016, 06:53 PM   #9
pidgeon92
Wizard
pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.pidgeon92 ought to be getting tired of karma fortunes by now.
 
pidgeon92's Avatar
 
Posts: 3,145
Karma: 8426142
Join Date: Jun 2008
Location: Chicago, IL
Device: Kindle PW2, Kindle Voyage, Kindle DXG, Boox M90, Kobo Aura HD
Quote:
Originally Posted by Fbone View Post
Off topic.

I just received notice my credit card was compromised again! This is the 5th time in less than a year. So, I've long realized that nothing is secure and we are all vulnerable.
I've had this happen three or four times in the last several years. I now have all of my bank apps set to message me whenever any charge hits any of my cards. I get the ding on my Apple watch and iPhone almost immediately when I make a purchase. I did the same with my dad's Mastercard, and it got hit a couple of months ago. I was able to call the issuing bank and cancel the card immediately after receiving notification of a purchase I know he would not have made.
pidgeon92 is offline   Reply With Quote
Old 03-09-2016, 10:40 PM   #10
kovidgoyal
creator of calibre
kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.kovidgoyal ought to be getting tired of karma fortunes by now.
 
kovidgoyal's Avatar
 
Posts: 35,468
Karma: 12737927
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
The standard way to run known insecure software is to run it inside a virtual machine created specifically for it. Make a snapshot of the machine state before the first time you run the software. Then after you finish using the software restore the VM snapshot.

While that is not 100% secure (it's possible for virtual machines to have security bugs allowing code to escape the virtual machine) it does make it much harder for malicious code to cause any damage.
kovidgoyal is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
content server - port forwarding & security kiwipippa Calibre 4 09-17-2011 02:55 PM
iPad BoingBoing: Report: AT&T security breach exposed 114k iPad users kjk Apple Devices 9 06-14-2010 01:09 AM
Security. ruibittencourt Workshop 30 03-05-2009 01:37 AM


All times are GMT -4. The time now is 12:50 PM.


MobileRead.com is a privately owned, operated and funded community.