SANS ISC: December 2011 Adobe Black Tuesday - SANS Internet Storm Center SANS ISC InfoSec Forums

December 2011 Adobe Black Tuesday

As expected, Microsoft wasn't alone in issuing patches today. Adobe also released two bulletins, affecting Flex and ColdFusion. Both bulletins affect developer and server components, not commonly used client software.

APSB11-25: Cross Site Scripting issue in Flex SDK

The Adobe Flex SDK is used to create Flash applets for web applications. The vulnerability fixed in this bulletin could lead to cross-site scripting problems in these applications.

APSB11-29: Cross Site Scripting in ColdFusion

ColdFusion is a web application platform that may be hosted on Windows, Unix or OS X. This "hot fix" addresses a cross-site scripting vulnerability in applications created with ColdFusion.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute



ISC Handler
Dec 13th 2011
Three notes:
* APSB11-25 was released on November 30. I was wondering for a while what was going to be in that bulletin, since it was released long after APSB11-26 (Sept 21), -27 (Nov 8), and -28 (Nov 10).
* We still haven't seen the Adobe Reader/Acrobat 9.4.7 update that should be out sometime this week.
* Still no word on the Flash 0-day.
