1 Reply Latest reply on Feb 16, 2010 11:07 PM by Skullmaker

    Security of Security Bulletin Update APSB10-01

    stevespence@msn.com

      I'm afraid that I don't use Illustrator that often, so when I saw this bulletin (http://www.adobe.com/support/security/bulletins/apsb10-01.html), I put off doing anything about it until today.  When I went to go through the process, several things surprised me:

       

      • Why wasn't this handled through the regular update process?  Was it because of the need to delete preferences?
      • There is no way to authenticate/validate/verify the file.  Specifically, neither the downloadable zip file nor the mss.dll file itself was digitally signed and no md5 or sha sums were posted to allow you to make sure the file had not been tampered with.

       

      Given that the whole point of the bulletin was to patch AI to close a hole allowing the possibility of "arbitrary code execution" by someone with malicious intent, isn't it strange not to provide a way of making sure that you aren't going to actively install malicious code yourself, particularly since you have to have administrator rights to do the installation?

       

      Please tell me what I'm missing or how I can pass this concern on to the good people at Adobe.  Installing un-authenticated code downloaded from a link on a web page makes my skin crawl!

       

      Thank you.
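
The two checks the post above asks for, as an added example that is not part of the original post and is not Adobe's code: comparing the downloaded zip with a digest obtained out of band, and testing whether a PE file such as mss.dll carries an Authenticode certificate table at all. The function names, the published SHA-256 (the post says none was posted) and the sample archive are assumptions constructed for the illustration.

```python
import hashlib, io, struct, zipfile

def has_authenticode_table(pe: bytes) -> bool:
    """Presence check only: does the PE security directory (index 4) point at
    a certificate table? It does not validate the signature or its chain."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return False
    (nt,) = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    opt = nt + 24                                         # optional header
    if pe[nt:nt + 4] != b"PE\0\0" or len(pe) < opt + 2:
        return False
    base = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", pe, opt)[0])
    if base is None or len(pe) < opt + base + 40:
        return False
    (count,) = struct.unpack_from("<I", pe, opt + base - 4)
    offset, size = struct.unpack_from("<II", pe, opt + base + 32)
    return count > 4 and offset != 0 and size != 0

def audit_archive(zip_bytes: bytes, published_sha256: str) -> dict:
    """Check the archive against a digest obtained out of band, then list
    each member's SHA-256 and whether it carries a signature table."""
    digest = hashlib.sha256(zip_bytes).hexdigest()
    report = {"archive_ok": digest == published_sha256.lower(), "members": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            report["members"][name] = {"sha256": hashlib.sha256(data).hexdigest(),
                                       "signed": has_authenticode_table(data)}
    return report

def build_sample_zip(signed: bool) -> bytes:
    """Constructed input: a zip holding a minimal PE32 header named mss.dll
    (not a loadable DLL), with or without a security directory entry."""
    pe, opt = bytearray(0x200), 0x80 + 24
    pe[:2], pe[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x80)                # e_lfanew
    struct.pack_into("<H", pe, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", pe, opt + 92, 16)              # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", pe, opt + 128, 0x180, 0x40)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("mss.dll", bytes(pe))
    return out.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip(signed=False)
    print(audit_archive(sample, hashlib.sha256(sample).hexdigest()))
```

A `signed` value of True means only that a certificate table is present; whether the signature is valid and chains to the expected publisher still has to be checked with the operating system's own verifier, for example `Get-AuthenticodeSignature` or `signtool verify` on Windows.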