The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Microsoft Malware Protection Engine Update: Microsoft has pushed out an update to its Malware Protection Engine. The update addresses a vulnerability that could allow a user with limited privileges to elevate those privileges and take full control of a vulnerable computer. The Microsoft Malware Protection Engine is a part of several Microsoft anti-malware products; the update to the Microsoft Malware Protection Engine is installed along with the updated malware definitions for the affected products. Readers following the recommended procedure of having Microsoft’s auto-updates turned on need take no additional action as the update will be automatically installed. Auto-update settings can be checked in the Control Panel.
WordPress Updates: WordPress has released version 3.1 which patches a number of security vulnerabilities. Several WordPress plugins have also been updated. Readers with websites developed using this popular content management system will want to alert their web developers to upgrade WordPress and also make sure they are running the most recent plugins.
Important Vulnerabilities.
CA Internet Security Suite: Highly critical security vulnerabilities have been found in versions 6.x and 7.x of this popular all-in-one security program. These vulnerabilities can be exploited remotely by malicious people to take remote control of a user’s system. CA has not announced a patch for this program. CA did release an upgrade to version 8.x of its corporate Host-Based Intrusion Prevention System—which suffered from similar vulnerabilities—leading one to suspect that CA will soon have an upgrade to its Internet Security Suite.
Internet Explorer 8.x: We continue to consider Internet Explorer 8.x unsafe for browsing. IE8 has been on our vulnerability list since January 28 and is likely to remain there until Patch Tuesday, March 8.
Apple Safari 5.x: A vulnerability in Safari 5.x first identified last June continues unpatched. We continue to consider Safari unsafe for browsing.
Microsoft Office: The critical vulnerabilities in Microsoft products including Office, Excel, and PowerPoint remain unpatched.
AOL: The zero-day vulnerability in the way AOL handles Rich Text Files remains unpatched.
HTC Mobile Devices: The security issues in the default Twitter application (Peep) in HTC products remain unpatched.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Sun Java: Sun has released a new version of its Java program. The update contains 21 security fixes including the ones we wrote about last week. Windows users can get the update by clicking the Update tab from the Java entry in the Windows control panel (classic view). Mac users will need to wait until Apple releases a separate update to fix these flaws on OS X because the company maintains its own version of Java.
Since Java is a favorite target for cyber criminals and is rarely needed, you might want to consider removing or disabling it. You can always reinstall it if you discover you need it. (To get an idea of just how bad Java is, see Brian Krebs’ many stories on his blog, KrebsOnSecurity.)
You can remove Java by clicking on “Programs and Features” in the classic Control Panel or “uninstall a program” in Control Panel Home. You can also disable Java in Firefox by going to “Tools/Add-Ons/Plugins.” Since Firefox is my default browser, this is what I’ve done.
Important Vulnerabilities.
Internet Explorer 8.x: We continue to consider Internet Explorer 8.x unsafe for browsing. IE8 has been on our vulnerability list since January 28 and is likely to remain there until Patch Tuesday, March 8.
Apple Safari 5.x: A vulnerability in Safari 5.x first identified last June continues unpatched. We continue to consider Safari unsafe for browsing.
Microsoft Office: The critical vulnerabilities in Microsoft products including Office, Excel, and PowerPoint remain unpatched.
AOL: The zero-day vulnerability in the way AOL handles Rich Text Files remains unpatched.
HTC Mobile Devices: The security issues in the default Twitter application (Peep) in HTC products remain unpatched.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Last April, CIA Director Leon Panetta warned that the US’s next ‘Pearl Harbor’ would be in the form of a cyber attack. The Sacramento Times reported Panetta as saying: “The next Pearl Harbor is likely to be a cyber attack going after our grid…and that can literally cripple this country…” and that cyber terrorism is “a whole new area of threat.”
The risk Mr. Panetta speaks of is real. Several countries have already been victims of cyber attack. A few years ago, commerce in Estonia (one of the most Internet-wired countries in the world) ground to a halt, the result of a massive distributed denial of service (DDOS) attack. Russia shut down the infrastructure of Georgia before its invasion a few years ago.
The recent Stuxnet attack on Iranian nuclear processing facilities demonstrates our own Government’s willingness to conduct cyber warfare on those who threaten us.
Even as many information systems security professionals are working diligently to prevent cyber terrorist attacks, the sad truth is that too many of our communities are unnecessarily vulnerable to cyber terrorism. The sky is not falling, but storm clouds are gathering and we are too unprepared.
Our chapter of the international Information Systems Security Association launched our Community Outreach Program to do something about the problem. ISSA-LA provides cyber security leadership to the Los Angeles community, mobilizing our business and community leaders to take the management actions necessary to secure our systems from cyber terrorist attack.
Our Board speaks on cyber security to CPA Societies, Bar Associations, Rotary Clubs and just about any one else who will listen as we actively work to make sure a cyber terrorist attack doesn’t happen on our watch.
We are currently planning our third annual Information Systems Security Summit on June 15, designed to foster dialogue between our business & community leaders and the IT & information systems security professionals responsible for day-to-day cyber security. Speakers include cyber security superstars like Steve Lipner, Gene Schultz and Marc Maiffret, along with noted LA community leader Carl Terzian.
I encourage information security and IT professionals to attend our our evening meeting on March 16th which will feature a presentation on Stuxnet by Liam Murchu, Manager of Security Response Operations for North America with Symantec. Mr. Murchu is one of the world’s foremost authorities on Stuxnet (outside of the government cyber warriors who responsible for it). I hope to see you there!
The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.
Microsoft Patch Tuesday: Microsoft has issued a dozen updates addressing at least 22 security vulnerabilities in Microsoft Windows, Internet Explorer, and Office. These vulnerabilities—5 of which were designated “critical”—would allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information or operate with elevated privileges. Readers can check on the updates by clicking on “Security: Check for Updates” in the Windows Control Panel.
Adobe Reader & Acrobat: Adobe has released updates for Reader and Acrobat to address upwards of 25 vulnerabilities. These vulnerabilities would allow a cyber criminal to take control of a user’s computer. These vulnerabilities affect the following software versions:
At this time, updates are available only for the Windows platform. Adobe indicates that it plans to release updates for Macintosh and Unix the week of February 28, 2011. These programs are updated from inside their respective programs. Information from Adobe is available here.
Adobe Flash 10.2.152.26. Adobe has updated its Flash Player to address multiple vulnerabilities in Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities would allow a cyber criminal to take control of a user’s computer. The update is available here.
RealPlayer 14.0.2: RealNetworks has released security updates to address a vulnerability affecting Windows RealPlayer versions 14.0.1 and earlier (along with RealPlayer Enterprise versions 2.1.4 and earlier). Exploitation of this vulnerability may allow an attacker to execute arbitrary code in the context of the browser. This vulnerability would allow a cyber criminal to take control of a user’s computer. The update is available here.
Google Chrome 9.0.597.95: Google has updated its Chrome browser to address multiple vulnerabilities that would allow a cyber criminal to take control of a user’s computer. The update is available here.
WordPress Version 3.0.5: WordPress has released WordPress 3.0.5 to address multiple vulnerabilities. These vulnerabilities would allow a cyber criminal to obtain sensitive information in back-end databases. Readers whose web site is programmed in the popular WordPress should alert their web masters to upgrade. More information is available from WordPress here.
Important Vulnerabilities.
Sun Java: A vulnerability has been reported in Java, which can be exploited by malicious people to cause a DoS (Denial of Service) problem. While no patch is currently available, a technical fix to this problem is available through Oracle’s FPUpdater Tool available here. The vulnerability is reported in the following products:
Microsoft Office: Several new critical vulnerabilities have been found in Microsoft products including Office, Excel, and PowerPoint. Both Office 2003 and Office 2007 versions are affected. No patches are available at this time.
HTC Mobile Devices: An unpatched security issue in multiple HTC products has been discovered which can be exploited by malicious people to disclose potentially sensitive information. The issue is in the default Twitter application (Peep) running on the following HTC devices:
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer’s computers.
The Weekend Vulnerability and Patch Report is intended to raise user awareness to cyber security challenges by alerting them to some of the week’s important updates and newly discovered vulnerabilities. It is not intended to be a thorough listing of these.
The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.
Google Chrome 9: The same week that multiple highly critical vulnerabilities were reported in Google Chrome 8, Google released version 9. Readers can update here.
VLC Media Player 1.1.7: VLC has updated its popular media player to version 1.1.7. This follows our reports last month of unpatched critical vulnerabilities in version 1.1.5 and the discovery of a highly critical vulnerability in version 1.1.6.1. The update is available here.
Advance Update Notices.
Microsoft: Microsoft has issued a Security Bulletin Advance Notification that its February release will contain 12 bulletins. Three of these bulletins will have the severity rating of critical and will be for Microsoft Windows and Internet Explorer. The remaining bulletins will have a severity rating of important and will be for Microsoft Windows and Office. Release of these updates is scheduled for Tuesday, February 8, 2011.
Adobe: Adobe had issued a prenotification advisory indicating that it plans to release updates for Adobe Reader and Acrobat. Updates for Windows and Macintosh will be available on February 8, 2011. An update for UNIX will be available the week of February 28, 2011.
Important Vulnerabilities.
AOL: A zero-day vulnerability has been found in the way AOL handles Rich Text Files. The vulnerability allows a cyber criminal to take control of a user’s computer by inducing the user to open a specially formatted Rich Text File. There is no patch for this vulnerability at this time. AOL users should not open Rich Text Files sent in email or downloaded from the web unless the user has independent verification [such as a phone call with the sender] that the file is OK.
Microsoft Internet Explorer: We still consider Internet Explorer not secure for browsing the web. [See our Reports of Dec 31 and Jan 28.]
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer’s computers.
The Weekend Vulnerability and Patch Report is intended to raise user awareness to cyber security challenges by alerting them to some of the week’s important updates and newly discovered vulnerabilities. It is not intended to be a thorough listing of these.