The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Apple iOS 4.3: Apple has released iOS 4.3 for the iPhone and iPad. While primarily designed to support the iPad 2, the update also fixes several security vulnerabilities. The update is available through iTunes.
Apple Java Updates for Mac OS X 10.5 and OS X 10.6: Apple Java Update for Mac OS X 10.5 Update 9 and Java for Mac OS X 10.6 Update 4 address multiple critical security vulnerabilities. These vulnerabilities allow a cyber criminal to take control of a victim’s computer. Updates can be downloaded here.
Apple Safari 5.0.4: Apple has released an update to Safari that addresses more than 40 vulnerabilities, many of them critical. The update is available from Apple here. However, a review of Apple’s description of the update gives no indication that it patches the specific vulnerability that causes us to describe Safari as “unsafe for browsing” (see below).
Apple TV 4.2: Apple has released version 4.2 to correct multiple vulnerabilities in Apple TV. Information on the update is available here. Update instructions are available here.
Google Chrome 10.0.648.127: Google has updated its Chrome browser. The new release fixes 23 identified security vulnerabilities, 15 of which are critical. Information about the update is available here. The update is available from Google here.
Microsoft Patch Tuesday Updates: Microsoft has released updates to fix at least four security vulnerabilities in Windows, Office and other products, including a critical vulnerability in its Media Player / Media Center. Microsoft did not patch the critical vulnerability in Internet Explorer 8 (see below). Readers can check that updates have been installed through the Security Center which can be accessed through the Control Panel.
Special Cyber Security Warnings
Tsunami Scam Warning: US-CERT is warning Internet users to be cautious of potential email scams, fake antivirus and phishing attacks regarding the Japan earthquake and tsunami disasters. Scam emails may contain links or attachments that direct users to phishing or malware-laden websites. Phishing emails and websites requesting donations for bogus charitable organizations commonly appear after these types of natural disasters.
Rogue AntiVirus through Skype: Brian Krebs writes on his blog, KrebsOnSecurity.com, that “a few of his readers have written, saying that they recently received Skype phone calls urging them to download and install a system update for Microsoft Windows. Users who visit the recommended site are bombarded with the same old scareware prompts that try to frighten them into purchasing worthless security software. Scareware scams are nothing new to Skype: They have spread for some time now over the instant message client built into Skype, but this is the first I’ve heard of rogue anti-virus peddlers resorting to robocalls via Skype to spread their junk software.”
Important Unpatched Vulnerabilities
PDF-Pro: Several highly critical vulnerabilities have been found in PDF-Pro, a popular alternative to Adobe Acrobat. These vulnerabilities would allow a cyber criminal to take control of a user’s computer. The vulnerabilities are confirmed in version 4.0.1.758. Most are also confirmed in version 4.5.2.1321. Other versions may also be affected. We urge readers to refrain from opening untrusted PDF files using PDF-Pro.
CA Internet Security Suite: Highly critical security vulnerabilities have been found in versions 6.x and 7.x of this popular all-in-one security program. These vulnerabilities can be exploited remotely by malicious people to take control of a user’s system. CA has not announced a patch for this program. CA did release an upgrade to version 8.x of its corporate Host-Based Intrusion Prevention System, which suffered from similar vulnerabilities, leading one to suspect that CA will soon have an upgrade to its Internet Security Suite.
Internet Explorer 8.x: We continue to consider Internet Explorer 8.x unsafe for browsing. IE8 has been on our vulnerability list since January 28 and was not patched in this week’s Patch Tuesday.
Apple Safari 5.x: A vulnerability in Safari 5.x first identified last June continues unpatched. We continue to consider Safari unsafe for browsing.
AOL: The zero-day vulnerability in the way AOL handles Rich Text Files remains unpatched.
HTC Mobile Devices: The security issues in the default Twitter application (Peep) in HTC products remain unpatched.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they issue an update (a patch) to fix the code running on their customers’ computers.
Citadel publishes its Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computers. The report is not intended to be a thorough listing of updates and vulnerabilities.