The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Symantec Backup Exec: A weakness has been reported in Symantec Backup Exec products, which can be exploited by malicious people to bypass certain security restrictions. Update or upgrade to Symantec Backup Exec 2010 R3.
IBM Lotus Notes: Highly critical vulnerabilities have been reported in IBM Lotus Notes. Remote exploitation of a stack buffer overflow vulnerability could allow an attacker to execute arbitrary code in the context of the current user. The vulnerabilities are reported in versions 8.0 and 8.5. IBM has released patches and workarounds to address this vulnerability. For more information, consult their advisory at https://www-304.ibm.com/support/docview.wss?uid=swg21500034.
Google Chrome: Several more highly critical vulnerabilities have been reported in Google Chrome. Update to version 11.0.696.71. You can find a full list of fixes that are in Chrome OS R12 in the chromium-os bug tracker.
Newly Announced Unpatched Vulnerabilities (Zero-Days)
None
Special Cyber Security Warnings
Apple Users Scareware Scams: Since the beginning of May, security firms have been warning Apple users to be aware of new scareware threats like MacDefender and Mac Security.
Important Unpatched Zero-Day Vulnerabilities
Apple iOS: Our research still fails to determine if iOS 4.3.2 fixes the critical vulnerability identified during the recent “computer hacking” Pwn2Own competition. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, May 13, 2011.
Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.
HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, March 4.
SlimPDF Reader: A moderately critical zero-day vulnerability has been discovered in this PDF reader. No patch is available at this time. Readers are advised to refrain from opening PDF files in this reader from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, May 20, 2011.
VLC Media Player: Several highly critical zero-day vulnerabilities in VLC Media Player version 1.1.9 remain unpatched. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, May 6.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Small firms learn size doesn’t matter to hackers: Dr. Stahl is quoted in this story about the cyber security risks threatening small and medium sized businesses. The LA Times, May 23, 2011
Bank of America data leak destroys trust: Andrew Goldstein has been a Bank of America customer for more than four decades. He’s grown up with the bank, trusted it, relied on it to be there for him through thick and thin. So it was with more than a little shock that Goldstein, 60, learned the other day that a BofA employee apparently leaked confidential information about his and hundreds of other customers’ accounts to scammers, resulting in more than $10 million in losses. The LA Times, May 24, 2011
LinkedIn site has security vulnerabilities – expert: (Reuters) – LinkedIn’s professional networking website has security flaws that make users’ accounts vulnerable to attack by hackers who could break in without ever needing passwords, according to a security researcher who identified the problem. Reuters, May 23, 2011
Phishing Attacks Keep Proliferating: How to Recognize Them: In light of recent data breaches, compromised companies and security experts have warned users to be vigilant about phishing attacks as cyber-thieves try to trick users into giving up sensitive information, such as bank account numbers, log-in credentials and credit card numbers. eWeek, May 23, 2011
Insider data theft costs Bank of America $10 million: A Bank of America insider who sold customer data to criminals cost the bank at least US$10 million in losses. Computer World, May 25, 2011
Latest hack on PBS news site is the best hack ever: Check off the main news website for the Public Broadcasting System, PBS NewsHour, as the latest victim of a hacking attempt that has interrupted the site’s main activity. Media Beat, May 29, 2011
Internet Explorer Flaw Lets Hackers Into the Cookie Jar: Security researcher Rosario Valotta has apparently discovered a vulnerability in Microsoft’s Internet Explorer that could be used to install malware and forge clicks. The so-called cookiejacking attack involves figuring out the victim’s Windows username, knowing which version of Windows the victim is running and tricking the user into selecting the entire content of the stolen cookie. Tech News World, May 27, 2011
Data Breach at Security Firm Linked to Attack on Lockheed: Lockheed Martin, the nation’s largest military contractor, has battled disruptions in its computer networks this week that might be tied to a hacking attack on a vendor that supplies coded security tokens to millions of users, security officials said on Friday. New York Times, May 27, 2011
Computer hackers breach Honda customer databank: The personal information of hundreds of thousands of Honda and Acura customers may have been compromised by a security breach of the automaker’s computer systems. Ottawa Citizen, May 27, 2011
Senate debates president’s power during cyber-attack: Senators squared off with Obama administration officials Monday about plans to give the president emergency powers to protect vital U.S. electronic networks from attacks by hackers, cyberterrorists and foreign governments. The Washington Times, May 23, 2011
‘Digital ants’ check networks for viruses: Wake Forest University professor Errin Fulp is training an army of ‘digital ants’ designed to patrol the power grid and protect it from viruses. TG Daily, May 30, 2011
The U.S. Draws a Line in the Silicon: In the days immediately after 9/11, the U.S. sent tanks to surround the Federal Reserve Bank of New York and protect it from potential threats. In its basement is the largest depository of gold in the world, worth some $300 billion, almost all owned by foreign governments. The Fed’s gold has only ever been stolen in the movies. The Wall Street Journal, May 23, 2011
Russian Company Cracks IOS 4 Hardware Encryption: Having cracked Apple iPhone backups last year, Russian security company ElcomSoft appears to have found a reliable way to beat the layered encryption system used to secure data held on the smartphone itself. PC World, May 25, 2011
Google moves fast to plug Android Wi-Fi data leaks: Google today confirmed that it’s starting to roll out a server-side patch for a security vulnerability in most Android phones that could let hackers snatch important credentials at public Wi-Fi hotspots. Mac Video, May 24, 2011
The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Moodle: Some vulnerabilities have been reported in Moodle, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks. Update to version 1.9.12 or 2.0.3.
WordPress: A highly critical vulnerability has been discovered in the is_human() plugin for WordPress, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is confirmed in version 1.4.2 and other versions may also be affected. No patch is available at this time.
Special Cyber Security Warnings
Mississippi Flooding Disaster Email Scams, Fake Antivirus, and Phishing Attack Warning
Users should be aware of potential email scams, fake antivirus, and phishing attacks regarding the Mississippi flooding disaster. Email scams may contain links or attachments that may direct users to phishing or malicious websites. Fake antivirus attacks may come in the form of pop-ups that flash security warnings and ask the user for credit card information. Phishing emails and websites requesting donations for bogus charitable organizations commonly appear after these types of natural disasters. http://www.us-cert.gov/current/#mississippi_flooding_disaster_email_scams
Newly Announced Unpatched Vulnerabilities (Zero-Days)
None
Important Unpatched Zero-Day Vulnerabilities
Adobe Flash: Adobe has updated its Flash player to version 10.3.181.14 to correct 11 vulnerabilities, many of which are highly critical. Updates may be found here. If you run multiple browsers, including IE, then you may have to install the update in each browser separately.
Google Chrome: Google has updated Google Chrome to version 11.0.696.68 to correct multiple, highly critical vulnerabilities. The update may be found here.
Microsoft Office: Microsoft has updated Office to correct two highly critical vulnerabilities in PowerPoint. The update can be installed from the Security Section of the Windows Control Panel.
Microsoft Office for Mac: A highly critical vulnerability had been discovered in Microsoft Office for the Mac which could be exploited by cyber criminals to take control of a user’s computer.
Microsoft Windows: Microsoft has updated Windows to correct a moderately critical vulnerability. The update can be installed from the Security Section of the Windows Control Panel.
Skype for Mac: Skype has updated its Mac program to version 5.1.0.922 to correct a moderately critical vulnerability. The update is available here.
SlimPDF Reader: A moderately critical vulnerability had been discovered in this PDF reader. Readers are advised to refrain from opening PDF files in this reader from untrusted sources.
Today’s edition of the LA Times features Stan Stahl of Citadel describing the increasing risk of cyber attack to small and medium sized businesses across varied industries. Though attacks on large multi-national companies make the news every week, small and medium sized businesses are also very much at risk and frequently suffer serious and costly breaches. A small, under protected business is an all too easy target for cyber thieves.
Effective cyber security management not only guards against the high costs of a breach; more and more it is becoming vital to remaining competitive in an increasingly security conscious marketplace. “Taking precautions against cyber thieves not only is an act of self-protection but also might be a requirement for winning new clients,” reports the Times. “An increasing number of corporations are requiring that companies they hire as contractors, no matter how small, have digital defenses in place.” Read the entire article here.
White House Unveils Global Cyberspace and Cybersecurity Policies: The next Osama bin Laden may not be one bearded man hiding in a walled fortress but instead a group of highly skilled, faceless men behind computers. Cyberterrorism, while still largely science fiction, lurks around the corner as growing accounts of logic bombs in U.S. networks and cases of software that can cripple power plants continue to put the U.S. government in defensive mode. While we’ve made progress, such as establishing new positions within government for Cybersecurity Coordinator, aka Cyber Czar, and Commander of U.S. Cyber Command, aka CYBERCOM, there still exists a great need for a framework under which to view ongoing organic global change in the Internet and resources for responding to that change. In response, the White House this past week introduced two major policy documents. The Huffington Post, May 18, 2011
U.S. Calls for Global Cybersecurity Strategy: WASHINGTON — The Obama administration on Monday proposed creating international computer security standards with penalties for countries and organizations that fell short. The New York Times, May 16, 2011
The U.S. Cyber Policy Blitz: Over the past week, the White House has announced two big plans for improving Internet security. One is an international policy that seeks to promote Internet freedom while cracking down on the theft of intellectual property. The other is a domestic legislative proposal whose key features include tightening data-breach notification laws. Technology Review, May 18, 2011
Account Takeover: Where’s the Progress? In April, the Federal Bureau of Investigation warned of a new wave of wire fraud originating in China. The spree, which involves numerous unauthorized transfers to China-based hackers, is but the latest in a long line of corporate account takeover incidents small and mid-sized banking institutions have battled since the summer of 2009. Bank Info Security, May 18, 2011
Mass. unemployment agency hit by computer virus, possible data breach: The state’s labor department is apologizing for a computer virus infection that may have compromised sensitive data from as many as 210,000 unemployed workers. The Boston Herald, May 17, 2011
Report: PSN password resets exploited, accounts compromised again: Just two days after the PlayStation Network was restored after a near month-long outage, the PSN password page has apparently been exploited. According to reports, the exploit allows other users to reset your account password using only your e-mail address and date of birth. This personal data was made available to hackers during the initial PSN attack. Ars Technica, May 18, 2011
Sony CEO Warns of ‘Bad New World’: TOKYO—After spending weeks to resolve a massive Internet security breach, Sony Corp. Chief Executive Howard Stringer said he can’t guarantee the security of the company’s videogame network or any other Web system in the “bad new world” of cybercrime. The Wall Street Journal, May 18, 2011
Point-of-Sale Skimmers: Robbed at the Register: Michaels Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced the machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. The specific device used by the criminal intruders has not been made public. But many devices and services are sold on the criminal underground to facilitate the surprisingly common fraud. KrebsOnSecurity, May 18, 2011
Hackers hit Sony, more security issues raised: Reuters NEW YORK – Sony Corp has been hacked again, exposing more security issues for the company less than a month after intruders stole personal information from more than 100 million online user accounts. Business Spectator, May 21, 2011
Facebook opposes California bill on social network privacy settings: Facebook and other social network giants are opposing a new Californian bill, which requires all social network websites to make users’ information private by default. A spokesman claims that the bill would be a big threat to their businesses. International Business Times, May 17, 2011
10 Facebook Settings to Check Right Now: As Facebook becomes the window to the Web for its more than 500 million users worldwide, the security of the social network has never been a hotter topic. The Detroit Free Press, May 16, 2011
Cybersecurity Safety Tips for Travelers – From the EC-Council: Airports are hotbeds for identity theft, and from rogue Wi-Fi hotspots to new wirelessly accessible e-passports, travelers have never been at greater risk. The EC-Council, an international cybersecurity training and consulting group, is urging travelers to be aware of the risks, and offers the following tips that can help travelers stay safe this summer. PRWeb, May 18, 2011
Report: Electronic medical records are vulnerable: WASHINGTON (AP) — The nation’s push to computerize medical records has failed to fully address longstanding security gaps that expose patients’ most sensitive information to hackers and snoops, government investigators warn. NECN.com, May 17, 2011
99% of Android phones leak secret account credentials: The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned. The Register, May 16, 2011
Google Fixes Android Public Wi-Fi Security Flaw: A few days ago researchers at Ulm University in Germany found that it was “quite easy” for hackers to intercept data from Google’s photo-sharing, calendar and contacts applications, as well as potentially other Google services including Gmail, and already Google says it has “fixed” the problem. Zero Paid, May 20, 2011
Study Sees Way to Win Spam Fight: For years, a team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, the billions of unwanted e-mail messages generated by networks of zombie computers controlled by the rogue programs called botnets. They even coined a term, “spamalytics,” to describe their work. Now they have concluded an experiment that is not for the faint of heart: for three months they set out to receive all the spam they could (no quarantines or filters need apply), then systematically made purchases from the Web sites advertised in the messages… The New York Times, May 19, 2011