Weekend Vulnerability & Patch Report, June 12, 2011

The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.

Adobe Flash: Adobe has released an emergency security update to partially fix a vulnerability that the company warned is being actively exploited in targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. The highly critical vulnerability exists in Flash Player version 10.3.181.16 and earlier for Windows, Macintosh, Linux and Solaris and version 10.3.185.22 and earlier for Android. Users running multiple web browsers need to separately upgrade Internet Explorer along with the other browsers they use. Users can find out what version of Flash they have running at this Adobe web site. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that the Download Center may attempt to foist additional unwanted software on you. If you’d prefer to update manually, the direct installers for Windows are available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again. [Thanks to Brian Krebs of KrebsOnSecurity for detailed information on Adobe Flash updates.]

Google Chrome 12.0.742.91: Google has released Chrome 12.0.742.91 for Windows, Mac, Linux, and Chrome Frame to address multiple vulnerabilities, some of which are highly critical. Google Chrome can be updated from inside the program via the configuration icon.

Java 6 Update 26: Oracle has released an update to its ubiquitous Java software to fix at least 17 security vulnerabilities. Frankly, we don’t like Java. Cyber criminals regularly find and exploit its many bugs, making it a tool of choice for bypassing too many anti-virus and anti-malware programs. We agree with Brian Krebs at KrebsOnSecurity that if you don’t need Java, remove it … or at least disable it in your browser except when you need it. (In Firefox 4, this can be done from the “Content” tab found under “Tools / Options”.) Java 6 Update 26 (v. 1.6.0.26) can be obtained either through the updater built into Java (accessible from the Windows Control Panel) or by visiting java.com.

VLC Media Player 1.1.10: VideoLAN has released version 1.1.10 to address a highly critical vulnerability. The update is available from VideoLAN’s web site.


Newly Announced Unpatched Vulnerabilities (Zero-Days)

ACDSee Photo: Several highly critical zero-day vulnerabilities have been identified in various ACDSee photo products, specifically FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time.

Google Chrome 11.x: A highly critical zero-day vulnerability has been identified in Google Chrome, version 11.x. No patch is available at this time. Readers are urged to upgrade to version 12.0.742.91 or later.

Symantec Mail Security: Multiple highly critical zero-day vulnerabilities have been reported in Symantec Mail Security. Systems affected include Symantec Mail Security for Microsoft Exchange 6.x, Domino 7.x and Domino 8.x. No patches are available at this time. Readers in corporate environments using Microsoft Exchange or Domino are urged to forward this notice to their IT personnel so they may take appropriate action.


Cyber Security Advisories from US CERT (United States Computer Emergency Response Team)

Adobe has issued a prenotification advisory indicating that it plans to release updates for Adobe Reader and Acrobat to address multiple vulnerabilities. The advisory indicates that updates for Windows and Macintosh will be available on June 14, 2011.

Microsoft has issued a Security Bulletin Advance Notification indicating that its June release will contain 16 bulletins. Nine of the bulletins will have the severity rating of critical. The notification states that these critical bulletins are for Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight, Microsoft Forefront Threat Management Gateway, and Internet Explorer. The remaining seven bulletins will have the severity rating of important. The notification states that these important bulletins are for Microsoft Windows, Microsoft Office, Microsoft SQL Server, and Microsoft Visual Studio. Release of these bulletins is scheduled for Tuesday, June 14, 2011.

VMware has released security advisory VMSA-2011-0009 to address multiple vulnerabilities. Readers in corporate environments are encouraged to forward this notice to their IT personnel as this advisory may apply to their information systems environment.


Important Unpatched Zero-Day Vulnerabilities

Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues to be unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.

HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, March 4.


If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they issue an update patch to fix the code running on their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Written on June 12, 2011 — Filed in Security Alert: Vulnerability Management