The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Apple Mac OS X 10.6.8: Apple has released several updates to Mac OS X. Updates are available from Apple’s Download Site.
Apple iOS 4.2.10 and iOS 4.3.5: Apple has released these updates to correct a vulnerability. Users can obtain updates through their iTunes program.
Apple iWork 9.1: Apple has released iWork 9.1 to correct several highly critical vulnerabilities in Numbers and Pages.
For Your IT Department
VMware ESX Console OS: VMware has acknowledged several moderately critical vulnerabilities in Console OS. IT personnel can get more information here.
Newly Announced Unpatched Vulnerabilities (Zero-Days)
ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files.
Internet Explorer: A less critical vulnerability has been found in Internet Explorer versions 6 and 7. Users should make sure they are running version 8 or later.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files.
Important Unpatched Zero-Day Vulnerabilities.
ACDSee Photo: Several highly critical zero-day vulnerabilities have been identified in various ACDSee photo products. Zero-day vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.
HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
Microsoft Word: A highly critical zero-day vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.
Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
Symantec Mail Security: Multiple highly critical zero-day vulnerabilities have been reported in Symantec Mail Security. Systems affected include Symantec Mail Security for Microsoft Exchange 6.x, Domino 7.x and Domino 8.x. No patches are available at this time. Readers in corporate environments using Microsoft Exchange or Domino are urged to forward this notice to their IT personnel so they may take appropriate action. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Hackers post documents from Italian cybercrime unit: Hackers linked to Anonymous claim to have breached security at the government agency responsible for protecting vital computer networks in Italy. The hackers posted a trove of apparently confidential documents online and claimed much more was to come from systems at CNAIPIC – il Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche. The Telegraph, July 25, 2011
Hackers steal data from 35M netizens: The personal information of millions of netizens with accounts on Korea’s major portal site Nate and social networking site Cyworld was accessed by hackers on Tuesday, SK Communications said yesterday. Korea JoongAng Daily, July 29, 2011
Study: Automated Web App Attacks on the Rise: Web applications are attacked by hackers roughly once every two minutes on average, while automated assaults on websites and databases can number 25,000 attacks in an hour, or seven per second, according to new findings released by data security firm Imperva Monday. PC Magazine, July 25, 2011
Companies Encrypting Data, But Not Everywhere, Venafi Survey Finds: An overwhelming majority of organizations, 90%, use encryption for data security and systems authentication, according to a survey of security practices conducted on behalf of enterprise key and certificate management firm Venafi. Moreover, the survey showed strong overall security programs in the majority of organizations. Network Computing, July 28, 2011
Personal Mobile Devices Still Vex IT: Two thirds of large enterprises surveyed by Courion say that employees are causing security breaches by connecting personal mobile devices to the corporate network. Information Week, July 26, 2011
Securing Data in the Cloud? Call in the Magnificent Seven: The million-dollar question in organizations today is no longer “Should we move to the cloud?” but “How much of our infrastructure and data will we move to the cloud?” However, the difficulties organizations have protecting data – even when data is kept onsite in the corporate data center – is causing sleepless nights for IT professionals and business leaders alike, as they weigh the cost and operational benefits of moving to the cloud, against the potential introduction of new data security risks. Forbes, July 26, 2011
Spam & Fake AV: Like Ham & Eggs: An explosion of online fraud tools and services online makes it easier than ever for novices to get started in computer crime. At the same time, a growing body of evidence suggests that much of the world’s cybercrime activity may be the work of a core group of miscreants who’ve been at it for many years. KrebsOnSecurity, July 26, 2011
The cyber Mafia has already hacked you: Just how pervasive is cybercrime? “There are probably some corporations and credit cards that haven’t been hacked,” said Kim Peretti, director in PricewaterhouseCoopers’ forensic services practice. “But you have to assume you’ve been compromised.” CNN Money, July 27, 2011
Trojan Tricks Victims Into Transferring Funds: It’s horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief’s account. KrebsOnSecurity, July 28, 2011
Mac OS X Lion Password Vulnerability: Sleep Mode: Updated forensic software can steal Apple OS X login passwords in minutes, even when the devices are locked or asleep. To be successful, however, users of the software, Passware Kit Forensic v11, must have physical access to the target Mac device, as well as a FireWire cable connection. At that point, the software can capture the password data from the Mac’s memory, even on the latest version of Apple’s operating system, Mac OS X Lion. Information Week, July 29, 2011
‘War Texting’ Lets Hackers Unlock Car Doors via SMS: Software that lets drivers unlock car doors and even start their vehicles using a mobile phone could let car thieves do the very same things, according to computer security researchers at iSec Partners. PC World, July 27, 2011
For Suspected Hackers, a Sense of Social Protest: The F.B.I.’s arrests of 14 people last week were the most ambitious crackdown yet on a loose-knit group of hackers called Anonymous that has attacked a string of government agencies and private companies over the last eight months. The New York Times, July 26, 2011
Calif. Co. Sues Bank Over $465k eBanking Heist: A California real estate escrow company that lost more than $465,000 in an online banking heist last year is suing its former financial institution, alleging that the bank was negligent and that it failed to live up to the terms of its own online banking contract. KrebsOnSecurity, July 25th, 2011
UK police arrest suspected hacker group member: An 18-year-old man has been arrested in Scotland on suspicion of being linked to computer hacking groups Anonymous and LulzSec, police in London said Wednesday. CNN, July 28, 2011
U.S. targets Central European cybergangs: Organized Central European cybercrime gangs are a security threat to the United States and have been targeted in a new U.S. strategy released this week. UPI, July 28, 2011
DOD Website Sells Public On Cybersecurity Strategy: The Department of Defense (DOD) has launched a new website to accompany a comprehensive cybersecurity strategy launched less than two weeks ago to guide the department’s efforts to fight cyber attacks going forward. The Cyber Strategy website is aimed at helping the public understand the DOD’s consolidated cybersecurity strategy and provide a central site for the department’s accomplishments to date in how it is protecting the federal government and U.S. critical infrastructure from cyber attacks, it said. Information Week, July 25, 2011
Cyber Weapons: The New Arms Race: In the early morning hours of May 24, an armed burglar wearing a ski mask broke into the offices of Nicira Networks, a Silicon Valley startup housed in one of the countless nondescript buildings along Highway 101. He walked past desks littered with laptops and headed straight toward the cubicle of one of the company’s top engineers. The assailant appeared to know exactly what he wanted, which was a bulky computer that stored Nicira’s source code. He grabbed the one machine and fled. The whole operation lasted five minutes, according to video captured on an employee’s webcam. Palo Alto Police Sergeant Dave Flohr describes the burglary as a run-of-the-mill Silicon Valley computer grab. “There are lots of knuckleheads out there that take what they can and leave,” he says. But two people close to the company say that they, as well as national intelligence investigators now looking into the case, suspect something more sinister: a professional heist performed by someone with ties to China or Russia. The burglar didn’t want a computer he could sell on Craigslist. He wanted Nicira’s ideas. Bloomberg Businessweek, July 20, 2011 (Excellent overview; Highly Recommended)
The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Apple Safari 5.1 and 5.0.6 for Leopard: Apple has released these upgrades to Safari to correct more than 25 highly critical vulnerabilities. The updates are available from Apple’s Download Site.
Free Help Desk 1.1b: Free Help Desk has upgraded 1.x to fix multiple vulnerabilities.
Google Picasa 3.8: Google has released a Picasa upgrade to fix a highly critical vulnerability. The upgrade is available from Picasa’s website.
VLC Media Player 1.1.11: VLC has released this upgrade to correct the two highly critical zero-day vulnerabilities that we described in last weekend’s report. The upgrade is available from VLC’s web site.
Oracle: Oracle has released its critical patch update for July to address 78 vulnerabilities across multiple products. Readers whose organizations use Oracle should alert their IT staff.
Newly Announced Unpatched Vulnerabilities (Zero-Days)
None
Important Unpatched Zero-Day Vulnerabilities.
ACDSee Photo: Several highly critical zero-day vulnerabilities have been identified in various ACDSee photo products. Zero-day vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.
HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
Microsoft Word: A highly critical zero-day vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.
Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
Symantec Mail Security: Multiple highly critical zero-day vulnerabilities have been reported in Symantec Mail Security. Systems affected include Symantec Mail Security for Microsoft Exchange 6.x, Domino 7.x and Domino 8.x. No patches are available at this time. Readers in corporate environments using Microsoft Exchange or Domino are urged to forward this notice to their IT personnel so they may take appropriate action. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.
Hackers Shift Attacks to Small Firms: Recent hacking attacks on Sony Corp. and Lockheed Martin Corp. grabbed headlines. What happened at City Newsstand Inc. last year did not. Unbeknownst to owner Joe Angelastri, cyber thieves planted a software program on the cash registers at his two Chicago-area magazine shops that sent customer credit-card numbers to Russia. MasterCard Inc. demanded an investigation, at Mr. Angelastri’s expense, and the whole ordeal left him out about $22,000. The Wall Street Journal, July 21, 2011
eBanking Theft Costs Town of Eliot, Me. $28k: Organized cyber thieves stole more than $28,000 from a small New England town last week. The case once again highlights the mismatch between the sophistication of today’s attackers and the weak security measures protecting many commercial online banking accounts. KrebsOnSecurity, July 19, 2011
Insuring Clients Against Privacy Losses: The risks are evident. Private information of all kinds—personal, financial, medical—resides on the computers of nearly every business. Hackers and identity thieves increasingly are compromising system vulnerabilities, seeking to break in and exploit the details. Property Casualty 360, July 20, 2011
Brand Protection, Internal Threats Emerge Among Chief PCI Preoccupations: Fear of the damage that a data breach can inflict on a brand, rather than of network fines, drives organizations to invest in compliance with the Payment Card Industry data-security standard (PCI), a study released on Tuesday says. Some 69% of the mostly online organizations surveyed cited brand protection as their chief reason for spending on payment security, compared to 26% that ranked avoidance of fines first. “Other” reasons were cited by 5%. Digital Transactions, July 19, 2011
Scotland Yard chief quits, Brooks arrested over hacking: Britain’s top police officer resigned Sunday and Rupert Murdoch’s former aide Rebekah Brooks was arrested as the phone hacking scandal finally tore into the heart of the British establishment. AFP, July 17, 2011
In Court, Suggestions of Hacking Beyond The News of the World: Front pages across Britain featured pictures of Rupert Murdoch apologizing for phone hacking at The News of the World. But further suggestions that the practice spread beyond his newspaper emerged in a small, nondescript courtroom on Wednesday, even as Prime Minister David Cameron broadened an inquiry into the conduct of the British press. The New York Times, July 20, 2011
More Allegations Link Murdoch’s Media Empire to “Ethical Hackers”: The ‘drip drip drip’ of reports that link Rupert Murdoch’s media empire to incidents of malicious computer programs continues this week, with news of an investigation into News of the World’s use of so-called “ethical hackers” to obtain information from computers owned by targeted individuals. Threat Post, July 18, 2011
Murdoch Websites Return After Attackers Post False Obituary: News Corp., the company embroiled in a phone-hacking scandal, returned its U.K. newspaper websites to normal today after attackers disrupted service overnight and posted a fake obituary for Chairman Rupert Murdoch. Bloomberg, July 19, 2011
Anonymous Hackers Give Murdoch’s News Corp. Taste of Own Medicine: The hackers at News Corp. have become the hackees–surely that’s a word in modern parlance–of Anonymous and LulzSec, who released email login details of two former News of the World editors and are threatening to divulge more. PC World, July 19, 2011
Anonymous plans AnonPlus after being kicked out of Google+: The hacktivist group Anonymous has been kicked off Google+ and in response, the group is looking to build its own social network called AnonPlus. LA Times, July 18, 2011
Hackers claim to breach NATO security: A group of computer hackers on Thursday claimed to have breached NATO security and accessed hoards of restricted material. The Seattle Times, July 21, 2011
FBI arrests 14 alleged members of hacker group Anonymous: Dr. Stahl is quoted in this story–the FBI arrested 14 alleged members of hacker group Anonymous, which last fall took responsibility for knocking out the websites of several large companies. LA Times, July 20, 2011
16 Suspected ‘Anonymous’ Hackers Arrested in Nationwide Sweep: Sixteen suspected members of “Anonymous” were arrested this morning in states across the country, from California to New York, in a federal raid on the notorious hacking group. Fox News, July 19, 2011
Leading Member of LulzSec Hacker Squad Arrested in London: Officers from the Metropolitan Police’s E-Crime Unit in London arrested a 16-year-old boy in South London Tuesday afternoon, the latest arrest in an international sting operation targeting the notorious hacker groups Anonymous and LulzSec. Fox News, July 19, 2011
Google: Your Computer Appears to Be Infected: Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software. KrebsOnSecurity, July 19, 2011
House Committee OK’s Cybersecurity Enhancement Act: The Cybersecurity Enhancement Act of 2011 – legislation aimed to boost cybersecurity education, research and development – unanimously passed the House Science, Space and Technology Committee on Thursday. Debate by the full House could come after the August recess. govinfo security, July 21, 2011
Learning to defend against cyber warfare: Kyle Osborn could be called the Jack Bauer of the virtual age. He’s defending American interests from a potentially devastating attack. He’s doing so hunched over a laptop, armed with peanut butter and jelly and a jug of iced tea. LA Times, July 20, 2011
US signs cybersecurity agreement with India: The U.S. and Indian governments signed an agreement on Tuesday in New Delhi to increase the sharing of information on cybersecurity and terrorism. The Hill, July 19, 2011
The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Apple iOS 4.3.4: Apple has released iOS 4.3.4 and iOS 4.2.9 to fix the security vulnerability associated with viewing malicious PDF files. The upgrade is available from within iTunes and from Apple’s download site. We alerted readers to this problem in last week’s Cyber Security News of the Week.
BlackBerry Enterprise Server: Readers whose companies run BlackBerry should alert their IT staff to a BlackBerry advisory for interim updates to manage a vulnerability allowing an attacker to disclose sensitive information or cause a denial-of-service condition.
Microsoft Update Fixes 22 Security Flaws: The update fixes a critical flaw in the way Windows handles Bluetooth that let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network. Also patched is the highly critical zero-day vulnerability in Visio 2003 that we alerted readers to in our Weekend Vulnerability and Patch Report, July 10. Readers can check the Security section of the Windows Control Panel to make sure updates have been installed.
Trend Micro Control Manager: Trend Micro has patched three vulnerabilities, one moderately critical, in its Control Manager. Readers whose companies use Trend Micro should alert their IT staff. More information is available at Advisory 1, Advisory 2, and Advisory 3.
Newly Announced Unpatched Vulnerabilities (Zero-Days)
VLC Media Player: Two highly critical zero-day vulnerabilities have been found in VLC Media Player 1.x. No patch is available at this time.
Important Unpatched Zero-Day Vulnerabilities.
ACDSee Photo: Several highly critical zero-day vulnerabilities have been identified in various ACDSee photo products. Zero-day vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.
Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues to be unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.
HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
Microsoft Word: A highly critical zero-day vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.
Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
Symantec Mail Security: Multiple highly critical zero-day vulnerabilities have been reported in Symantec Mail Security. Systems affected include Symantec Mail Security for Microsoft Exchange 6.x, Domino 7.x and Domino 8.x. No patches are available at this time. Readers in corporate environments using Microsoft Exchange or Domino are urged to forward this notice to their IT personnel so they may take appropriate action. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.