Weekend Vulnerability and Patch Report, September 25, 2011

Important Security Updates

Adobe Flash: Adobe has issued an out-of-band software update to fix dangerous security flaws in its Flash Player products, including at least one that is actively being exploited. Patches are available for versions of Flash on Windows, Mac, Linux, Solaris and Android operating systems. To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser. To avoid using Adobe’s annoying Download Manager, IE users can download the latest update directly from this link; the direct link for non-IE browsers is here.

Google Chrome: Google released two updates this week, the first of which fixes more than 25 vulnerabilities, several of them highly critical. The second update fixes the Flash component inside of Chrome. The latest version is 14.0.835.186. Updates are available from within Chrome via “Customize > About Google Chrome.” (“Customize” is the wrench-shaped icon in the upper right hand corner.)

Opera Mobile for Android: Opera has released version 11.1 update 2 for the Android operating system to fix a security vulnerability.

Newly Announced Unpatched Vulnerabilities

None

For Your IT Department

Cisco Identity Services Engine: Cisco has released a security advisory to address a vulnerability in Cisco Identity Services Engine. Exploitation of this vulnerability may allow a remote attacker to gain complete administrative control of the device. US-CERT encourages users and administrators to review Cisco Security Advisory cisco-sa-20110920 and apply any necessary updates or workarounds to help mitigate the risks.

Oracle HTTP Server Products: Oracle has released a security alert to address a vulnerability in Apache HTTPD affecting versions of Oracle Fusion Middleware and Oracle Application Server. US-CERT encourages users and administrators to review the Oracle Security Alert for CVE-2011-3192 and apply any necessary updates to help mitigate the risks. Additional information can be found in US-CERT Vulnerability Note VU#405811.

WordPress: This has been a big week for WordPress plug-in vulnerabilities.

Important Unpatched Vulnerabilities

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18.

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.

Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer’s computers.
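The practical side of the paragraph above is checking whether each workstation actually runs the version a vendor has declared fixed. The following added example (not part of the original report) compares installed versions against a list of minimum patched versions numerically, component by component; the Chrome version comes from this report, while the "Example Viewer" product, its version, and the host inventory are constructed for the example.

```python
import re

# Minimum patched versions to enforce. Google Chrome's comes from the report
# above; "Example Viewer" is a constructed product name for this example.
REQUIRED_VERSIONS = {
    "Google Chrome": "14.0.835.186",
    "Example Viewer": "3.2",
}

# Constructed inventory: host -> {product: installed version}.
SAMPLE_INVENTORY = {
    "ws-01": {"Google Chrome": "14.0.835.186", "Example Viewer": "3.2"},
    "ws-02": {"Google Chrome": "14.0.835.163", "Example Viewer": "3.10"},
    "ws-03": {"Google Chrome": "13.0.782.220"},
}


def parse_version(version):
    """Turn '14.0.835.186' into (14, 0, 835, 186); non-numeric fragments are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_at_least(installed, required):
    """True when installed >= required, comparing numerically component by component.

    Plain string comparison gets this wrong ('3.10' < '3.2', '14.0' < '9.0'),
    so each component is compared as an integer. Shorter tuples are padded
    with zeros so that '10.1' and '10.1.0' compare equal.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def outdated_software(inventory, required):
    """Return {host: [(product, installed, required), ...]} for every installed
    product that is below its required version. Products without a required
    version are skipped, so the baseline only has to list what you track."""
    report = {}
    for host, products in inventory.items():
        for product, installed in products.items():
            if product in required and not is_at_least(installed, required[product]):
                report.setdefault(host, []).append(
                    (product, installed, required[product])
                )
    return report


if __name__ == "__main__":
    for host, items in sorted(outdated_software(SAMPLE_INVENTORY, REQUIRED_VERSIONS).items()):
        for product, installed, needed in items:
            print(f"{host}: {product} {installed} is below required {needed}")
```

Feeding the function a real inventory (exported from your software-inventory tool or gathered by script) turns the weekly "update to version X" notices into a per-host action list rather than a note to read.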

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Stan Stahl Ph.D. September 25, 2011 Filed in Security Alert: Vulnerability Management

Cyber Security News of the Week, September 25, 2011

Story of the Week

Our lead story of the week reports on a new survey about medical identity theft. It may also say something about our ethics.

Medical Identity Theft a Growing Problem: WASHINGTON — Nearly four out of ten doctors and hospitals surveyed have caught a patient trying to use someone else’s identity in order to obtain healthcare services, according to a new survey from accounting firm PricewaterhouseCoopers (PwC). Medpage Today, September 23, 2011

Information at Risk

Intel officials’ emails posted after hack of cybersecurity group: The names and email addresses of hundreds of U.S. intelligence officials — including some senior officials in the Obama Administration — have been posted on an anti-secrecy website after computer hackers allegedly swiped them from the internal membership list of a prestigious national security organization. MSNBC, September 18, 2011

Hundreds of GoDaddy Sites Compromised to Serve Malware: Sucuri Security detected a mass-compromise of shared-hosting GoDaddy sites. In all 445 cases the .htaccess file (a main Apache web server configuration file) was modified to redirect users to a malware site when they were referred by one of a list of search engines. Security Watch, September 15, 2011
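The compromise described above is hard to spot by browsing your own site, because the injected redirect fires only when the visitor arrives from a search engine. The following added example (not from the original article or from Sucuri) scans .htaccess content for a RewriteRule that redirects and is guarded by a RewriteCond on HTTP_REFERER naming a search engine, which is the shape of rule the article describes. Both sample .htaccess files and the redirect target malicious.example are constructed for the example.

```python
import re

# Constructed sample resembling the referer-conditional redirect the article describes:
# the redirect only triggers when the visitor came from a search engine, so the site
# owner, who types the address directly, never sees it.
SUSPICIOUS_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|msn)\\.(com|net).*$ [NC]
RewriteRule ^(.*)$ http://malicious.example/go.php [R=301,L]
"""

# Constructed benign front-controller rewrite: no referer condition, no redirect.
BENIGN_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
"""

SEARCH_ENGINE_NAMES = ("google", "yahoo", "bing", "msn", "aol", "ask")

# A RewriteRule flag list containing R or R=<code> marks an external redirect.
_REDIRECT_FLAG = re.compile(r"\[[^\]]*\bR(?:=\d+)?\b[^\]]*\]", re.IGNORECASE)


def find_referer_redirects(htaccess_text):
    """Return one finding per RewriteRule that redirects and whose preceding
    RewriteCond lines test HTTP_REFERER against a search-engine name."""
    findings = []
    pending_conds = []  # RewriteCond lines apply only to the next RewriteRule
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending_conds.append((lineno, line))
        elif directive == "rewriterule":
            target = parts[2].split()[0] if len(parts) > 2 else ""
            is_redirect = (
                target.lower().startswith(("http://", "https://"))
                or _REDIRECT_FLAG.search(line) is not None
            )
            referer_conds = [
                (n, cond) for n, cond in pending_conds
                if "%{http_referer}" in cond.lower()
                and any(name in cond.lower() for name in SEARCH_ENGINE_NAMES)
            ]
            if is_redirect and referer_conds:
                findings.append({
                    "rule_line": lineno,
                    "target": target,
                    "conditions": referer_conds,
                })
            pending_conds = []  # the rule consumes its conditions
    return findings


def scan_sites(htaccess_by_path):
    """Given {path: file content}, return the paths whose .htaccess has a finding."""
    return sorted(
        path for path, text in htaccess_by_path.items() if find_referer_redirects(text)
    )


if __name__ == "__main__":
    sample = {
        "/home/site1/.htaccess": SUSPICIOUS_HTACCESS,
        "/home/site2/.htaccess": BENIGN_HTACCESS,
    }
    for path in scan_sites(sample):
        for finding in find_referer_redirects(sample[path]):
            print(f"{path}: line {finding['rule_line']} redirects to "
                  f"{finding['target']} when the referer is a search engine")
```

On a shared host, run it over every .htaccess under the document roots you manage; a referer-conditioned redirect to a domain you do not own is worth treating as a compromise rather than a misconfiguration. Also compare the files against your last known-good copy, since the article reports the modification being made to the configuration file itself.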

Cyber Security Management

Study Identifies 2011 Authentication Trends & Challenges for Community Financial Institutions: PADUCAH, Ky., Sep 19, 2011 (BUSINESS WIRE) — In recent years, there have been significant changes in the threat landscape for community financial institutions. To address these changes, the Federal Financial Institutions Examination Council (FFIEC) took action with a supplement to update authentication guidance. MarketWatch, September 19, 2011

Is an ISP code of conduct the best way to fight botnets?: The Department of Homeland Security and National Institute of Standards and Technology are looking to beat back the kudzu of spam generators, distributed denial of service zombies, and other botnets, and they want your cooperation—on a totally voluntary basis, of course. Ars Technica, September 23, 2011

New cybersecurity alliance launches in Massachusetts: A collaboration among information security leaders in government, industry and academia has launched in Massachusetts with the goal of developing new data defense tactics. SC Magazine, September 22, 2011

Internet Badlands — Medical Identity Theft & HIPAA

Theft of Digital Health Data More Often Inside Job, Report Finds: Electronic health data breaches are increasingly carried out by “knowledgeable insiders” bent on identity theft or access to prescription drugs, according to a report from PricewaterhouseCoopers LLP. Bloomberg, September 22, 2011

Medical Identity Theft a Growing Problem: WASHINGTON — Nearly four out of ten doctors and hospitals surveyed have caught a patient trying to use someone else’s identity in order to obtain healthcare services, according to a new survey from accounting firm PricewaterhouseCoopers (PwC). Medpage Today, September 23, 2011

Alerts and Warnings

Zero-day holes found in Blackboard platform: Multiple zero-day security vulnerabilities have been found in the world’s most popular educational software – holes that allow students to change grades and download unpublished exams, while allowing criminals to steal personal information. SC Magazine, September 16, 2011

National Cyber Defense

Clarke: Outdated cyber defense leaves US open to attack: The nation’s cyber defenses now lag the capabilities of those attacking our online assets, leaving critical infrastructure and data vulnerable to increasingly sophisticated attacks, said former presidential adviser Richard Clarke. GCN, September 19, 2011

From the man who discovered Stuxnet, dire warnings one year later: One year ago a malicious software program called Stuxnet exploded onto the world stage as the first publicly confirmed cyber superweapon – a digital guided missile that could emerge from cyber space to destroy a physical target in the real world. Christian Science Monitor, September 22, 2011

The Future of Cyberspace

The Advent of a Global Intelligence: YALTA, Ukraine — Get ready for the global brain. That was the grand finale of a presentation on the next generation of the Internet I heard last week from Yuri Milner. G-8 leaders had a preview of Mr. Milner’s predictions a few months earlier, when he was among the technology savants invited to brief the world’s most powerful politicians in Deauville, France. The New York Times, September 22, 2011

Rays of Sunshine

FBI arrests Sony LulzSec hacking suspect: A suspected member of the clandestine hacking group LulzSec has been arrested in Arizona by the FBI on charges of taking part in an extensive breach of the Sony Pictures computer system. The Guardian, September 23, 2011

Firm sends bots into chats to solicit stolen data: A Texas security firm, CSIdentity, has created artificial-intelligence software capable of posing as a hacker and engaging ne’er-do-wells in the underground forums. Its goal is to solicit stolen data – a hacker hoping to fence 1,000 credit card numbers will offer dozens for free to prove they’re real – and send them back to flesh-and-blood investigators. SFGate, September 19, 2011

Securing the Future

New (ISC)²® Foundation Brings Cyber Security Education and Awareness To Communities Across The Globe: (ISC)2 (“ISC-squared”), the world’s largest not-for-profit information security professional body and administrators of the CISSP®, today announced that it has formed the (ISC)² Foundation, a new charitable organization dedicated to delivering education and awareness programs to communities around the globe to make the cyber world a safer place for everyone. A 501(c)3 organization, the (ISC)² Foundation will offer programs that leverage the unique skill sets of information security professionals everywhere to give back to the community and grow the pipeline of the next generation of qualified information security professionals. SFGate, September 19, 2011

Senate Panel Approves Bill Aimed at Thwarting Computer Attacks: Legislation aimed at protecting the nation’s financial networks and power grids from computer hackers and safeguarding consumer data online won approval from a U.S. Senate panel in a party-line vote. Bloomberg, September 22, 2011

Weekend Vulnerability and Patch Report, September 18, 2011

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Microsoft Monthly Update: Microsoft released five updates to fix at least 15 security vulnerabilities in its Windows and Office products. Updates are available through Windows Update in the Control Panel.

Adobe Acrobat & Reader: Adobe’s patches for Reader and Acrobat correct critical vulnerabilities in the programs that could be exploited by attackers just by convincing users to open a booby-trapped file. Updates are available for Adobe Reader X (10.1) and earlier versions for Windows, Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh. Users can update these from within the programs. Heads up for users of older versions of Reader and Acrobat: support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011.

Newly Announced Unpatched Vulnerabilities

ACDSee FotoSlate: Another unpatched highly critical vulnerability has been found in ACDSee’s FotoSlate. This is in addition to the critical vulnerability that still remains unpatched from last June.

For Your IT Department

Cisco: Cisco has released two security advisories to address vulnerabilities affecting the CiscoWorks LAN Management Solution, the Cisco Unified Service Monitor, and the Cisco Unified Operations Manager. These vulnerabilities may allow an unauthenticated attacker to execute arbitrary code. More information is available from US-CERT.

Important Unpatched Vulnerabilities

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.

Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

Stan Stahl Ph.D. September 18, 2011 Filed in Cyber Security Management

Cyber Security News of the Week, September 18, 2011

Story of the Week — Citadel Op-Ed Piece in Los Angeles Business Journal Encourages Senior Management to Take Action

Business Must Stay Connected to Threat of Cybercrime: Dr. Stahl’s Op-Ed Piece in the Los Angeles Business Journal. In the last few years, cyberattacks have evolved from annoyances to incidents having serious economic consequences. Los Angeles Business Journal, September 5, 2011

Alerts and Warnings

Cybercrime bullseye: Porn surfing males: Hold onto your hot beverage, because we’re about to tell you something shocking: young men who like to surf online for porn and dates are most at risk to being victimized by cybercrime, according to a new report by security experts. MSNBC, September 15, 2011

Cyber Security Management

US Agencies Making Progress on Cybercrime, Officials Say: U.S. government agencies are getting better at sharing information about cyberattacks with private companies, but cybercrime shows no signs of slowing down, cybersecurity experts told lawmakers Wednesday. PC World, September 14, 2011

New Report Highlights Economic Threat of Weak U.S. Cyber Security: A new report on cyber intelligence and cyber attacks outlines overlapping vulnerabilities in computer networks across private industry and the U.S. government, and calls for a systematic response that would prevent the harm these weaknesses could inflict on national security and the economy. Law.com, September 13, 2011

Cyber-Fraud Trends, Defenses Debated at Cyber-Defense Summit: Cyber-crime continues to flourish as perpetrators continually evolve new attacks and scams to compromise users and steal money and information, but there are certain things enterprises can do to protect themselves, security experts said at a cyber-defense summit. eWeek, September 15, 2011

PCI point-to-point encryption guidelines raise new questions: The PCI Security Standards Council today is expected to issue guidelines on use of point-to-point encryption in protecting sensitive payment card data, but the narrow approach — which is focused on hardware — is raising questions. Network World, September 15, 2011

Critical Infrastructure Security

Researcher discloses zero-day flaws in SCADA systems: An Italian security researcher this week disclosed details of several zero-day vulnerabilities he discovered in Supervisory Control and Data Acquisition (SCADA) products from multiple vendors, a disclosure that’s likely to reinforce concerns about critical infrastructure weaknesses. Computer World, September 16, 2011

Securing the Future

How Would You Change the Children’s Online Privacy Protection Rule?: The U.S. Federal Trade Commission is seeking public comments on proposed revisions, including protections regarding geolocation data, to the Children’s Online Privacy Protection Rule (COPPA). Mashable, September 16, 2011

Stan Stahl Ph.D. September 17, 2011 Filed in Cyber Security Management, Information at Risk

Weekend Vulnerability and Patch Report, September 11, 2011

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Special Security Bulletins

Microsoft Releases Advance Notification for September Security Bulletin: Microsoft has issued a Security Bulletin Advance Notification indicating that its September release will contain five bulletins. These bulletins will have the severity rating of important and will be for Microsoft Windows and Microsoft Office. Release of these bulletins is scheduled for Tuesday, September 13, 2011.

Adobe Prenotification Security Advisory for Adobe Reader and Acrobat: Adobe has issued a prenotification advisory indicating that it plans to release updates for Adobe Reader and Acrobat to address multiple vulnerabilities. The Adobe advisory indicates that updates for Windows and Macintosh will be available on September 13, 2011.

Important Security Updates

Citrix Xen Server Multiple Security Updates: A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 5.6 Service Pack 2. Patches are available at http://support.citrix.com/article/CTX130325.

Newly Announced Unpatched Vulnerabilities

None

Important Unpatched Vulnerabilities

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.

Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

Stan Stahl Ph.D. September 11, 2011 Filed in Security Alert: Vulnerability Management