Weekend Vulnerability and Patch Report, November 13, 2011

Important Security Updates

Adobe Flash Player version 11.1.102.55: Adobe has issued a critical software update for its Flash Player software that fixes at least a dozen security vulnerabilities, several of them highly critical. Updates are available for Windows, Mac, Linux, Solaris and Android versions of Flash and Adobe AIR. To find out if you have Flash and which version may be installed, visit the About Flash page. Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser.

Adobe Shockwave version 11.6.3.633: Adobe’s Shockwave update fixes four critical vulnerabilities. To update Shockwave visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, it means Shockwave is not installed in your browser and there is little reason to install it.

Apple AirPort / Time Capsule firmware version 7: Apple has updated AirPort / Time Capsule to patch a moderately critical vulnerability. The update is available from Apple’s Download Site.

Apple iOS 5.0.1: Apple has updated iOS to patch several highly critical vulnerabilities. The update is available from within iTunes.

Apple Mac OS X update for Java: Apple has issued an update for Java for Mac OS X. Java for Mac OS X 10.7 Update 1 fixes multiple vulnerabilities, several of them highly critical. The update is available from Apple’s Download Site.

Firefox version 3.6.24 and Thunderbird version 3.1.16: Mozilla has issued updates to earlier versions of Mozilla Firefox and Thunderbird to patch multiple vulnerabilities, several of them highly critical. Updates are available from within the program.

Firefox version 8.0: Mozilla has released Firefox version 8. Version 8 patches multiple vulnerabilities in version 7, several of them highly critical. Updates are available from within the program.

Google Chrome version 15.0.874.120: Google has updated Chrome to fix at least 19 security vulnerabilities, several of them highly critical. Updates are available from within the program.

Microsoft Patch Tuesday: This month’s suite of updates from Microsoft includes one “critical” patch. Updates are available from the Control Panel.

Current Adobe Flash and Java Versions

Adobe Flash: The current version is 11.1.102.55

Java: The current version is SE 6 Update 29.

Newly Announced Unpatched Vulnerabilities

Firefox version 7 and Thunderbird version 7: Multiple unpatched security vulnerabilities, several of them highly critical, have been reported in version 7 of Firefox and Thunderbird. Mozilla recommends users upgrade to version 8.

For Your IT Department

None

Important Unpatched Vulnerabilities

Adobe Photoshop Elements: Photoshop Elements versions 1 – 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18.

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Readers should refrain from opening untrusted files, in particular CDR files, in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

Microsoft Office Publisher 2007: A moderately critical vulnerability has been reported in Microsoft Office Publisher. No patch is available at this time. Readers are advised to not use content from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 23, 2011.

Microsoft Windows: As we reported in Weekend Vulnerability and Patch Report, November 6, Microsoft has released a security advisory about a 0-day critical vulnerability in most supported versions of Windows, including Windows XP, Vista and 7. There is no patch at this time. According to Microsoft, for an attack to be successful, a user must open an attachment that is sent in an e-mail message.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.

Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they issue an update patch to fix the code running on their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

No Responses — Written on November 13, 2011 — Filed in Security Alert: Vulnerability Management
