Firefox / Thunderbird version 9: Version 9 patches several vulnerabilities, some of which are highly critical.
Firefox version 3.6.25 & Thunderbird 3.1.17: These updates for Mac OS X correct a vulnerability in earlier versions.
Mozilla SeaMonkey 2.6: Mozilla SeaMonkey version 2.6 patches a highly critical vulnerability in earlier versions.
Adobe Flash: The current version is 11.1.102.55 [Warning; see below]
Adobe Reader: The current version is 10.1.1 [Warning; see below]
Apple QuickTime: The current version is 7.7.1
Apple Safari: The current version is 5.1.2 (7534.52.7) [Warning; see below]
Google Chrome: The current version is 16.0.912.63
Internet Explorer: The current update version is IE9.0.8112.16421
Java: The current version is SE 6 Update 30
Mozilla Firefox: The current version is 9.0.1 [New update this week]
Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected.
Android Browser: Secunia reports a vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information.
Microsoft Windows: Secunia reports a highly critical unpatched vulnerability in Windows 7 Professional 64-bit. Other versions may also be affected.
VLC Media Player: VLC has released an advisory regarding a highly critical unpatched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player 1.1.13 will address the issue.
Websense: Multiple vulnerabilities have been reported in Websense products. IT Departments can get more information from Secunia.
Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11 remains unpatched. We recommend users disable the Flash player in their browsers.
Photoshop Elements: Adobe versions 1 – 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.
Adobe Reader and Acrobat: While Adobe has released Adobe Reader 9.4.7 and Adobe Acrobat 9.4.7 to address the extremely critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11, it doesn’t plan to update Reader X and Acrobat X until its next quarterly update scheduled for January 10, 2012. Until then the vulnerability still remains in Reader X and Acrobat X. Adobe has stated that other security technology in these products makes it more difficult to successfully exploit the vulnerabilities. Nevertheless, we continue to recommend users exercise extreme caution, opening PDF files only from trusted sources. Users may also want to consider alternative PDF readers such as Foxit, PDF-Xchange Viewer or Nitro PDF. See our Cyber Security News of the Week for more information on this vulnerability.
ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18.
ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.
Firefox version 7 and Thunderbird version 7: As we reported in Weekend Vulnerability and Patch Report, November 13, 2011, multiple unpatched security vulnerabilities, several of them highly critical, have been reported in version 7 of Firefox and Mozilla. Mozilla recommends users upgrade to version 8.
HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.
Microsoft Office Publisher 2007: A moderately critical vulnerability has been reported in Microsoft Office Publisher. No patch is available at this time. Readers are advised to not use content from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 23, 2011.
Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.
Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.
Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, May 13, 2011.
Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
Multiple Browser Vulnerabilities: The non-critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11 remains unpatched. Affected web browsers include Internet Explorer, Opera, Google Chrome and Firefox. We have no information at this time whether other browsers are affected. The vulnerability can be exploited by a malicious website to enumerate other sites visited by the user. Users may want to enable “Private Browsing” when visiting untrusted websites.
PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
This week’s news brings a story from Bloomberg that stolen credit cards are fetching up to $3.50 at online criminal trading sites. A story from Forbes states “In the war being waged for control of enterprise endpoint computers, cybercriminals currently have the upper hand.” Also this week is a warning from US-CERT of an active spear-phishing attack against United Services Automobile Association (USAA) members along with two stories of web sites being compromised to serve up malware to unwary visitors. These stories demonstrate just how dangerous the Internet can be.
Readers should remain on alert to keep safe from attacks by following three basic rules:
US-CERT is warning of an active spear-phishing attack via email messages directed at United Services Automobile Association (USAA) members. These messages contain the subject line “Deposit Posted” and contain a randomly generated four-digit number placed in the USAA security zone section. The messages ask users to open an attached file containing malicious software that if activated could provide access to a user’s personal information.
Amnesty International Site Serving Java Exploit: Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers. KrebsOnSecurity, December 23, 2011
Hackers Abuse PHP Setting to Inject Malicious Code Into Websites: Attackers have begun to abuse a special PHP configuration directive in order to insert malicious code into websites hosted on dedicated and virtual private servers (VPS) that have been compromised. PC World, December 23, 2011
China Hackers Hit U.S. Chamber: A group of hackers in China breached the computer defenses of America’s top business-lobbying group and gained access to everything stored on its systems, including information about its three million members, according to several people familiar with the matter. The Wall Street Journal, December 21, 2011
To Stop Cybercrime: Understand Crime Logic, And Adapt: Lockheed Martin, the International Monetary Fund, Sony, Oak Ridge National Laboratory, the European Space Agency, and Abbott Labs all have one thing in common – each of these highly respected companies suffered computer breaches in 2011. These are technology savvy enterprises that use leading security products and have strict security policies and procedures in place. So when it comes to attacks that cause real damage, why are security measures falling short? Security vendors like to blame these breaches on Advanced Persistent Threats or targeted attacks. Creating a different nomenclature does not make up for the fact that IT security is falling behind. In the war being waged for control of enterprise endpoint computers, cybercriminals currently have the upper hand. Forbes, December 23, 2011
Digital Data on Patients Raises Risk of Breaches: One afternoon last spring, Micky Tripathi received a panicked call from an employee. Someone had broken into his car and stolen his briefcase and company laptop along with it. The New York Times, December 19, 2011
Stolen Credit Cards Go for $3.50 at Amazon-Like Online Bazaar: In mid-September, a European hacker nicknamed Poxxie broke into the computer network of a U.S. company and, he said, grabbed 1,400 credit-card numbers, the account holders’ names and addresses, and the security code that comes with each card. Bloomberg, December 20, 2011
First EU-Report on Maritime Cyber Security: ENISA has published the first EU report ever on cyber security challenges in the Maritime Sector. This principal analysis highlights essential key insights, as well as existing initiatives, as a baseline for cyber security. Finally, high-level recommendations are given for addressing these risks. The Sacramento Bee, December 19, 2011
Iowa Republicans concerned about apparent hacker threat from Anonymous group: Taking seriously an apparent threat from a notorious collective of computer hackers, the Iowa Republican Party is boosting the security of the electronic systems it will use in two weeks to count the first votes of the 2012 presidential campaign. New York Daily News, December 19, 2011
Capitol Hill Sees a Flurry of Cybersecurity Bills to End 2011: Although there has been plenty of news about what Congress has not done in the waning days of 2011, you can’t say that there hasn’t been a focus on cybersecurity. There has been a flurry of activity on Capitol Hill and within federal agencies to develop some sort of cybersecurity plan. IT BusinessEdge, December 19, 2011
HP Plugs Security Hole With LaserJet Firmware Update, Says No Record Of Printers Set Ablaze By Hackers: Remember when researchers claimed a massive security vulnerability could potentially enable hackers to remotely take over Hewlett-Packard LaserJet printers and even cause them to burst into flames? Fun times, for sure. TechCrunch, December 23, 2011
Adobe Reader and Acrobat: Adobe has released Adobe Reader 9.4.7 and Adobe Acrobat 9.4.7 to address the extremely critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11.
Google Chrome 16.0.912.63: Google has updated Chrome to patch at least 15 security vulnerabilities, many of them highly critical.
Java 6 Update 30: Oracle has again updated Java, releasing two updated versions. According to KrebsOnSecurity.com, Oracle has released updates to Java versions 6 and 7, but only the Java 6 Update 30 includes security fixes. Updates are available from the Java console, available through the Windows Control Panel.
Microsoft Patch Tuesday: Microsoft’s monthly software updates patch more than 18 security holes in Windows and Office, several of them extremely critical. The most talked-about vulnerability fixed in December’s patch batch is the critical flaw we reported in Weekend Vulnerability and Patch Report, November 6. This vulnerability has been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems.
Adobe Flash: The current version is 11.1.102.55 [Warning; see below]
Adobe Reader: The current version is 10.1.1 [Warning; see below]
Apple QuickTime: The current version is 7.71.80.42
Apple Safari: The current version is 5.34.52.7
Google Chrome: The current version is 16.0.912.63 [New update this week]
Internet Explorer: The current update version is IE9.0.8112.16421
Java: The current version is SE 6 Update 30. [New update this week]
Mozilla Firefox: The current version is 8.0.1.
HTC Touch2: Secunia reports a highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer. No patch is available at this time. Users are advised to not open files from untrusted sources.
RSA: RSA has announced updates patching 2 vulnerabilities, one of them highly critical. IT Departments can get more information on these updates here.
In another illustration of the cyber dangers of Android-based devices, Google was forced to remove 22 applications from its Android Market after security researchers discovered the applications were infected with malware. The malicious applications posing as popular third-party software such as Angry Birds tricked users into sending premium text messages which then showed up as charges on their phone bills.
We continue to advise readers to be very cautious in downloading Android applications. Applications should be downloaded only from “official” stores and only after they have been ‘vetted’ as legit.
China-Based Hacking of 760 Companies Shows Cyber Cold War: Google Inc. and Intel Corp. were logical targets for China-based hackers, given the solid-gold intellectual property data stored in their computers. An attack by cyber spies on iBahn, a provider of Internet services to hotels, takes some explaining. Bloomberg, December 14, 2011
Government-backed hacker teams do most China-based data theft: As few as 12 different Chinese groups, largely backed or directed by the government there, commit the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts. USA Today, December 12, 2011
The Kindle Fire’s big security problem: Security concerns are giving some consumers another reason to hold off on the Kindle Fire, one of the holiday’s hottest gadgets. The Fire, launched with heaps of hype as a possible competitor to the Apple iPad, is a more inexpensive option for buyers looking for a tablet-like experience in an e-reader. But concerns grew this week over the device’s security. Detroit Free Press, December 14, 2011
NY ID Theft Ring Used Insiders, Gang Members: Authorities in Manhattan today unsealed indictments against 55 people suspected of operating an identity theft and financial fraud ring, including a number of insiders at banks and companies throughout New York who allegedly helped to steal more than $2 million from hundreds of customers and clients. KrebsOnSecurity, December 16, 2011
Ukrainian General Arrested in Cyber Heists: A decorated Ukrainian general was arrested last week in Romania along with two other men suspected of being part of an organized cybercrime gang that laundered at least $1.4 million stolen from U.S. and Italian firms. KrebsOnSecurity, December 16, 2011
Who Knows What Youhavedownloaded.com?: You may have never heard of youhavedownloaded.com, but if you recently grabbed [stole; illegally downloaded] movies, music or software from online file-trading networks, chances are decent that the site has heard of you. In fact, you may find that the titles you downloaded are now listed and publicly searchable at the site, indexed by your Internet address. KrebsOnSecurity, December 12, 2011
Google moves to delete ‘RuFraud’ scam Android apps: Google has removed 22 applications from its Android Market after they were discovered to contain fraudulent software. Apps posing as popular third-party software such as Angry Birds tricked users into sending premium text messages. BBC, December 15, 2011
Android Market has 22 apps pulled by Google to prevent fraudulent charges: Security vendors have tipped off Google to 22 applications that trick users into accepting fraudulent charges. This “SMS toll fraud”, as Lookout Mobile Security has coined it, will trick users into accepting charges via SMS. The applications will appear similar to well-known software gaining trust of the user so the user accepts the ToS and, unfortunately, the hidden charges that come with it. Slashgear, December 13, 2011
Bugs Money: Talk about geek chic. Facebook has started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws. KrebsOnSecurity, December 13, 2011
Preparing In-House Counsel for a New Year of Cybersecurity Threats: As CorpCounsel has discussed on these web pages before, 2011 has been a banner year for cyber attacks on company networks and corporate data breaches involving sensitive customer information. There’s been much discussion of how government and the private sector need to put their heads together on cybersecurity measures, just as laws governing data privacy continue to proliferate around the globe. Law.com, December 15, 2011
Power Grid Cybersecurity: Who’s In Charge? Cybersecurity experts have been murmuring for some time that the United States’ power supply is open to cyberattacks. “If someone were to think about attacking another nation, the first thing they’d do is take out the power grid, since it’s the hub around which other infrastructure spokes revolve,” Patrick Miller, president and CEO of the National Electric Sector Cybersecurity Organization (NESCO), told TechNewsWorld. TechNewsWorld, December 16, 2011
Lungren, King Introduce Cybersecurity Bill to Protect U.S. Critical Infrastructure from Attack: Today, U.S. Rep. Peter T. King (R-NY), Chairman of the Committee on Homeland Security, and seven other Members joined Rep. Dan Lungren (R-CA), Chairman of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, in introducing bipartisan legislation to better secure America’s critical infrastructure, such as the electric grid, financial services systems, and water facilities, from cyberattack. ThePineTree.net, December 15, 2011
Blackberry Tablet OS: Blackberry has released version 1.0.8.6067 to patch a security vulnerability. More information is available from Blackberry’s Advisory.
Foxit Reader: Foxit has released version 5.1.3 to patch a highly critical vulnerability. More information and a link to download the updated version are available from Foxit’s Advisory.
Opera Browser: Opera has released version 11.60 to patch multiple moderately critical vulnerabilities. Users can download the update from Opera’s website.
Adobe Flash: The current version is 11.1.102.55 [Warning; see below]
Adobe Reader: The current version is 10.1.1 [Warning; see below]
Apple QuickTime: The current version is 7.71.80.42
Apple Safari: The current version is 5.34.52.7
Google Chrome: The current version is 15.0.874.121
Internet Explorer: The current update version is IE9.0.8112.16421
Java: The current version is SE 6 Update 29.
Mozilla Firefox: The current version is 8.0.1.
Adobe Flash: Secunia reports that a highly critical vulnerability has been found in the Adobe Flash Player. No patch is available at this time. We recommend users disable the Flash player in their browsers. See our Cyber Security News of the Week for more information on this vulnerability.
Adobe Reader: US-CERT reports that Adobe has released a Security Advisory for Adobe Reader and Acrobat to address an extremely critical vulnerability affecting Adobe Reader. We recommend users exercise extreme caution, opening PDF files only from trusted sources. Users may also want to consider alternative PDF readers such as Foxit, PDF-Xchange Viewer or Nitro PDF. See our Cyber Security News of the Week for more information on this vulnerability.
Multiple Browser Vulnerabilities: Secunia reports a common vulnerability affecting multiple web browsers, including Internet Explorer, Opera, Google Chrome and Firefox. We have no information at this time whether other browsers are affected. The vulnerability can be exploited by a malicious website to enumerate other sites visited by the user. Secunia recommends enabling “Private Browsing” when visiting untrusted websites.
Trend Micro Control Manager: Trend Micro has updated Control Manager to patch a moderately critical vulnerability. More information is available at Trend Micro’s Advisory.
Adobe Photoshop Elements: Adobe versions 1 – 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.
ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18.
ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.
Firefox version 7 and Thunderbird version 7: As we reported in Weekend Vulnerability and Patch Report, November 13, 2011, multiple unpatched security vulnerabilities, several of them highly critical, have been reported in version 7 of Firefox and Thunderbird. Mozilla recommends users upgrade to version 8.
HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
Microsoft Office Publisher 2007: A moderately critical vulnerability has been reported in Microsoft Office Publisher. No patch is available at this time. Readers are advised to not use content from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 23, 2011.
Microsoft Windows: As we reported in Weekend Vulnerability and Patch Report, November 6, Microsoft has released a security advisory about a 0-day critical vulnerability in most supported versions of Windows, including Windows XP, Vista and 7. There is no patch at this time. According to Microsoft, for an attack to be successful, a user must open an attachment that is sent in an e-mail message.
Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.
Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.
Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.