Adobe Flash Player: Adobe has released version 11.2.202.235 to fix an extremely critical vulnerability. Updates are available from Adobe’s website.
Adobe Illustrator: Adobe has released version CS6 to fix 5 highly critical vulnerabilities. Updates are available from Adobe’s website.
Adobe Flash Professional: Adobe has released version CS6 to fix a highly critical vulnerability. Updates are available from Adobe’s website.
Adobe Shockwave Player: Adobe has released version 11.6.5.635 to fix 5 highly critical vulnerabilities. Updates are available from Adobe’s website.
Apple iOS: Apple has released iOS 5.1.1 for iPhone, iPod touch, iPad, and iPad 2 to fix several vulnerabilities, some of which are highly critical. The update is available through Apple’s website. We first alerted readers to one of these vulnerabilities in Weekend Vulnerability and Patch Report, March 25, 2012.
Apple Mac OS X: Apple has released OS X Lion v10.7.4 to fix 36 vulnerabilities, many of which are highly critical. The update is available through Software Update or from Apple’s download site.
Microsoft Patch Tuesday: Microsoft has released 7 bulletins fixing at least 23 vulnerabilities, many of which are highly critical. Affected products include Windows Vista, Windows XP Professional and Microsoft Office. Updates are available through Windows Update in the Windows Control Panel.
Adobe Flash 11.2.202.235
Adobe Reader 10.1.3
Apple QuickTime 7.7.1
Apple Safari 5.1.7 [Warning; see below]
Google Chrome 18.0.1025.168
Internet Explorer 9.0.8112.16421
Java SE 6 Update 31 [Java is a major source of cyber criminal exploits. Java is not needed for most internet browsing. Consider removing or disabling it if you don't need it.]
Mozilla Firefox 12.0
Adobe Flash Professional: Adobe has released version CS6 to fix several highly critical vulnerabilities; version CS5 of Adobe Flash Professional remains unpatched. Upgrades are available from Adobe’s website.
Adobe Illustrator: Adobe has released version CS6 to fix 5 highly critical vulnerabilities; version CS5 of Adobe Illustrator remains unpatched. Upgrades are available from Adobe’s website.
Cisco Unified MeetingPlace: Secunia reports a vulnerability in Cisco’s Unified MeetingPlace, version 6.x. Update to version 6.1.1.4 (MR1).
Cisco Unified MeetingPlace: Secunia reports a vulnerability in Cisco’s Unified MeetingPlace, version 7.x. Update to version 7.1.2.6 (MR1).
CiscoWorks Prime LAN Management Solution: Secunia reports 2 moderately critical vulnerabilities in CiscoWorks Prime LAN Management Solution. Update to version 4.2.
Cisco Secure ACS: Secunia reports 2 moderately critical vulnerabilities in Cisco’s Secure ACS. Update to version 5.2.0.26 patch 9.
IBM OS/400: Secunia reports highly critical vulnerabilities in IBM’s OS/400 in version V6R1M0. Apply patch 5733SC1.
Symantec Web Gateway: Secunia reports an unpatched vulnerability in Symantec’s Web Gateway version 5.0.2.8. Other versions may also be affected. See the Secunia advisory for a workaround.
ACDSee 14.x: Secunia reports a highly critical unpatched vulnerability in ACDSee. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 19, 2012.
ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, June 12, 2011, and to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18, 2011.
ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Readers should refrain from opening untrusted CDR files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Adobe Photoshop: Secunia reports a highly critical vulnerability in Adobe’s Photoshop version 12.1. Other versions may also be affected. Adobe warns not to open untrusted TIFF images. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.
Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Apple Safari: Secunia reports a moderately critical vulnerability in Apple’s Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.
Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
CA ARCserve Backup: Secunia reports a less critical vulnerability in CA’s ARCserve Backup in versions 12.0, 12.5, 15, and 16. CA provides a partial fix and advises updating to a fixed version. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.
HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.
HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.
McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.
Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.
Microsoft Word: A highly critical vulnerability has been found in Microsoft Word 2002 (Office XP). No patch is available at this time. Readers should refrain from opening untrusted files in this earlier version of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.
Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.
PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.
If you are responsible for the security of your computer, our weekly report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue a patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Join us on May 16 for ISSA-LA’s 4th Annual Information Security Summit. Keynote addresses by Alan Paller of the SANS Institute, DHS’ Bruce McConnell and business coach Chris Coffey. Perfect for business, technology and information security leaders. Nonprofits can attend for free by taking advantage of ISSA-LA’s special scholarship fund. Email vp@issa-la.org for more information.
The ISSA Summit provides business leaders with a concentrated, thought-provoking, and valuable education in the nature of these threats, and how organizations can and should mitigate their risks from today’s cyber threats. I highly recommend that executives take advantage of this annual event.
Eric Schwab
General Manager
GFI Software
Visit the ISSA-LA Summit Website for more information or to register.
Hackers target Twitter spammers in massive account data breach: A massive breach has led to more than 55,000 Twitter accounts being published on the Web. But it appears the hackers may have targeted spammers over ordinary users. Twitter is investigating after 55,000 account details — including username and password combinations — were published online. ZDNet, May 8, 2012
Hackers breach UMaine servers. Affected students made purchases at computer store: A University of Maine computer server breach by hackers may have exposed personal information, including credit card and Social Security numbers of students, college officials said Thursday. Morning Sentinel, May 12, 2012
Activist hackers temporarily block Putin’s website: Hackers temporarily blocked President Vladimir Putin’s web site on Wednesday, carrying out a promise to disrupt government information portals two days after his swearing-in for another six-year term that has drawn street protests. Reuters, May 9, 2012
Is Your Cloud Provider Exposing Remnants of Your Data?: CIO – If your organization uses a multi-tenant managed hosting service or Infrastructure as a Service (IaaS) cloud for some or all of your data and you aren’t following best practices by encrypting that data you may be inadvertently exposing it. ComputerWorld, May 10, 2012
FBI: Updates Over Public ‘Net Access = Bad Idea: The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms. KrebsOnSecurity, May 11, 2012
DHS: Hackers Mounting Organized Cyber Attack on U.S. Gas Pipelines: For the past six months, an unidentified group of hackers has been mounting an ongoing, coordinated cyber attack on the control systems of U.S. gas pipelines, prompting the Department of Homeland Security to issue alerts. ABC News, May 8, 2012
At the Crossroads of eThieves and Cyberspies: Lost in the annals of campy commercials from the 1980s is a series of ads that featured improbable scenes between two young people (usually of the opposite sex) who always somehow caused the inadvertent collision of peanut butter and chocolate. After the mishap, one would complain, “Hey you got your chocolate in my peanut butter!,” and the other would shout, “You got your peanut butter in my chocolate!” The youngsters would then sample the product of their happy accident and be amazed to find someone had already combined the two flavors into a sweet and salty treat that is commercially available. KrebsOnSecurity, May 8, 2012
Financial Malware Tricks Users With Claims of Free Credit Card Fraud Insurance: A piece of financial malware called Tatanga attempts to trick online banking users into authorizing rogue money transfers from their accounts as part of the activation procedure for a free credit-card fraud insurance service purportedly provided by their banks, security researchers from Trusteer said Tuesday. IDG News, May 8, 2012
Hackers Gain Access to Homes Through Webcams: Internet users are becoming vulnerable to hackers who can infiltrate software and gain access to webcams. “The main thing to worry about is when software is able to turn on your camera without notifying you, without the user explicitly turning it on, that’s the main issue,” said Feross Aboukhadijeh, a student at Stanford University in California. Information Week, May 9, 2012
HIPAA/HiTECH – Changes on the Way for Covered Providers: The privacy and security landscape for covered providers will soon be changing. A number of rules are finally making their way through the system in relationship to HIPAA, HiTECH and Stage II Meaningful Use. JDSupra, May 9, 2012
Pentagon to expand cybersecurity program for defense contractors: The Pentagon is expanding and making permanent a trial program that teams the government with Internet service providers to protect defense firms’ computer networks against data theft by foreign adversaries. Washington Post, May 11, 2012
Identity-Theft Victims Given Short Shrift by IRS, Says Watchdog: J. Russell George, the Treasury Inspector General for Tax Administration, or Tigta—an official IRS watchdog—today told a Congressional oversight committee that the Internal Revenue Service gives “confusing and often conflicting instructions” to taxpayers who are victims of identity theft. IRS Deputy Commissioner Steven Miller gave testimony before the committee as well. Wall Street Journal, May 8, 2012
FBI Fears Bitcoin’s Popularity with Criminals: The FBI sees the anonymous Bitcoin payment network as an alarming haven for money laundering and other criminal activity — including as a tool for hackers to rip off fellow Bitcoin users. … That’s according to a new FBI internal report that leaked to the internet this week, which expresses concern about the difficulty of tracking the identify of anonymous Bitcoin users, while also unintentionally providing tips for Bitcoin users to remain more anonymous. Wired, May 9, 2012
Cybersecurity Firms Ditch Defense, Learn To ‘Hunt’: The most challenging cyberattacks these days come from China and target Western firms’ trade secrets and intellectual property. But a problem for some is a business opportunity for others: It’s boom time for cybersecurity firms that specialize in going after Chinese hackers. NPR, May 10, 2012
Cybersecurity Experts Begin Investigation on Self-Adapting Computer Network That Defends Itself Against Hackers: In the online struggle for network security, Kansas State University cybersecurity experts are adding an ally to the security force: the computer network itself. Newswise, May 10, 2012
Adobe Flash Player: Adobe has released version 11.2.202.235 to fix several highly critical vulnerabilities, including a zero-day vulnerability under active attack. Updates are available from Adobe’s website.
Adobe Flash Player for Android: Adobe has released updates for Android mobile devices to fix several highly critical vulnerabilities. Updates are available through the Android device.
Google Chrome: Google has released version 18.0.1025.168 to fix at least 5 vulnerabilities, several of which are highly critical. The update is available through the program.
WinZip: WinZip has released version 16.5 (10095) of the WinZip software to fix a vulnerability. Update from within the program. Note: This month marks the end of support for WinZip version 12.0; support for all versions prior to 12.0 has already expired.
Adobe Flash 11.2.202.235
Adobe Reader 10.1.3
Apple QuickTime 7.7.1
Apple Safari 5.1.5 [Warning; see below]
Google Chrome 18.0.1025.168
Internet Explorer 9.0.8112.16421
Java SE 6 Update 31 [Java is a major source of cyber criminal exploits. Java is not needed for most internet browsing. Consider removing or disabling it if you don't need it.]
Mozilla Firefox 12.0
None
Citrix Provisioning Services: Secunia reports a moderately critical vulnerability in Citrix’s Provisioning Services in versions 5.x and 6.x. Apply the hotfix or service pack.
HP Systems Insight Manager: Secunia reports at least 65 vulnerabilities, many of which are highly critical, in HP Systems Insight Manager in versions prior to 7.0. Update to version 7.0.
McAfee Virtual Technician: Secunia reports a highly critical vulnerability in McAfee’s Virtual Technician in version 6.3.0.1911. Other versions may also be affected. Set the kill bit for the affected ActiveX control so that Internet Explorer will no longer load it.
VMware ESX Server: Secunia reports vulnerabilities in VMware’s ESX Server. Update to a fixed version. See VMware’s advisory for details.
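The kill bit Secunia refers to is a per-CLSID flag: bit 0x400 of the “Compatibility Flags” DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which stops Internet Explorer from instantiating that control. As an added example, not code from the Citadel report, Secunia or McAfee, the Python below builds a .reg file for a CLSID and, on Windows, sets the bit directly while preserving any flags already set. The all-zero CLSID used here is a placeholder; the real CLSID of the affected control is given in the vendor and Secunia advisories.

```python
"""Set an Internet Explorer ActiveX kill bit for a CLSID (added example)."""
import re
import sys

# Documented by Microsoft: the 0x400 bit of "Compatibility Flags" under this
# key prevents IE from instantiating the control with that CLSID.
KILLBIT = 0x00000400
KEY_PATH = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

# Placeholder only: the real CLSID of the affected control comes from the advisory.
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"


def normalize_clsid(clsid: str) -> str:
    """Return the CLSID in canonical upper-case braced form, or raise ValueError."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def killbit_reg_file(clsid: str, existing_flags: int = 0) -> str:
    """Return .reg text that ORs the kill bit into any existing Compatibility Flags."""
    c = normalize_clsid(clsid)
    flags = existing_flags | KILLBIT
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_LOCAL_MACHINE\\{KEY_PATH}\\{c}]\r\n"
        f'"Compatibility Flags"=dword:{flags:08x}\r\n'
    )


def apply_killbit(clsid: str) -> int:
    """Set the kill bit in the live registry. Windows only; needs an elevated shell.

    Writes both the native view and the 32-bit (Wow6432Node) view so that
    32-bit IE on 64-bit Windows sees it too. Returns the resulting flags value.
    """
    if sys.platform != "win32":
        raise OSError("kill bits apply to Internet Explorer on Windows only")
    import winreg  # imported here so the module still loads on non-Windows hosts

    c = normalize_clsid(clsid)
    result = 0
    for view in (0, winreg.KEY_WOW64_32KEY):
        access = winreg.KEY_READ | winreg.KEY_WRITE | view
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, KEY_PATH + "\\" + c, 0, access) as key:
            try:
                current, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            except FileNotFoundError:
                current = 0
            result = current | KILLBIT  # keep any other compatibility bits already set
            winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD, result)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_CLSID
    # Print the .reg equivalent so the change can be reviewed or pushed by GPO;
    # apply_killbit(target) performs the same write directly on Windows.
    print(killbit_reg_file(target))
```

Generating the .reg text rather than writing the registry blindly lets the change be reviewed and distributed with existing tooling; the OR into the existing value matters because Microsoft and other vendors also use that DWORD for their own compatibility bits.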
Apple iOS Safari: Secunia reports a less critical vulnerability in Apple’s iOS version 5.1 (9B176) on iPhone 4 and 4th generation iPod touch. Other versions and devices may also be affected. Apple warns not to navigate to sensitive pages via untrusted web pages. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.
I recommend the Summit to both the CIO and their staff because it’s the one day you can count on to get informed, learn how to stay informed, and build a network of strong security professionals who are passionate about supporting the “neighborhood watch” of information security.
Jennifer Terrill, CISSP
Vice President Information Technology / CISO
True Religion Brand Jeans
Visit the ISSA-LA Summit Website for more information or to register.
Hackers Blackmail Belgian Bank With Threats to Publish Customer Data: Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank does not pay €150,000 (US$197,000) before Friday, May 4, they said in a statement posted to Pastebin. Elantis confirmed the data breach on Thursday, but the bank said it will not give in to extortion threats. PC World, May 3, 2012
Global Payments Breach Window Expands: A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012. KrebsOnSecurity, May 4, 2012
SC inspector general analyzing security processes following theft of Medicaid information: COLUMBIA, S.C. — South Carolina’s inspector general is reviewing the security systems of state agencies following the theft of more than 228,000 Medicaid patients’ personal information, Gov. Nikki Haley said Monday. The Republic, April 30, 2012
Hackers plan attack on Russian government sites: The activist hacker group Anonymous said on Friday it planned to attack Russian government websites in order to support opposition protests ahead of Vladimir Putin’s inauguration as president. Reuters, May 4, 2012
How to Muddy Your Tracks on the Internet: Legal and technology researchers estimate that it would take about a month for Internet users to read the privacy policies of all the Web sites they visit in a year. So in the interest of time, here is the deal: You know that dream where you suddenly realize you’re stark naked? You’re living it whenever you open your browser. The New York Times, May 3, 2012
Processor Warns of Hacking Trend: Over the past year, First Data, the largest payments processor in the U.S., has seen an uptick in “trolling” – hackers sniffing networks for remote access into point-of-sale systems that are open or loosely protected. BankInfoSecurity, April 30, 2012
Fears of spying hinder U.S. license for China Mobile: WASHINGTON — Concerned about possible cyber spying, U.S. national security officials are debating whether to take the unprecedented step of recommending that a Chinese government-owned mobile phone giant be denied a license to offer international service to American customers. LA Times, May 5, 2012
Malware for Macs Lucrative, Security Researchers Say: Last month, cybercriminals embarked on what quickly became one of the largest-scale malware attacks on Apple computers to date. Their motive was financial: security researchers now estimate that the infected computers made the malware’s creators $10,000 a day. The New York Times, May 1, 2012
Android Apps Slurp Excessive Data: More than one-third of Android apps request “excessive permissions,” giving them access to more data than they require. InformationWeek, May 1, 2012
Snow Leopard hit hardest by Flashback malware: Russian security company Dr. Web recently analyzed one of the latest known variants of the Flashback malware for OS X, and in doing so revealed some interesting statistics regarding the infection rates of the malware — which, by some perspectives, counters criticism of Apple’s lapse in attention to security on OS X. CNET, April 30, 2012
6 Discoveries That Prove Mobile Malware’s Mettle: Mobile malware hasn’t yet grown to the problematic levels that once plagued Windows PCs back in the days before Trustworthy Computing. That doesn’t mean mobile vulnerabilities aren’t exploitable, though: Today’s security researchers are not only creating and discovering proof-of-concept examples with real-world applicability, but they’re finding in-the-wild samples, too. Dark Reading, May 3, 2012
The 10 worst Web application-logic flaws that hackers love to abuse: Hackers are always hunting to find business-logic flaws, especially on the Web, in order to exploit weaknesses in online ordering and other processes. NT OBJECTives, which validates Web application security, says these are the top 10 business-logic flaws they see all the time. NetworkWorld, May 3, 2012
Mac Malware Targeting Unpatched Office Running on OS X: Microsoft is reporting that malware is exploiting unpatched versions of its Microsoft Office Word 2000 suite to compromise Apple Macintoshes running Snow Leopard or earlier versions of Mac OS X. eWeek, May 2, 2012
Adobe warns: Flash Player malware hitting IE on Windows users: Adobe has shipped an extremely urgent Flash Player patch to block in-the-wild malware attacks against Windows users. ZDNet, May 4, 2012
8 Reasons Conficker Malware Won’t Die: Obstinate. That’s how Microsoft has labeled Conficker, which, despite being three years old and targeted for eradication, continues to survive–and even thrive–in corporate networks. InformationWeek, April 30, 2012
Hackers’ Favorite Target Last Year Was a Blast From the Past: If you need more proof that users are a weak link in computer security, look no further than today’s report from Symantec, which showed that hackers’ favorite target in 2011 was a security hole fixed about four years ago. Bloomberg, April 30, 2012
For Stronger IT Security, Build Relationships, Not Walls: Security leaders put up walls. Firewalls, barriers to entry, ways to control the flow of information. It’s what we do. But ironically, to do a better job of protecting our enterprises, we’ve got to become more open and collaborative. Forbes, May 4, 2012
Hottest IT Skill? Cybersecurity: Embattled by hactivists, cybercriminals and foreign rivals seeking to steal proprietary information, U.S. corporations are ramping up their hiring of cybersecurity experts, with open jobs reaching an all-time high in April. PC World, May 3, 2012
Microsoft says raid damaged cybercrime operation: BALTIMORE – Microsoft and the banking industry Monday provided a detailed, behind-the-scenes account of an operation they said disrupted a major cybercrime operation that used malicious software to allegedly steal $100 million from consumers over the last five years. Fox News, April 30, 2012
Flashback malware exposes big gaps in Apple security response: A pair of high-profile malware attacks have given Apple a crash course in security response. Based on recent actions, 70 million current Mac owners have a right to expect much more from Apple than they’re getting today. ZDNet, April 29, 2012
Mozilla Firefox / Thunderbird: Mozilla has released Firefox version 12.0 and Thunderbird version 12.0 to correct many highly critical vulnerabilities. Updates are available through the program.
Mozilla Firefox Mobile for Android: Mozilla has released Firefox Mobile version 10.0.4 to correct many highly critical vulnerabilities. Updates are available through the Android device.
Current Software Versions
Adobe Flash 11.2.202.233
Adobe Reader 10.1.3
Apple QuickTime 7.7.1
Apple Safari 5.1.5 [Warning; see below]
Google Chrome 18.0.1025.162
Internet Explorer 9.0.8112.16421
Java SE 6 Update 31 [Java is a major source of cyber criminal exploits. Java is not needed for most internet browsing. Consider removing or disabling it if you don't need it. ]
Mozilla Firefox 12.0
None
DNSChanger Malware: US-CERT encourages users and administrators to ensure their systems are not infected with the DNSChanger malware by utilizing tools and resources available at the DNS Changer Working Group (DCWG) website. Computers testing positive for infection of DNSChanger malware will need to be cleaned of the malware in order to maintain continued internet connectivity beyond July 9, 2012.
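As an added check for the DNSChanger item above (example code written for this report, not a tool from US-CERT or the DCWG): the script below reads the resolver settings a user would see in /etc/resolv.conf or in the output of ipconfig /all on Windows, and flags any resolver that falls inside the rogue DNS address ranges the FBI and the DCWG published for the DNSChanger infrastructure. The ranges are reproduced from that published list and should be confirmed against the DCWG site before relying on them; the sample inputs are constructed for the example. It does not replace the DCWG's own test page: DNSChanger also rewrote the DNS settings of home routers with default passwords, and a workstation behind such a router will look clean here while still using the rogue resolvers.

```python
import ipaddress
import re

# Rogue resolver ranges published by the FBI / DNS Changer Working Group (DCWG)
# for the DNSChanger infrastructure. Confirm against http://www.dcwg.org before
# relying on them; these are IPv4 only, which is all the malware used.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rogue_resolver(addr):
    """True if addr is an IPv4 address inside one of the published rogue ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not a parseable address, so not a rogue resolver
    if ip.version != 4:
        return False
    return any(
        ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
        for lo, hi in ROGUE_RANGES
    )


def extract_resolvers(text):
    """Pull resolver addresses out of resolv.conf lines or `ipconfig /all` output.

    resolv.conf:  'nameserver 8.8.8.8'
    ipconfig:     'DNS Servers . . . : 8.8.8.8' followed by indented
                  continuation lines that carry only an address.
    """
    found = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if stripped.startswith("nameserver"):
            found.extend(IPV4_RE.findall(stripped))
        elif "DNS Servers" in stripped:
            found.extend(IPV4_RE.findall(stripped))
            # ipconfig lists additional servers on label-less continuation lines
            while i + 1 < len(lines) and IPV4_RE.fullmatch(lines[i + 1].strip()):
                found.append(lines[i + 1].strip())
                i += 1
        i += 1
    return found


def check_resolvers(text):
    """Map each resolver found in text to whether it is a known rogue address."""
    return {addr: is_rogue_resolver(addr) for addr in extract_resolvers(text)}


# Constructed sample inputs (not real captures): one infected Linux host, one
# Windows host with one rogue and one legitimate resolver.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """   DNS Servers . . . . . . . . . . . : 93.188.160.5
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        for addr, rogue in check_resolvers(sample).items():
            status = "ROGUE (DNSChanger)" if rogue else "ok"
            print("%-12s %-16s %s" % (label, addr, status))
```

To run it against a real machine, paste the contents of /etc/resolv.conf or the output of ipconfig /all into check_resolvers(). A hit means the system (or something in front of it that handed out those addresses via DHCP) must be cleaned and its DNS settings corrected before the July 9, 2012 shutdown of the replacement servers.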
VMware ESX Server: Secunia reports vulnerabilities in VMware ESX Server versions 4.1 and 4.0, many of which are highly critical. VMware provides a partial fix and advises updating to a fixed version.
WordPress Vulnerabilities: Several vulnerabilities have been found in WordPress and WordPress Plugins. More information is available from Secunia.
ACDSee 14.x: Secunia reports a highly critical unpatched vulnerability in ACDSee. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 19, 2012.
ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12, 2011. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18, 2011.
ACD Systems Canvas CorelDRAW: A highly critical vulnerability in the handling of CorelDRAW (CDR) files has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Readers should refrain from opening untrusted CDR files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Adobe Photoshop: Secunia reports a highly critical vulnerability in Adobe’s Photoshop version 12.1. Other versions may also be affected. Adobe warns not to open untrusted TIFF images. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.
Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site: a malicious page can load the trusted site in an iframe, and the browser then presents the trusted site’s certificate information for the page the user is actually viewing. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned not to rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Apple iOS Safari: Secunia reports a less critical vulnerability in Apple’s iOS version 5.1 (9B176) on iPhone 4 and 4th generation iPod touch. Other versions and devices may also be affected. Apple warns not to navigate to sensitive pages via untrusted web pages. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.
Apple Safari: Secunia reports a moderately critical vulnerability in Apple’s Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.
Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
CA ARCserve Backup: Secunia reports a less critical vulnerability in CA’s ARCserve Backup in versions 12.0, 12.5, 15, and 16. CA provides a partial fix and advises updating to a fixed version. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.
HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.
HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.
McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.
Microsoft Windows XP: A less critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.
Microsoft Word: A highly critical vulnerability has been found in Microsoft Word 2002 (Word XP). No patch is available at this time. Readers should refrain from opening untrusted files in this earlier version of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.
Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.
PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.
If you are responsible for the security of your computer, our weekly report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.