Adobe Flash Player: Adobe has updated Flash to correct at least seven security vulnerabilities, many of which are highly critical. The current Windows version is 11.1.102.62.  Flash for Androids and other operating systems may have different version numbers.

Adobe Shockwave: Adobe has released Shockwave 11.6.4.634 to patch at least nine security vulnerabilities many of which are highly critical. The update is available from Adobe’s website.

Google Chrome 17.0.963.56: Google has updated its Chrome browser to patch at least 12 vulnerabilities, many of which are highly critical. Chrome can be updated from within the browser.

Microsoft Windows: Microsoft has issued nine security updates to fix at least 21 security vulnerabilities, many of them highly critical. Included in this month’s update is a patch to correct the highly critical vulnerability we first alerted readers to in Weekend Vulnerability and Patch Report, December 25, 2011. Updates are available from the Windows Control Panel.

Mozilla Firefox / Thunderbird / Seamonkey: Mozilla has updated these programs to correct a highly critical vulnerability. Update to Firefox 10.0.2 or 3.6.27, Thunderbird 10.0.2 or 3.1.19, or SeaMonkey 2.7.2.

Oracle Java: Oracle has released Java SE 6 Update 31 and Java 7 Update 3. The updates patch at least 14 security vulnerabilities, many of which are highly critical. Updates can be installed from the Windows Control Panel.

Current Software Versions

Adobe Flash 11.1.102.62 [Warning; see below]

Adobe Reader 10.1.2

Apple QuickTime 7.7.1

Apple Safari 5.1.2  [Warning; see below]

Google Chrome 17.0.963.56

Internet Explorer 9.0.8112.16421

Java SE 6 Update 31

Mozilla Firefox 10.0.2

Newly Announced Unpatched Vulnerabilities

ACDSee 14.x: Secunia reports a highly critical unpatched vulnerability in ACDSee.

Special Advisory Warning

Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

For Your IT Department

Cisco Advisory: US-CERT has announced that Cisco has released a security advisory for its Nexus products.

Important Unpatched Vulnerabilities

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12, 2011. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18, 2011.

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11,2011 remains unpatched. We recommend users disable the Flash player in their browsers or update to the newly-released beta [see above].

Android Browser: Secunia reports a vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection  remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Photoshop Elements: Adobe versions 1 – 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

VLC Media Player: VLC has released an advisory regarding a highly critical unpatched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player 1.1.13 will address the issue. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Dr. Stahl will be a guest on KFWB’s Money 101 with Bob McCormick on Tuesday, February 21 at 10:00 AM. KFWB is at AM980 and on the Internet.

News of the Week Commentary — ISSA-LA Announces Annual Information Security Summit

ISSA of Los Angeles Holds Fourth Annual Information Security Summit on Protecting Businesses from Cybercrime: The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) will hold its fourth annual Information Security Summit on Wednesday, May 16, 2012 at Hilton Universal City Hotel in Los Angeles. The theme of the one-day Summit is The Growing Cyber Threat: Protect Your Business.

Cyber Crime

Report: Chinese hackers breach Nortel networks: Hackers working from China have reportedly had access to Nortel’s networks since breaching the telecommunication company’s networks as far back as 2000. According to a report from the Wall Street Journal, hackers stole seven passwords from Nortel’s top executives, granting them access to reports, business plans, employee e-mails and other documents. Washington Post, February 14, 2012

How Much Have Foreign Hackers Stolen?: Hackers in China and Russia, security experts say, are habitually breaking into foreign travelers’ mobile devices, leapfrogging into their corporate networks and stealing sensitive government information and corporate trade secrets, often undetected. I explored this issue in an article in Saturday’s New York Times. The New York Times, February 14, 2012

Cyber Crime – Social Engineering

Climate change doubter Heartland Institute documents leaked: Earlier this week, the Heartland Institute, a self-described “free-market think tank” that pilloried climate scientists whose stolen emails were released in 2009 as part of the so-called Climategate flap, found itself duped out of several confidential fundraising documents that were then distributed widely over the Internet, offering a glimpse of its priorities. LA Times, February 16, 2012

Hacktivists

Anonymous movement claims attack on U.S. tear gas company: The website of a U.S. company whose tear gas has been used against demonstrators in Egypt is the latest to be broken into by the Anonymous movement, hackers claimed Tuesday. USA Today, February 14, 2012

Cyber Security Management

Conversations On Cybersecurity Part 3: Why You Aren’t Protected: When we last left the attorneys, they had learned who attacked them and why, they had learned how the attackers got into their systems, and they were waiting to learn why the tools that security vendors had sold them didn’t protect their computers against the targeted attacks. Forbes, February 12, 2012

Data breaches put patients at risk for identity theft: Walk into a doctor’s office and chances are that some of your most private information — from your Social Security number to the details of your last cervical exam and your family’s cancer history — is stored electronically. USA Today, February 13, 2012

Smartphone Privacy

10 Steps To Smartphone Privacy: Your smartphone is simultaneously your best friend and your worst enemy. It can help you find the nearest Starbucks for a caffeine fix, reach out to loved ones in times of need, or get the score of that vital play-off game. If it falls into the wrong hands, heck, even if it doesn’t fall into the wrong hands, a smartphone can expose your contacts, location history, banking data, and more. Smartphone privacy was in the news again this week, due to a fresh Google and Apple iPhone privacy flap. Information Week, February 18, 2012

Cyber Privacy

Google hit with FTC complaint, says circumventing Safari privacy features accidental: The Consumer Watchdog advocacy group today asked the Federal Trade Commission to investigate whether Google violated a previous privacy agreement with the FTC by tracking cookies in a way that circumvents default privacy settings in Apple’s Safari browser. ars technica, February 18, 2012

Google sued by Safari user over privacy flap: Google Inc. officials were sued for violating users’ privacy rights on Apple Inc.’s Safari Web browser by bypassing computer settings designed to block monitoring of consumers’ online activity. Washington Post, February 17, 2012

Cyber Security Legislation

Cybersecurity Measure to Boost Companies’ Costs, Lobbyists Say: wo of the largest U.S. business- lobbying groups criticized a Senate cybersecurity bill aimed at shielding vital computer networks, saying the measure would burden companies with unneeded and costly regulation. Bloomberg, February 15, 2012

Cybersecurity bill blocked by top GOP senators: There’s no disagreement on Capitol Hill that more needs to be done to protect the country’s critical infrastructure from potentially devastating cyberattacks. It’s just that lawmakers, particularly in the Senate, can’t agree on how to go about doing it. Politico, February 16, 2012

Napolitano backs Senate cybersecurity bill, industry reporting requirement: Homeland Security Department Secretary Janet Napolitano told lawmakers the White House approves of new Senate computer security legislation that would require critical sectors to report network intrusions to the government. Nextgov, February 16, 2012

Cyber Security Infrastructure

Flaw Found in an Online Encryption Method: A team of European and American mathematicians and cryptographers have discovered an unexpected weakness in the encryption system widely used worldwide for online shopping, banking, e-mail and other Internet services intended to remain private and secure. The New York Times, February 14, 2012

Cyber Security R&D

Genetically-inspired algorithm could improve network security: Computer scientists at Wake Forest University are using a genetically-inspired algorithm that proactively discovers more secure computer network configurations. Wired, February 16, 2012

Adobe Flash 11.2 beta 5: Adobe has released a public beta version of its Flash player software for Firefox that forces the program to run in a heightened security mode or “sandbox” designed to block attacks that target vulnerabilities in the software. The sandboxed Flash beta for Firefox  works with Firefox 4 or later running on Window Vista or Windows 7. The beta is available from Adobe. Brian Krebs at KrebsOnSecurity.com writes “I’ve been using the beta version for nearly two days now without incident on a Windows 7 Firefox 10 install (with Firefox running under Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET). But if you do experience glitches or compatibility issues, you can always revert back to the non-sandboxed version. If you decide to try the beta, make sure to uninstall the current version using Adobe’s Flash uninstaller tool; then grab and install the beta.”

Firefox 10.0.1: Mozilla has released an update to Firefox to patch vulnerabilities. Firefox can be updated from within the program.

Google Chrome 17.0.963.46; Google has updated its Chrome browser to patch at least 20 vulnerabilities, many of which are highly critical. Chrome can be updated from within the browser.

RealPlayer 15.0.2.71: RealPlayer has been updated to patch multiple highly critical security vulnerabilities. RealPlayer can be updated from within the program.

Current Software Versions

Adobe Flash 11.1.102.55 [Warning; see below]

Adobe Reader 10.1.2

Apple QuickTime 7.7.1

Apple Safari 5.1.2  [Warning; see below]

Google Chrome 17.0.963.46

Internet Explorer 9.0.8112.16421

Java SE 6 Update 30

Mozilla Firefox 10.0.1

Newly Announced Unpatched Vulnerabilities

None

Special Advisory Warning

Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

For Your IT Department

CA Total defense Suite R12 SE3 (Build 831): Computer Associates has released an update to CA Total defense to patch two vulnerabilities.

Important Unpatched Vulnerabilities

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12, 2011. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18, 2011.

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11,2011 remains unpatched. We recommend users disable the Flash player in their browsers or update to the newly-released beta [see above].

Android Browser: Secunia reports a vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection  remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.

Microsoft Windows: Secunia reports a highly critical unpatched vulnerability in Windows 7 Professional 64-bit. Other versions may also be affected. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Photoshop Elements: Adobe versions 1 – 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

VLC Media Player: VLC has released an advisory regarding a highly critical unpatched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player 1.1.13 will address the issue. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

This week’s story by Brian Krebs of KrebsOnSecurity.com that half of Fortune 500s and Government agencies are still infected with the DNSChanger Trojan should serve as a reminder of the critical importance of vulnerability management to all organizations.

The DNSChanger Trojan malware alters an infected computer’s Internet settings to hijack search results and to block victims from visiting security sites that might help scrub the infections. According to Krebs, DNSChanger was frequently bundled with other types of malware, meaning that systems infected with the Trojan often also host other, even more nefarious digital parasites.

Krebs continues: “Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web.”

Management needs to ensure that IT Departments are diligent in removing DNSChanger from infected PCs. Home users can check to see if they are running DNSChanger by following the instructions here.

Warnings

Hackers release source code for Symantec’s PCAnywhere: A group of hackers has released the source code for Symantec’s PCAnywhere product. The public release of the code yesterday came as no surprise as the hackers had been threatening such an action in a series of e-mail negotiations with what they thought were representatives of Symantec. The group, known as Yamatough but operating under the umbrella of Anonymous, had been demanding a $50,000 payoff from Symantec to keep the source code private. Cnet, February 8, 2012

Google Wallet flaws let attackers view card info: A security researcher has found a serious flaw in Google Wallet’s PIN protection that, in seconds, could enable an attacker to view everything in the owner’s digital wallet, including credit card numbers and transaction history. MSNBC, February 10, 2012

Spam Warnings

Hackers Ask ‘Will You Be My Valentine?’: There are only five days to Valentine’s Day. Those of you who are shocked by that revelation are prime targets for Valentine’s Day related spam and phishing attacks as hackers hope to catch you with your guard down for this day of romance. PC World, February 9, 2012

U.S. Tax Season Phishing Scams and Malware Campaigns: US-CERT has received reports of an increased number of phishing scams and malware campaigns that take advantage of the United States tax season. Due to the upcoming tax deadline, US-CERT reminds users to remain cautious when receiving unsolicited email that could be part of a potential phishing scam or malware campaign.These phishing scams and malware campaigns may include, but are not limited to, the following:

• information that refers to a tax refund,
• warnings about unreported or under-reported income,
• offers to assist in filing for a refund, and
• details about fake e-file websites.

Cyber Security Management

Half of Fortune 500s, US Govt. Still Infected with DNSChanger Trojan: More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows. KrebsOnSecurity, February 9, 2012

Conversations On Cybersecurity: The Trouble With China, Part 1:
A few Sundays ago, two visitors from a large law firm in New York came to my home for conversation. The managing partner and IT partner flew to Washington to talk about what they might do in the aftermath of a troubling visit they had had from the FBI. Forbes, January 31, 2012

Conversations On Cybersecurity: The Trouble With China, Part 2: When we left the attorneys, in the last installment, they were wondering just how the cyber industrial spies had gotten into their computers. Forbes, February 5, 2012

New InformationWeek Reports Research Finds 21% of IT Pros Think Their Encryption Initiatives Are Falling Behind Peers’: SAN FRANCISCO, Feb. 7, 2012 /PRNewswire via COMTEX/ — InformationWeek Reports ( www.reports.informationweek.com ), a service provider for peer-based IT research and analysis, announced the release of its latest research report. Data Encryption: Ushering In a New Era encompasses analysis of results from InformationWeek’s recent 2012 data encryption survey and guides readers in choosing and deploying encryption to support a data-centric security policy. More than 500 business technology professionals responded to this poll. The Wall Street Journal, February 7, 2012

Google Bouncer Won’t Block All Android Malware: Will the newly announced Google Bouncer help the company prevent all fraudulent and malicious apps from sneaking into its Android Market? InformationWeek, February 7, 2012

Traveling Light in a Time of Digital Thievery: SAN FRANCISCO — When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. The New York Times, February 11, 2012

Internet Badlands

Hackers Have Been Robbing iTunes Customers Since 2010: Lots of iTunes users are receiving refunds after hackers stole their ITunes Store balance with no explanation from Apple on how it happened, reports CNET. Business Insider, February 10, 2012

Critical Infrastructure

Watchdog finds cybersecurity ‘shortcomings’ with stimulus-backed power grid program: A multibillion-dollar stimulus push to modernize the nation’s power grid is raising cybersecurity concerns, as the Department of Energy’s official watchdog reports that dozens of grant recipients came to the table with inadequate security plans. Fox News, February 4, 2012

Home Security

Flaw in Home Security Cameras Exposes Live Feeds to Hackers: A flaw in home security cameras made by Trendnet potentially exposed thousands of customers to hackers who could access the live video feeds without a password. Wired, February 7, 2012

Hacktivists

National hacking spree hits cop sites: The same hackers who brought down the Boston Police Department community website last week kept their promise to launch cyber attacks against a string of government sites yesterday. February 11, 2012

Hackers Have Their Way With Apple Supplier Foxconn: Those mischievous rapscallion hackers have been up to their usual fare, targeting a Chinese supplier infamous both for its deep relationship with Apple and its long history of alleged worker abuses. Daily Tech, February 9, 2012

Cyber Piracy

The Piracy Problem: How Broad?: When Fred Wilson, a prominent New York venture capitalist who has backed Twitter and Zynga, wanted to watch the Knicks game last month, he got an unpleasant surprise. Time Warner Cable was not showing the game because of a contract dispute. The New York Times, February 8, 2012

Cyber Security Legislation

Tax Breaks Considered to Improve Cybersecurity on Vital Networks: Feb. 8 (Bloomberg) — Tax breaks and liability protection may spur banking, energy and telecommunication companies to improve cybersecurity on their computer networks, the chairman of a House technology panel said. BusinessWeek, February 09, 2012

Bigger US role against companies’ cyberthreats?: WASHINGTON – A developing Senate plan that would bolster the government’s ability to regulate the computer security of companies that run critical industries is drawing strong opposition from businesses that say it goes too far and security experts who believe it should have even more teeth. Fox News, February 6, 2012

Senators to introduce long-awaited cybersecurity bill next week: Three senators are expected to introduce a long-awaited cybersecurity bill next week that will overhaul the way the government protects critical networks. Federal Times, February 9, 2012

Security Bills Bruised by Lingering Fight: The ghosts of two doomed antipiracy bills hang over a new and unrelated issue on Capitol Hill: proposed legislation to help secure the nation’s nuclear plants, water systems and other essential infrastructure from hackers and terrorists. The New York Times, February 8, 2012

Cybersecurity Bill Responds to Industry Cost Concerns, Reid Says: Feb. 10 (Bloomberg) — Cybersecurity legislation in the U.S. Senate was designed to avoid unmanageable costs to industry and can be altered in coming weeks, Senate Majority Leader Harry Reid told the nation’s largest business lobbying group. Bloomberg, February 10, 2012

International Cyber Security

EU to Stengthen Its Cybersecurity Watchdog: A push by European authorities to strengthen the European Union’s cybersecurity watchdog has been given a green light by parliamentarians. PC World, February 8, 2012

Inside INTERPOL’s New Cybercrime Innovation Center: INTERPOL, the international policing agency, is opening a massive innovation center in Singapore in 2014. At the center, law enforcement will learn all about the latest cybercrimes… and have access to cutting-edge forensics laboratories and research stations. Fast Company, February 9, 2012

Cyber Comedy

Boston Police Respond to Hackers with Satirical YouTube Video: With rapper KRS-One’s now all-too-familiar “Sound of Da Police” music video intermittently popping up, Boston Police officers satirically discuss the “emotional trauma” they felt after the police department’s website, BPDNews.com,was hacked last Friday, in a light-hearted, video comeback of sorts at the hacking group “Anonymous.” WestRoxburyPatch, February 9, 2012

Apple Mac OS X 10.7.3: Apple has released a security update to Mac OS X to patch several highly critical vulnerabilities. Updates are available through Apple’s website.

HTC Products: HTC has released updates to several of its products to patch a common vulnerability. Updates are available through HTC’s update channel.

Mozilla Firefox 3.6.26 / Thunderbird 3.1.18: Mozilla has released a security update to patch several highly critical vulnerabilities. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, January 15, 2012. Updates are available through the programs.

Mozilla Firefox 10.0 /  Thunderbird 10.0: Mozilla has released a security update to patch several highly critical vulnerabilities. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, January 15, 2012. Updates are available through the programs.

Mozilla SeaMonkey 2.7: Mozilla has released a security update to patch several highly critical vulnerabilities. Updates are available through the program.

RoboForm 7.7.0: Roboform has updated its popular password management program. The update is available through the program.

Skype 5.8.0.154: Skype has released an update to patch a moderately critical vulnerability. The update is available through the program. [Note: When I tried to update Skype from within the program, Skype reported it was up-to-date. To update Skype, I had to download Skype from Skype's website and re-install the program.]

Current Software Versions

Adobe Flash 11.1.102.55 [Warning; see below]

Adobe Reader 10.1.2

Apple QuickTime 7.7.1

Apple Safari 5.1.2  [Warning; see below]

Google Chrome 16.0.912.77

Internet Explorer 9.0.8112.16421

Java SE 6 Update 30

Mozilla Firefox 10.0

Newly Announced Unpatched Vulnerabilities

None

Special Advisory Warning

Symantec pcAnywhere: As we reported last week in our Cyber Security News of the Week, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

For Your IT Department

None

Important Unpatched Vulnerabilities

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12, 2011. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18, 2011.

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11,2011 remains unpatched. We recommend users disable the Flash player in their browsers.

Android Browser: Secunia reports a vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection  remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.

Microsoft Windows: Secunia reports a highly critical unpatched vulnerability in Windows 7 Professional 64-bit. Other versions may also be affected. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Photoshop Elements: Adobe versions 1 – 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

VLC Media Player: VLC has released an advisory regarding a highly critical unpatched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player 1.1.13 will address the issue. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

We posted a special blog this week in response to FBI Director Robert Mueller’s testimony to the U.S. House Permanent Select Committee on Intelligence. Mueller stated that he believes “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future.”

Human nature being what it is, cyber crime and hacktivism will get worse before things get better. While we can hope to avoid cybergeddon, we also have to remember that hope is not a strategy. Lest there be any doubt, take a look at the face of Anonymous described in the Huffington Post or any of the other articles we’ve posted recently describing the cyber criminal and hacktivist communities.

As we wrote in our blog, organizations of all types and sizes need to take a hard look at their cyber security management, asking themselves how they can better gather, share, analyze and use cyber information to strengthen their security posture and improve their ability to withstand cyber attacks.

Warnings

Update: Windows Media Player vulnerability: New research from M86 Labs adds further insight on the MIDI exploit first highlighted by Trend Micro last week. InfoSecurity, February 1, 2012

Facebook Malware Scam Takes Hold: A “worrying number” of Facebook users are sharing a link to a malware-laden fake CNN news page reporting the U.S. has attacked Iran and Saudi Arabia, security firm Sophos said Friday. PC World, February 3, 2012

Information at Risk

China-Based Hackers Target Law Firms to Get Secret Deal Data: Jan. 31 (Bloomberg) — China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal. Bloomberg, February 3, 2012

Hackers infiltrate domain name auction house: Computer hackers have penetrated the database of Australia’s biggest internet domain name auction house, possibly accessing client home addresses and encrypted credit card numbers. TheAge.com, February 2, 2012

Have 5 Million Android Users Fallen Victim to Malware Attack?: For as long as there has been advertising on the Internet there has been a fuzzy line dividing subterfuge and acceptable tricks to attract clicks. The problem of distinguishing between the legitimate and illegitimate now appears to have extended to smartphone apps as well. The Wall Street Journal, January 30, 2012

Cyber Security Management

Cyber Liability: Do You Need To Safeguard Your Firm Against Cyber Crimes?: It’s no secret that cyber crime is on the rise. From identity theft, to credit card fraud, cyber criminals become more sophisticated by the day. That means that data breaches are skyrocketing and victims of online theft are multiplying exponentially. Furthermore, there is an emerging trend in cyber crime that is slowly starting to make headlines. That being that victims of cyber crimes are no longer just major credit card companies or large businesses. In fact, according to an article published in the Wall Street Journal in July of 2011, a whopping 63% of data breaches occurring in 2010 were at companies with less than 100 employees. Attorney Journal, January 17, 2012

Vulnerability Management — Ray of Sunshine

Google now scanning Android apps for malware: Google has added an automated scanning process that is designed to keep malicious apps out of the Android Market, the company announced today. Cnet, February 2, 2012

Mobile Banking (In)security

Why corporate mobile banking is scary: In its December report on the emergence of corporate mobile banking, Celent wrote that “a slew of new devices, cheaper data plans, and faster networks are upon us. Business mobile users have the opportunity to take advantage of rich and powerful mobile banking services, provided their bank has an offering,” Sound pretty good. But the report, “Corporate Mobile Banking: Revolutionizing Cash Management,” authored by Jacob Jegher, also raises red flags about security. ABA Banking Journal

Our Mobile-Banking Warnings about Security Prove Prophetic: There’s another warning about mobile banking — even the American Bankers Association in this published report: “Why corporate mobile banking is scary.” The banking-industry article explains the difference between corporate and retail mobile banking. Corporate mobile banking is used by high net worth executives. Retail mobile banking refers to use by the masses. The Biz Coach, February 1, 2012 [This article, by our colleague, Terry Corbell, continues to document the challenges of mobile banking security. Dr. Stahl is quoted extensively.]

Identity Theft Protection

Utah attorney general unveils program to combat ID theft targeting children: SALT LAKE CITY — Utah’s attorney general and credit reporting company TransUnion unveiled a program Tuesday that seeks to protect children from identity theft, a growing problem in the U.S. that authorities say is difficult to detect and prosecute. The Republic, January 31, 2012

Hack Journalism

Questions on Hacking for Times of London: LONDON — Questions about illegal computer hacking by The Times of London were raised on Thursday when officials at the judicial inquiry into press ethics said they would recall the paper’s editor for further testimony and the police confirmed that they were investigating an incident in 2009 in which one of the paper’s reporters apparently hacked an e-mail account. The New York Times, February 2, 2012

Keystone Cyber Cops

‘Anonymous’ hackers intercept conversation between FBI and Scotland Yard on how to deal with hackers: The conversation covered updates to on-going court cases, the recent arrest of a 15-year-old for hacking his school website, and even touched on cheese and the merits of Sheffield. The Telegraph, February 3, 2012

Breach Disclosure

VeriSign Hit by Hackers in 2010: Internet giant VeriSign was hacked repeatedly in 2010 resulting in the theft of undisclosed information and raising questions about the integrity of security certificates issued by the company as well as its domain name service. Wired, February 2, 2012

Hactivists

Anonymous And The War Over The Internet: Late in the afternoon of Jan. 19, the U.S. Department of Justice website vanished from the Internet. Anyone attempting to visit it to report a crime or submit a complaint received a message saying the site was unable to load. More websites disappeared in rapid succession. The Recording Industry Association of America. The Motion Picture Association of America. Universal Music. Warner Brothers. The FBI. Huffington Post, January 30, 2012

Anonymous And The War Over The Internet (Part II): If Anonymous spans the moral range between the idealistic revolutionary and the nihilistic imp, Phoenix stands all the way at the idealistic end. His base of operations is a network of chat rooms called AnonOps, which birthed many of the overtly political attacks that have made Anonymous a front-page story during the last two years. Huffington Post, January 31, 2012

Hackers deface website of lawyers for US Marine: Members of the hacker group Anonymous defaced the website on Friday of the law firm that defended a US Marine who faced charges in connection with the 2005 killing of 24 Iraqi civilians. AFP, February 4, 2012

Law enforcement websites under attack by hackers: SALT LAKE CITY – (AP) — Saboteurs stole passwords and sensitive information on tipsters while hacking into the websites of several law enforcement agencies worldwide in attacks attributed to the collective known as Anonymous. Newsday, February 3, 2012

Pro-Palestinian hackers claim to publish details of 26,000 more Israeli credit cards: An international group of hackers claimed Thursday to have published the details of 26,000 credit cards overnight, in the latest addition to a series of cyber attacks between pro-Palestinian and pro-Israeli hackers. Haaretz.com, February 2, 2012

National Cyber Security

FBI Director Says Cyberthreat Will Surpass Threat From Terrorists: Threats from cyber-espionage, computer crime, and attacks on critical infrastructure will surpass terrorism as the number one threat facing the United States, FBI Director Robert Mueller testified today. ABC News, January 31, 2012

FBI: Cyber threat might surpass terror threat: Today, FBI Director Robert Mueller told the U.S. House Permanent Select Committee on Intelligence that he believes “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future. CBS News,  February 2, 2012

Cybersecurity is a ‘team sport’: The federal government possesses cybersecurity threat information and technical capabilities that private enterprises simply do not have. But what is the proper role of the government in the cyber realm? Should it provide cybersecurity for the private sector, or should the government require that the private sector secure its own networks to a particular standard? These topics are currently under great debate in both the House and Senate. The Hill, February 3, 2012

Never Mind…

Symantec recants Android malware claims: Symantec has backtracked from assertions last week that 13 Android apps distributed by Google’s Android Market were malicious, and now says that the code in question comes from an aggressive ad network that provides revenue to the smartphone programs. Computer World, February 1, 2012

It is not just our sensitive information that is threatened. The Internet itself is threatened … and extremely vulnerable. In the last several weeks, we’ve seen successful Distributed Denial of Service (DDoS) attacks against banks, governments, law enforcement and the entertainment industry. We’ve seen Israeli and Palestinian cyber-vigilantes launch DDos attacks against each others web sites. What happens when  radical organizations discover they can launch a DDoS attack against their enemies? We should not be surprised to see the Internet become a battleground in America’s culture wars.

In his testimony, Mueller recommended that we need to become better at gathering, sharing, analyzing and using cyber information, offering several specific suggestions to the Committee for needed changes at the Bureau, throughout government and in new legislation.

His recommendation apply as well to individual organizations, as our work with clients continue to demonstrate. Every organization with sensitive information needs to continually ask itself: Are we gathering the information we need to understand our cyber threat and the quality of our cyber defenses? Are we effectively analyzing this information, using it to better secure our information? Are we sharing it with the necessary parties? In particular, is management getting the information they need to proactively manage information risk?

One highly critical defensive measure, for example, is to rigorously keep software patched. One of the easiest ways for a cyber criminal to take control of a computer is to exploit a vulnerability in unpatched software. That’s why we publish our Weekend Patch and Vulnerability Report, alerting readers to major patches.

Patching needs to be on the Weekly Must-Do list of every IT Department and IT vendor. Yet, when we assess the patch levels of organizations, we are not surprised to often see more than 100 unpatched vulnerabilities on desktops. Does IT gather vulnerability information? Do they analyze it, taking appropriate action to keep vulnerabilities to a minimum? Is it shared with Senior Management? Does Senior Management know that IT must patch vulnerabilities to comply with laws like HIPAA HITECH or contractual obligations like the Payment Card Industry’s Data Security Standard? Does Senior Management regularly monitor “weekly vulnerability trends?”

Mueller’s recommendation that we become better at gathering, sharing, analyzing and using cyber information apply to our communities as well. That’s what led our Los Angeles ISSA Chapter to launch our Community Outreach Program 5 years ago. It’s our mission to be the premier catalyst and information source in Los Angeles for improving the practice of information security. It’s the genesis of our tag: It Takes the Village to Secure the Village. ^SM   It’s the orientation of our newly designed website. And it’s the focus of our forthcoming Fourth Information Security Summit, being held May 16, 2012 at the Universal Hilton Hotel.

Human nature being what it is, cyber crime and hacktivism will likely get worse before things get better. While we can hope to avoid cybergeddon, we also have to remember that hope is not a strategy.

Google Chrome 16.0.912.77: Google has released an update to patch several highly critical vulnerabilities. Updates are available through the program.

Symantec pcAnywhere 12.x: Symantec has released hotfixes to patch several moderately critical vulnerabilities in pcAnywhere. Information on applying these hotfixes is available from Symantec in notes TECH179526 and TECH 179960. WARNING: Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code. See our Cyber Security News of the Week for more information.

Current Software Versions

Adobe Flash 11.1.102.55 [Warning; see below]

Adobe Reader 10.1.2

Apple QuickTime 7.7.1

Apple Safari 5.1.2  [Warning; see below]

Google Chrome 16.0.912.77

Internet Explorer 9.0.8112.16421

Java SE 6 Update 30

Mozilla Firefox 9.0.1 [Warning; see below]

Newly Announced Unpatched Vulnerabilities

None

For Your IT Department

Symantec’s warning this week to users to disable PCAnywhere following the theft of its source code stands in contrast to the company’s assurances a few weeks ago that the theft of its source code posed little risk to users. [See Cyber Security News of the Week, January 8, 2012.]

At issue is the responsibility information security vendors have to their customers when the vendor’s products may be exposing customers to risk. It’s common for a company to circle the wagons and fall into a protective mode when bad news comes out. The strategy is usually a losing one as the bad news comes out eventually and the company ends up with egg on its face. So, from the company’s own perspective, the right strategy is often to own up to the problem from the start.

In cases of security the situation also carries moral and ethical implications. Twenty years ago when Tylenol was confronted with the death of several people after someone put poison in it products, Tylenol immediately removed the product from stores across the country and launched a public relations campaign to warn users.

The loss of information is not the same as the loss of lives, but don’t those of us in the business of protecting the sensitive information of our clients and customers have the same ethical and moral obligation to warn our users immediately?

Vulnerability Alert

Symantec: Anonymous stole source code, users should disable pcAnywhere: Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. ars technica, January 26, 2012

Cyber Crime – Online Bank Theft

Hackers tap Salem Co. account for $19,000: Computer hackers have broken in and stolen approximately $19,000 by way of an illegal wire transfer from a Salem County bank account that held more than $13 million in funds. nj.com, January 22, 2012

Internet Badlands

Hackers-for-Hire Are Easy to Find: Sitting in his Los Angeles home, Kuwaiti billionaire Bassam Alghanim received an alarming call from a business associate: Hundreds of his personal emails were posted online for anyone to see. The Wall Street Journal, January 23, 2012

Cyber Security Management

Cameras May Open Up the Board Room to Hackers: One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms; videoconferencing equipment. The New York Times, January 23, 2012

Healthcare Privacy – National Dialogue

Should Every Patient Have a Unique ID Number for All Medical Records?: As the U.S. invests billions of dollars to convert from paper-based medical records to electronic ones, has the time come to offer everyone a unique health-care identification number? The Wall Street Journal, January 23, 2012

Cyber War – The Middle East

Pro-Palestinian hackers bring down Haaretz Hebrew website: Pro-Palestinian hackers brought down Haaretz’s Hebrew website on Wednesday, after several Israeli websites were targeted earlier in the day. January 25, 2012

Privacy Rights – European Union

EU Data-Privacy Overhaul Gives Consumers More Control: The European Commission on Wednesday proposed an overhaul to its data protection laws, which will provide users with more control over their data and make the process of monitoring data security less complex for agencies across the EU. PC Magazine, January 25, 2012

Ray of Sunshine

FileSonic disables file sharing in wake of MegaUpload arrests: Following the MegaUpload shutdown and indictments last week, FileSonic, one of the Internet’s most popular file-sharing services, has disabled its sharing functionality. Cnet, January 22, 2012

New Web Piracy Arrest as Site Founder Is Denied Bail: THE HAGUE, Netherlands — An Estonian citizen was arrested by Dutch police at the request of American authorities investigating the file-sharing Web site Megaupload, a prosecutor’s office spokeswoman said Wednesday. January 25, 2012

Adobe Reader and Acrobat 10.1.2: Adobe has released an update to patch several highly critical vulnerabilities. For users who cannot upgrade to version X, Adobe has also released version 9.5. Updates are available through the program. 

Apple iTunes 10.5.3: Apple has released an update to patch several minor issues, including security.

Current Software Versions

Adobe Flash 11.1.102.55 [Warning; see below]

Adobe Reader 10.1.2

Apple QuickTime 7.7.1

Apple Safari 5.1.2  [Warning; see below]

Google Chrome 16.0.912.75

Internet Explorer 9.0.8112.16421

Java SE 6 Update 30

Mozilla Firefox 9.0.1 [Warning; see below]

Newly Announced Unpatched Vulnerabilities

McAfee SaaS: Secunia reports a highly critical vulnerability in McAfee SaaS Endpoint Protection. No patch is available at this time.

For Your IT Department