WEEKEND VULNERABILITY AND PATCH REPORT

February 24, 2013

The following software vulnerabilities and updates were announced by Citadel Information Group.  They strongly recommend that readers update their computers and take other action as indicated.  This is from an e-mail received from Stan Stahl, Ph.D. [www.citadel-information.com] and posted with his approval.

Important Security Updates

Adobe Reader: Adobe has released version 11.0.02 for its Reader. Adobe has also released an update for Adobe Acrobat. Updates are available from within the program or Adobe's website.

Apple iOS: Apple has released version 6.1.2 to update its operating system for iPhones. Updates are available through the iPhones.

Apple iTunes: Apple has released version 11.0.2 of iTunes. Updates are available through iTunes or Apple's website.

Apple OS X Java: Apple has released Mac OS X 10.6 Update 13 for Java version SE 6 to 1.6.0_41. Updates are available from Apple's website.

Google Chrome: Google has released an update to Chrome to fix at least 22 highly critical vulnerabilities. Update to version 25.0.1364.97 for Windows and 25.0.1364.99 for Macs either through the program or from Chrome's website.

Mozilla Firefox: Mozilla has released version 19.0 of Firefox to fix at least 14 highly critical vulnerabilities. Updates are available through Firefox. Updates are also available for Thunderbird and SeaMonkey.

Oracle Java: Oracle has released Java 7 Update 15 to fix at least 5 highly critical vulnerabilities. Updates are available from Java's website.

Current Software Versions

Adobe Flash 11.6.602.168 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.6.602.167 [Windows 8: IE]

Adobe Flash 11.6.602.167 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.01

Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 19.0 [Windows]

Google Chrome 25.0.1364.97

Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]

Internet Explorer 10.0.9200.16484 [Windows 8: IE]

Java SE 7 Update 15 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser - such as Chrome, IE9, Safari, etc - with Java enabled to browse only the sites that require it.]

QuickTime 7.7.3 (1680.64)

Safari 5.1.7  [Windows, See warning below]

Safari 6.0.2 [Mac OS X]

Skype 6.2.0.106

For Your IT Department

VMWare Multiple Products: VMWare has released updates for multiple products to fix at least 32 vulnerabilities, some of which are highly critical. Apply appropriate updates.  

 

Important Unpatched Vulnerabilities

Adobe Shockwave Player: Secunia reports at least two highly critical vulnerabilities in Adobe's Shockwave Player. No patches are available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 17, 2013.

Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

AOL downloadUpdater2 Firefox Plugin: Secunia reports a highly critical vulnerability in version 1.3.0.0. Other versions may also be affected. No solution is currently available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12, 2012.

Apple iOS for iPhone: Secunia and The Verge both report a weakness in Apple's iOS for iPhone 3GS and later that would allow someone with physical access to bypass the lock screen. No official solution is currently available. Reportedly Apple is planning to release an update. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 17, 2013.

Apple Safari for Windows: Secunia reports a moderately critical vulnerability in Apple's Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.

Apple Safari for Windows: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

D-Link DIR-300 / DIR-600: Secunia reports multiple moderately critical vulnerabilities in two of D-Link's wireless routers; DIR-300 and DIR-600. There are no patches available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 10, 2013.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Samsung / Dell Printers: Secunia reports a moderately critical security issue in Samsung's ML-2580 and ML-4050 Monochrome Laser Printers and Dell's 2145cn and 2335dn Multifunction Printers. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 2, 2012.

Samsung Galaxy S III: Secunia reports two highly critical vulnerabilities in the Galaxy S3 device. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 14, 2012.

Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

VLC Media Player: As we reported in our Cyber Security News of the Week, December 16, 2012, Secunia reports a highly critical vulnerability in the VLC Media Player. No patch is available at this time.

VLC Media Player: Secunia reports a highly critical vulnerability in VLC's Media player, version 2.05 and prior. No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 3, 2013.  

ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in their programs dating back more than a year. Consequently Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of their security vulnerabilities in opening doors to cyber criminals . The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.

• ACD Systems Canvas: Secunia reports at least 13 highly critical unpatched vulnerabilities in ACD Systems Canvas version 14. See Weekend Vulnerability and Patch Report, August 5, 2012.
• ACDSee 14.x: Secunia reports a highly critical unpatched vulnerability in ACDSee. See Weekend Vulnerability and Patch Report, February 19, 2012.
• ACDSee Photo: Several highly critical unpatched vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. See Weekend Vulnerability and Patch Report, June 12, 2011. See also Weekend Vulnerability and Patch Report, September 18, 2011 where we alerted readers to a second vulnerability in FotoSlate.
• ACD Systems Canvas CorelDRAW: A highly critical unpatched vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system.. See Weekend Vulnerability and Patch Report, July 31, 2011.

If you are responsible for the security of your computer, Citadel's Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer's computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2013 Citadel Information Group. All rights reserved.

Tax Tips for Recently Married Taxpayers

If you got married during 2012, here are some post-marriage tips to help you avoid stress at tax time.

1. Notify the Social Security Administration − Report any name change to the Social Security Administration so that your name and SSN will match when filing your next tax return. Informing the SSA of a name change is quite simple. File a Form SS-5, Application for a Social Security Card at your local SSA office. The form is available on SSA's Web site, by calling 800-772-1213, or at local offices. Your income tax refund may be delayed if it is discovered your name and SSN don't match at the time your return is filed.
2. Notify the IRS - If you have a new address, you should notify the IRS by sending Form 8822, Change of Address.
3. Notify the U.S. Postal Service - You should also notify the U.S. Postal Service when you move so that any IRS or state tax agency correspondence can be forwarded.
4. Review Your Withholding and Estimated Tax Payments - If both you and your new spouse work, your combined income may place you in a higher tax bracket, and you may have an unpleasant surprise when we prepare your return for 2012. On the other hand, if only one works, filing jointly with your new spouse can provide a significant tax benefit, enabling you to reduce your withholding or estimated payments. The fat is in the fire for 2012, but it may be appropriate to review your withholding (W-4 status) and estimated tax payments, if any, for 2013 to make sure you are not going to be under-withheld and set yourself up to receive bad news.

If you have any questions, please give this office a call.

WEEKEND VULNERABILITY AND PATCH REPORT

February 17, 2013

The following software vulnerabilities and updates were announced by Citadel Information Group.  They strongly recommend that readers update their computers and take other action as indicated.  This is from an e-mail received from Stan Stahl, Ph.D. [www.citadel-information.com] and posted with his approval.

Important Security Updates

Adobe Flash Player / AIR: Adobe has released an update to fix at least 17 highly critical vulnerabilities in its Flash Player and AIR. Updates are available from Adobe's website.

Apple iOS: Apple has released version 6.1.1 to update its operating system for iPhones. Updates are supposed to be available through the device. However, on some devices, "Check for Updates" mistakenly shows 6.1 as current version. We have not found a way to force an update to 6.1.1.

Apple iTunes: Apple has released version 11.0.1 of iTunes. Updates are available through iTunes or Apple's website.

Microsoft Patch Tuesday: Microsoft released a dozen patches addressing at least 57 security vulnerabilities, many of them highly critical in Windows, Office, Internet Explorer, Exchange and .NET Framework. Updates are available via Windows Update or from Automatic Update.

Current Software Versions

Adobe Flash 11.6.602.168 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.6.602.167 [Windows 8: IE]

Adobe Flash 11.6.602.168 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.01

Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 18.0.2 [Windows]

Google Chrome 24.0.1312.57

Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]

Internet Explorer 10.0.9200.16484 [Windows 8: IE]

Java SE 7 Update 13 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser - such as Chrome, IE9, Safari, etc - with Java enabled to browse only the sites that require it.]

QuickTime 7.7.3 (1680.64)

Safari 5.1.7  [Windows, See warning below]

Safari 6.0.2 [Mac OS X]

Skype 6.1.0.129

Newly Announced Unpatched Vulnerabilities

Adobe Reader / Acrobat: Secunia reports two extremely critical vulnerabilities in both Adobe Reader and Acrobat.  The following versions are affected: Adobe Reader XI and Acrobat XI versions 11.0.01 and prior for Windows and Macintosh, Adobe Reader X and Acrobat X versions 10.1.5 and prior for Windows and Macintosh, Adobe Reader versions 9.5.3 and prior for Windows, Macintosh, and Linux and Adobe Acrobat versions 9.5.3 and prior for Windows and Macintosh. There are no patches available at this time.

Adobe Shockwave Player: Secunia reports at least two highly critical vulnerabilities. No patches are available at this time.

Apple iOS for iPhone: Secunia and The Verge both report a weakness in Apple's iOS for iPhone 3GS and later that would allow someone with physical access to bypass the lock screen. No official solution is currently available. Reportedly Apple is planning to release an update.

For Your IT Department

BlackBerry Enterprise Server: Secunia reports at least two highly critical vulnerabilities in Blackberry's Enterprise Server. The versions affected are BlackBerry Enterprise Server Express versions 5.0.4 and prior for Microsoft Exchange and IBM Lotus Domino, BlackBerry Enterprise Server versions 5.0.4 and prior for Microsoft Exchange, IBM Lotus Domino, and Novell Groupwise. Update to a fixed version or apply interim security update.

McAfee VirusScan: Secunia reports a vulnerability in McAfee's VirusScan Enterprise and Host Intrusion Prevention. Apply applicable updates.

Important Unpatched Vulnerabilities

Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

AOL downloadUpdater2 Firefox Plugin: Secunia reports a highly critical vulnerability in version 1.3.0.0. Other versions may also be affected. No solution is currently available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12, 2012.

Apple Safari for Windows: Secunia reports a moderately critical vulnerability in Apple's Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.

Apple Safari for Windows: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

D-Link DIR-300 / DIR-600: Secunia reports multiple moderately critical vulnerabilities in two of D-Link's wireless routers; DIR-300 and DIR-600. There are no patches available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 10, 2013.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Samsung / Dell Printers: Secunia reports a moderately critical security issue in Samsung's ML-2580 and ML-4050 Monochrome Laser Printers and Dell's 2145cn and 2335dn Multifunction Printers. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 2, 2012.

Samsung Galaxy S III: Secunia reports two highly critical vulnerabilities in the Galaxy S3 device. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 14, 2012.

Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

VLC Media Player: As we reported in our Cyber Security News of the Week, December 16, 2012, Secunia reports a highly critical vulnerability in the VLC Media Player. No patch is available at this time. 

VLC Media Player: Secunia reports a highly critical vulnerability in VLC's Media player, version 2.05 and prior. No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 3, 2013.  

ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in their programs dating back more than a year. Consequently Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of their security vulnerabilities in opening doors to cyber criminals . The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.

• ACD Systems Canvas: Secunia reports at least 13 highly critical unpatched vulnerabilities in ACD Systems Canvas version 14. See Weekend Vulnerability and Patch Report, August 5, 2012.
• ACDSee 14.x: Secunia reports a highly critical unpatched vulnerability in ACDSee. See Weekend Vulnerability and Patch Report, February 19, 2012.
• ACDSee Photo: Several highly critical unpatched vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. See Weekend Vulnerability and Patch Report, June 12, 2011. See also Weekend Vulnerability and Patch Report, September 18, 2011 where we alerted readers to a second vulnerability in FotoSlate.
• ACD Systems Canvas CorelDRAW: A highly critical unpatched vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system.. See Weekend Vulnerability and Patch Report, July 31, 2011.

If you are responsible for the security of your computer, Citadel's Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer's computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2013 Citadel Information Group. All rights reserved.

WEEKEND VULNERABILITY AND PATCH REPORT

February 10, 2013

The following software vulnerabilities and updates were announced by Citadel Information Group.  They strongly recommend that readers update their computers and take other action as indicated.  This is from an e-mail received from Stan Stahl, Ph.D. [www.citadel-information.com] and posted with his approval.

Important Security Updates

Adobe Flash Player: Adobe has released an update to fix 2 extremely critical vulnerabilities in its Flash Player. Updates are available from Adobe's website.

Microsoft Flash Player: Microsoft has released an update to fix 2 highly critical vulnerabilities in a version of Adobe Flash Player within Internet Explorer 10.

Mozilla Firefox: Mozilla has released an update to its Firefox browser. Update from within Firefox.

Current Software Versions

Adobe Flash 11.5.502.149 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.3.379.14 [Windows 8: IE]

Adobe Flash 11.5.502.149 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.01

Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 18.0.2 [Windows]

Google Chrome 24.0.1312.56

Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]

Internet Explorer 10.0.9200.16466 [Windows 8: IE]

Java SE 7 Update 13 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser - such as Chrome, IE9, Safari, etc - with Java enabled to browse only the sites that require it.]

QuickTime 7.7.3 (1680.64)

Safari 5.1.7  [Windows, See warning below]

Safari 6.0.2 [Mac OS X]

Skype 6.1.0.129

Newly Announced Unpatched Vulnerabilities

D-Link DIR-300 / DIR-600: Secunia reports multiple moderately critical vulnerabilities in two of D-Link's wireless routers; DIR-300 and DIR-600. There are no patches available at this time.

For Your IT Department

Apple OS X Server: Secunia reports at least 2 highly critical vulnerabilities in Apple's OS X Server. Update to version 2.2.1.

Cisco Multiple Products: Cisco has released updates for multiple products, including its Nexus 7000 Series switches, ATA Series devices, IOS Catalyst Switches, and others. Apply appropriate updates.

HP LeftHand Virtual SAN: Secunia reports multiple moderately critical vulnerabilities in HP's LeftHand Virtual SAN Appliance Software. Upgrade to version 10.0.

VMWare: Secunia reports vulnerabilities in several of VMWare's products, including Workstation, Fusion, View, ESXi, ESX Server and others. Apply appropriate patches.

Important Unpatched Vulnerabilities

Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

AOL downloadUpdater2 Firefox Plugin: Secunia reports a highly critical vulnerability in version 1.3.0.0. Other versions may also be affected. No solution is currently available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12, 2012.

Apple Safari for Windows: Secunia reports a moderately critical vulnerability in Apple's Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.

Apple Safari for Windows: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Samsung / Dell Printers: Secunia reports a moderately critical security issue in Samsung's ML-2580 and ML-4050 Monochrome Laser Printers and Dell's 2145cn and 2335dn Multifunction Printers. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 2, 2012.

Samsung Galaxy S III: Secunia reports two highly critical vulnerabilities in the Galaxy S3 device. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 14, 2012.

Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

VLC Media Player: As we reported in our Cyber Security News of the Week, December 16, 2012, Secunia reports a highly critical vulnerability in the VLC Media Player. No patch is available at this time.

VLC Media Player: Secunia reports a highly critical vulnerability in VLC's Media player, version 2.05 and prior. No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 3, 2013.  

ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in their programs dating back more than a year. Consequently Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of their security vulnerabilities in opening doors to cyber criminals . The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.

• ACD Systems Canvas: Secunia reports at least 13 highly critical unpatched vulnerabilities in ACD Systems Canvas version 14. See Weekend Vulnerability and Patch Report, August 5, 2012.
• ACDSee 14.x: Secunia reports a highly critical unpatched vulnerability in ACDSee. See Weekend Vulnerability and Patch Report, February 19, 2012.
• ACDSee Photo: Several highly critical unpatched vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. See Weekend Vulnerability and Patch Report, June 12, 2011. See also Weekend Vulnerability and Patch Report, September 18, 2011 where we alerted readers to a second vulnerability in FotoSlate.
• ACD Systems Canvas CorelDRAW: A highly critical unpatched vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system.. See Weekend Vulnerability and Patch Report, July 31, 2011.

If you are responsible for the security of your computer, Citadel's Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer's computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities

Copyright © 2013 Citadel Information Group. All rights reserved.