Weekend Vulnerability and Patch Report
The following software
vulnerabilities and updates were announced last week from a e-mail I received
from Stan Stahl, Ph.D.[ www.citadel-information.com]. Citadel Information
Group strongly recommends that readers update their computers and take
other action as indicated.
Apple TV: Apple has released a patch to fix at least 21 highly critical vulnerabilities in its TV product.See Apple website for details on how to update to Apple TV Software version 5.1.
Foxit Reader: Foxit
has released a patch to its Reader to fix a highly critical vulnerability.
Update to version 5.4.3 from Foxit's website.
Google Chrome: Google has released version 22.0.1229.79. Download the current version from Google's support website.
Samsung Galaxy S3: As
Citadel tweeted last Tuesday, September 25, 2012, Samsung has released a patch
to fix the highly critical factory reset vulnerability in its Galaxy S3
device. Samsung advises checking for software updates through the
'Settings: About device: Software update' menu and installing the current patch
with the available over-the-air update.
Current Software Versions
Adobe Flash 11.4.402.278
[Windows: Internet Explorer, Firefox, Mozilla, Netscape, Opera, Safari]
Adobe Flash 11.4.402.265
[Mac OS X: Firefox, Opera, Safari]Adobe Reader 10.1.4 [Warning; see below]
Apple QuickTime 7.7.2
Apple Safari 5.1.7 [Warning; see below]
Google Chrome 22.0.1229.79
Internet Explorer 9.0.8112.16421
Java SE 7 Update 07 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser - such as Chrome, IE9, Safari, etc - with Java enabled to browse only the sites that requires it.]
Mozilla Firefox 15.0.1
Java: As Citadel tweeted last Tuesday, September 25, 2012, Seclists.org has discovered additional unpatched critical security flaws in all versions of Java. See above.
For Your
IT Department
Adobe: As
Citadel tweeted last Friday, September 28, 2012, Adobe has issued a special
alert to address an issue with a current Adobe code signing certificate. The
certificate will be revoked on October 4, 2012 for all software code signed
after July 10, 2012. Adobe is issuing a new digital certificate for all
affected products. Adobe published a help page that lists the affected products and
contains links to updated versions signed with a new certificate.
Apple Remote Desktop: Apple
has released updates to both of its products, Remote Desktop Admin and Remote Desktop Client. Update as necessary.
Cisco: Cisco has
released many patches and updates to fix various vulnerabilities within its
products. Check your devices and update as necessary.
Oracle: Oracle
has released many patches and updates to fix various vulnerabilities within its
products. Check your devices and update as necessary.
Oracle Solaris Mozilla
Firefox: Oracle has released an update to Mozilla's Firefox browser thats
included in the Solaris operating system to fix 11 highly critical vulnerabilities. Apply all
necessary patches.
SafeNet: Secunia
reports an unpatched vulnerability in SafeNet's Sentinel Protection
product. No official solution is currently available.
SonicWALL Anti-Spam &
Email Security: SonicWALL has released an update to fix vulnerabilities in its Anti-Spam & Email
Security products. Update to version 7.3.6.
Important
Unpatched Vulnerabilities
Adobe Reader / Acrobat
Multiple Vulnerabilities: Secunia reports highly critical vulnerabilities in Reader X and
Acrobat X versions 10.1.4 and prior for Windows and Macintosh; Reader and
Acrobat versions 9.5.2 and prior for Windows and Macintosh; and Reader for
Linux versions 9.4.7 and prior. Secunia reports several additional highly critical vulnerabilities in versions 9
and X of Reader and Acrobat. We first alerted readers to this vulnerability
in Weekend Vulnerability and Patch Report, August 19,
2012.
Android Browser: Secunia
reports a less critical vulnerability in the Android
browser that can be exploited to trick a user into believing he is connected to
a trusted site by including the trusted site in an iframe. The
vulnerability is confirmed in Browser version 2.3.3 included in Android version
2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions
may also be affected. Users are cautioned to not rely on displayed certificate
information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25,
2011.
AOL downloadUpdater2
Firefox Plugin: Secunia reports a highly critical vulnerability in version
1.3.0.0. Other versions may also be affected. No solution is currently
available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12,
2012.
Apple Safari for Windows: Secunia
reports a moderately critical vulnerability in Apple's
Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe
Flash plug-ins. Other versions may also be affected. We first alerted readers
to this vulnerability in Weekend Vulnerability and Patch Report, March 11,
2012.
Apple Safari for Windows: Secunia
reports a non-critical unpatched vulnerability in Safari
5.1.2. Other versions may also be affected. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, December 25,
2011.
CA ARCserve Backup: Secunia
reports a less critical vulnerability in CA's ARCserver
Backup in versions 12.0, 12.5, 15, and 16. CA provides a partial fix solution
and advises updating to a fixed version. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, March 25,
2012.
HTC Mobile Devices: The security vulnerability in the default Twitter
application (Peep) in HTC products remain unpatched. Readers should refrain
from using the default Twitter application (Peep). We first alerted readers to
this vulnerability in Weekend Vulnerability and Patch Report, February 11,
2011.
HTC Touch2: The highly critical 0-day vulnerability in the HTC
Touch2 VideoPlayer remains unpatched. Users are advised to not open files from
untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18,
2011.
McAfee SaaS: The highly critical vulnerability in McAfee SaaS
Endpoint Protection remains unpatched. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, January 22,
2012.
Microsoft Windows XP: A less-critical security vulnerability has been
found in Windows XP which can be exploited by malicious, local users to
disclose potentially sensitive information or cause a DoS (Denial of Service).
No patch is available at this time. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, August 7,
2011.
Microsoft Word: A highly critical vulnerability has been found in
Microsoft Word XP and 2002. No patch is available at this time. Readers should
refrain from opening untrusted files in these earlier versions of Word. We
first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19,
2011.
Microsoft Reader: The highly critical vulnerability in Microsoft
Reader, versions 2.x, remains unpatched. Readers should refrain from
opening untrusted files in Reader. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, April 15,
2011.
PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a
popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain
from opening untrusted files in PDF-Pro. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, March 4,
2011.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in
Quick View Plus which can be exploited by malicious people to compromise a
user's system. Users should not view untrusted CDR files in Quick View Plus. We
first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31,
2011.
Symantec pcAnywhere:As we
reported in our Cyber Security News of the Week, January 29, 2012,
Symantec has confirmed that the hacker group Anonymous stole source code from
the 2006 versions of several Norton security products and the pcAnywhere remote
access tool. Symantec has advised users to disable pcAnywhere because of the
theft of the pcAnywhere source code.
ACD Systems: Citadel recommends users remove all
ACD Systems programs from their computers. ACD Systems has failed to patch
significant critical vulnerabilities in their programs dating back more than a
year. Consequently Citadel recommends users remove all ACD Systems programs
from their computers until the company fixes these vulnerabilities and pays
proper attention to the implications of their security vulnerabilities in
opening doors to cyber criminals . The community cannot tolerate a
head-in-the-sand attitude, whether by developers or the people who purchase and
use their programs. The consequences of willful ignorance are too grave.
- ACD Systems
Canvas: Secunia
reports at least 13 highly critical unpatched vulnerabilities
in ACD Systems Canvas version 14. See Weekend Vulnerability and Patch Report, August
5, 2012.
- ACDSee 14.x: Secunia
reports a highly critical unpatched vulnerability in
ACDSee. See Weekend Vulnerability and Patch Report,
February 19, 2012.
- ACDSee Photo: Several highly
critical unpatched vulnerabilities have been identified in various ACDSee
photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. See Weekend Vulnerability and Patch Report, June
12, 2011. See also Weekend Vulnerability and Patch Report,
September 18, 2011 where we alerted readers to a second vulnerability
in FotoSlate.
- ACD Systems
Canvas CorelDRAW: A highly critical unpatched vulnerability has
been found in ACD Systems Canvas which can be exploited by malicious
people to compromise a user's system.. See Weekend Vulnerability and Patch Report, July
31, 2011.
If you are responsible for the
security of your computer, our weekly report is for you. We strongly urge you
to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key
element of cyber security management.
Cyber criminals take over user computers by writing computer programs that
"exploit" vulnerabilities in operating systems (Windows, Apple OS,
etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When
software companies find a vulnerability, they usually issue an update patch to
fix the code running in their customer's computers.
Citadel publishes our Weekend Vulnerability and Patch Report
to alert readers to some of the week's important updates and vulnerabilities.
Our focus is on software typically found in the small or home office (SOHO) or
that users are likely to have on their home computer. The report is not
intended to be a thorough listing of updates and vulnerabilities.
No comments:
Post a Comment