WEEKEND
VULNERABILITY AND PATCH REPORT
March 3, 2013
The following software vulnerabilities and
updates were announced by Citadel Information Group. They strongly recommend that
readers update their computers and take other action as indicated. This is from an
e-mail received from Stan Stahl, Ph.D. [www.citadel-information.com] and posted
with his approval.
Important Security Updates
Adobe Flash: Adobe has
released version 11.6.602.171 for Flash to fix extremely critical
vulnerabilities. Updates are available from within the program or Adobe's website.
Mozilla Firefox: Mozilla
has released version 19.0.1 of Firefox. Updates are available through Firefox.
Current Software Versions
Adobe Flash 11.6.602.171
[Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]
Adobe Flash 11.6.602.171
[Windows 8: IE]
Adobe Flash 11.6.602.171
[Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.01
Dropbox 1.6.11 [Citadel warns
against relying on Dropbox security. We recommend files containing sensitive
information be independently encrypted with a program like Axcrypt; encryption
keys be at least 15 characters long; and the Dropbox password be at least 15
characters long and different from other passwords.]
Firefox 19.0 [Windows]
Google Chrome 25.0.1364.97
Internet Explorer 9.0.8112.16421
[Windows 7: IE], [See warning below]
Internet Explorer 10.0.9200.16484
[Windows 8: IE]
Java SE 7 Update 15 [Citadel
recommends removing or disabling Java from your browser. Java is a major source
of cyber criminal exploits. It is not needed for most internet browsing. If you
have particular web sites that requires Java, Citadel recommends using a
two-browser approach to minimize risk. If you normally browse the Web with
Firefox, for example, disable the Java plugin in Firefox and use an alternative
browser - such as Chrome, IE9, Safari, etc - with Java enabled to browse only
the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows, See
warning below]
Safari 6.0.2 [Mac OS X]
Skype 6.2.0.106
Newly Announced Unpatched Vulnerabilities
Oracle Java: Secunia
reports an extremely critical vulnerability in Oracle's Java. The
vulnerability is reported in version 7 update 15 and version 6 update 41. Other
versions may also be affected. See Citadel's recommendation above.
For Your IT Department
McAfee VirusScan
Enterprise: McAfee has released updates to its VirusScan. Apply VSE88HF778101
or Patch 3.
Important Unpatched Vulnerabilities
Adobe Shockwave Player: Secunia
reports at least two highly critical vulnerabilities in Adobe's
Shockwave Player. No patches are available at this time. We first alerted
readers to this vulnerability in Weekend Vulnerability and Patch Report, February 17,
2013.
Android Browser: Secunia
reports a less critical vulnerability in the Android
browser that can be exploited to trick a user into believing he is connected to
a trusted site by including the trusted site in an iframe. The
vulnerability is confirmed in Browser version 2.3.3 included in Android version
2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions
may also be affected. Users are cautioned to not rely on displayed certificate
information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25,
2011.
AOL downloadUpdater2
Firefox Plugin: Secunia reports a highly critical vulnerability in version
1.3.0.0. Other versions may also be affected. No solution is currently
available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12,
2012.
Apple iOS for iPhone: Secunia
and The Verge both report a weakness in Apple's iOS for iPhone 3GS and
later that would allow someone with physical access to bypass the lock screen.
No official solution is currently available. Reportedly Apple is planning to
release an update. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 17,
2013.
Apple Safari for Windows: Secunia
reports a moderately critical vulnerability in Apple's
Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe
Flash plug-ins. Other versions may also be affected. We first alerted readers
to this vulnerability in Weekend Vulnerability and Patch Report, March 11,
2012.
Apple Safari for Windows: Secunia
reports a non-critical unpatched vulnerability in Safari
5.1.2. Other versions may also be affected. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, December 25,
2011.
D-Link DIR-300 /
DIR-600: Secunia reports multiple moderately critical vulnerabilities in
two of D-Link's wireless routers; DIR-300 and DIR-600. There are no patches
available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 10,
2013.
HTC Mobile Devices: The security vulnerability in the default Twitter
application (Peep) in HTC products remain unpatched. Readers should refrain
from using the default Twitter application (Peep). We first alerted readers to
this vulnerability in Weekend Vulnerability and Patch Report, February 11,
2011.
HTC Touch2: The highly critical 0-day vulnerability in the HTC
Touch2 VideoPlayer remains unpatched. Users are advised to not open files from
untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18,
2011.
Microsoft Windows XP: A less-critical security vulnerability has been
found in Windows XP which can be exploited by malicious, local users to
disclose potentially sensitive information or cause a DoS (Denial of Service).
No patch is available at this time. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, August 7,
2011.
Microsoft Word: A highly critical vulnerability has been found in
Microsoft Word XP and 2002. No patch is available at this time. Readers should
refrain from opening untrusted files in these earlier versions of Word. We
first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19,
2011.
Microsoft Reader: The highly critical vulnerability in Microsoft
Reader, versions 2.x, remains unpatched. Readers should refrain from
opening untrusted files in Reader. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, April 15,
2011.
PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a
popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain
from opening untrusted files in PDF-Pro. We first alerted readers to this
vulnerability in Weekend Vulnerability and Patch Report, March 4,
2011.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in
Quick View Plus which can be exploited by malicious people to compromise a
user's system. Users should not view untrusted CDR files in Quick View Plus. We
first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31,
2011.
Samsung / Dell
Printers: Secunia reports a moderately critical security issue in Samsung's
ML-2580 and ML-4050 Monochrome Laser Printers and Dell's 2145cn and 2335dn
Multifunction Printers. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 2,
2012.
Samsung Galaxy S III: Secunia
reports two highly critical vulnerabilities in the Galaxy S3
device. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 14,
2012.
Symantec pcAnywhere: As we
reported in our Cyber Security News of the Week, January 29, 2012,
Symantec has confirmed that the hacker group Anonymous stole source code from
the 2006 versions of several Norton security products and the pcAnywhere remote
access tool. Symantec has advised users to disable pcAnywhere because of the
theft of the pcAnywhere source code.
VLC Media Player: As we
reported in our Cyber Security News of the Week, December 16, 2012,
Secunia reports a highly critical vulnerability in the
VLC Media Player. No patch is available at this time.
VLC Media Player: Secunia
reports a highly critical vulnerability in VLC's Media
player, version 2.05 and prior. No patch is available at this time. We first
alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 3,
2013.
ACD Systems: Citadel recommends users remove all
ACD Systems programs from their computers. ACD Systems has failed to patch significant
critical vulnerabilities in their programs dating back more than a year.
Consequently Citadel recommends users remove all ACD Systems programs from
their computers until the company fixes these vulnerabilities and pays proper
attention to the implications of their security vulnerabilities in opening
doors to cyber criminals . The community cannot tolerate a head-in-the-sand
attitude, whether by developers or the people who purchase and use their
programs. The consequences of willful ignorance are too grave.
- ACD Systems
Canvas: Secunia
reports at least 13 highly critical unpatched vulnerabilities
in ACD Systems Canvas version 14. See Weekend Vulnerability and Patch Report, August
5, 2012.
- ACDSee 14.x: Secunia
reports a highly critical unpatched vulnerability in
ACDSee. See Weekend Vulnerability and Patch Report,
February 19, 2012.
- ACDSee Photo: Several highly
critical unpatched vulnerabilities have been identified in various ACDSee
photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. See Weekend Vulnerability and Patch Report, June
12, 2011. See also Weekend Vulnerability and Patch Report,
September 18, 2011 where we alerted readers to a second vulnerability
in FotoSlate.
- ACD Systems Canvas CorelDRAW: A highly critical unpatched vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system.. See Weekend Vulnerability and Patch Report, July 31, 2011.
If you are responsible for the security of your computer, Citadel's Weekend Vulnerability and Patch Report
is for you. We strongly urge you to take action to keep your workstation
patched and updated.
If someone else is responsible for the security of your computer,
forward our Weekend Vulnerability and Patch Report to them and follow up to
make sure your computer has been patched and updated.
Vulnerability
management is a key element of cyber security management.
Cyber criminals take over user computers by writing computer programs that
"exploit" vulnerabilities in operating systems (Windows, Apple OS,
etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When
software companies find a vulnerability, they usually issue an update patch to
fix the code running in their customer's computers.
Citadel publishes our Weekend
Vulnerability and Patch Report to alert readers to some of the
week's important updates and vulnerabilities. Our focus is on software
typically found in the small or home office (SOHO) or that users are likely to
have on their home computer. The report is not intended to be a thorough
listing of updates and vulnerabilities.
Copyright © 2013 Citadel
Information Group. All rights reserved.
![[Most Recent Quotes from www.kitco.com]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uMnvlLPWFELT4aEXOoehvCoPRC5K83uEUYmPSJWtNKr4GgBrAcmFth97Cxx1eHq7AYZvLucu8z2mnxUWfuCYIy_W4-2T-OimA9UhoE3fDGATLnlaDelH3DM1EoQrBp98dY=s0-d)
No comments:
Post a Comment