Sunday, November 18, 2012


WEEKEND VULNERABILITY AND PATCH REPORT
November 18, 2012

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated. This is from an e-mail received from Stan Stahl, Ph.D. [www.citadel-information.com].

Important Security Updates


Foxit Reader: Foxit Software has released version 5.4.4.1023 as an update to its Reader. Download the latest version from Foxit's website.

Microsoft Patch Tuesday: Microsoft's Patch Tuesday release addresses 19 updates to fix a variety of security issues within Windows, Internet Explorer, Office and other Microsoft products. Many of the patched vulnerabilities are rated extremely or highly critical.

PDF Creator: PDFForge has released version 1.5.1 as an update to its PDFCreator. Download the latest version from www.pdfforge.org.

Skype: Skype has released version 6.0.0.126 as an update to its Skype application. Download the latest version from www.skype.com.

Current Software Versions


Adobe Flash 11.5.502.110 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.3.376.12 [Windows 8: IE]

Adobe Flash 11.5.502.110 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0 [Warning; see below]

Apple QuickTime 7.7.3 (1680.64)

Apple Safari 5.1.7  [Windows, See warning below]

Apple Safari 6.0.2 [Mac OS X]

Firefox 16.0.2 [Windows]

Google Chrome 23.0.1271.64

Internet Explorer 9.0.8112.16421

Java SE 7 Update 09 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser - such as Chrome, IE9, Safari, etc - with Java enabled to browse only the sites that require it.]
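A reader working from a version list like this one (the same list appears in each week's report) wants a repeatable way to compare it against what is actually installed rather than eyeballing dotted numbers. The Python helper below is an added example, not part of Citadel's report. It parses the version formats these lists use, including Java's "7 Update 09" marketing form and the "1.7.0_09" form that `java -version` prints, compares them numerically so that 11.10 is correctly treated as newer than 11.9, and flags anything older than the report's current version. The installed-version inventory is constructed for illustration; the current versions are the ones quoted in this report.

```python
"""Compare an installed-software inventory against the report's current versions.
Added example, not part of Citadel's report; INSTALLED is a constructed inventory."""
import re
from typing import Dict, List, Tuple

# Versions as quoted in the report's "Current Software Versions" list.
CURRENT: Dict[str, str] = {
    "Adobe Flash": "11.5.502.110",
    "Adobe Reader": "11.0",
    "Apple QuickTime": "7.7.3",
    "Apple Safari (Windows)": "5.1.7",
    "Firefox": "16.0.2",
    "Google Chrome": "23.0.1271.64",
    "Internet Explorer": "9.0.8112.16421",
    "Java SE": "7 Update 09",
}

# Constructed inventory of what a hypothetical workstation reports.
INSTALLED: Dict[str, str] = {
    "Adobe Flash": "11.4.402.287",
    "Adobe Reader": "10.1.4",
    "Apple QuickTime": "7.7.3",
    "Apple Safari (Windows)": "5.1.7",
    "Firefox": "16.0.2",
    "Google Chrome": "22.0.1229.94",
    "Internet Explorer": "9.0.8112.16421",
    "Java SE": "1.7.0_07",  # what `java -version` prints for Java SE 7 Update 7
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise the version formats seen in the report into an integer tuple.

    "11.5.502.110" -> (11, 5, 502, 110)
    "7 Update 09"  -> (7, 9)   Java's marketing form
    "1.7.0_07"     -> (7, 7)   Java's `java -version` form (1.<major>.0_<update>)
    """
    text = text.strip()
    m = re.fullmatch(r"(\d+)\s+Update\s+(\d+)", text)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r"1\.(\d+)\.\d+_(\d+)", text)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(installed: str, current: str) -> bool:
    """True when `installed` is older than `current`.

    Components are compared as integers, so "11.10" ranks above "11.9" (a plain
    string comparison gets that wrong), and shorter tuples are padded with zeros
    so "7.7" equals "7.7.0".
    """
    a, b = parse_version(installed), parse_version(current)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def outdated_products(installed: Dict[str, str] = INSTALLED,
                      current: Dict[str, str] = CURRENT) -> List[str]:
    """Names of products present in the inventory that lag the report's version."""
    return sorted(name for name, version in current.items()
                  if name in installed and is_outdated(installed[name], version))


if __name__ == "__main__":
    for name in outdated_products():
        print(f"{name}: installed {INSTALLED[name]}, current {CURRENT[name]}")
```

The two Java branches exist because the report and the JVM describe the same release differently; without them a naive digit split would turn "1.7.0_07" into (1, 7, 0, 7) and compare it against (7, 9) as if it were Java 1.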

For Your IT Department


IBM Java: Secunia reports at least 4 highly critical vulnerabilities in IBM's Java. Update to version 7 SR3, 6.0.1 SR4, 6 SR12, 5 SR15, or 1.4.2 SR13-FP14.

VMware ESX Server: VMware has released a partial fix to address at least 10 moderately critical vulnerabilities reported in versions 4.0 and 4.1. Apply patches if available.

Important Unpatched Vulnerabilities


Adobe Reader / Acrobat Multiple Vulnerabilities: Secunia reports highly critical vulnerabilities in Reader X and Acrobat X versions 10.1.4 and prior for Windows and Macintosh; Reader and Acrobat versions 9.5.2 and prior for Windows and Macintosh; and Reader for Linux versions 9.4.7 and prior. Secunia reports several additional highly critical vulnerabilities in versions 9 and X of Reader and Acrobat. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 19, 2012.

Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
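The Android bug above means a user cannot rely on the browser's address bar or certificate display to tell which origin actually drew the content in front of them. The one defence the trusted site itself controls is to refuse to be framed at all. The Python function below is an added example, not part of Citadel's report: it evaluates a set of HTTP response headers for that protection, recognising `X-Frame-Options` DENY or SAMEORIGIN and a `Content-Security-Policy` `frame-ancestors` directive, and shows a weak header set beside a hardened one. The sample headers are constructed.

```python
"""Decide whether HTTP response headers forbid cross-origin framing.
Added example, not part of Citadel's report; the sample headers are constructed."""
from typing import Dict


def allows_cross_origin_framing(headers: Dict[str, str]) -> bool:
    """True if a page sent with these headers could be loaded inside a third
    party's iframe. Header names are compared case-insensitively.

    Recognised defences: X-Frame-Options DENY or SAMEORIGIN, and a
    Content-Security-Policy frame-ancestors directive whose source list does
    not open the page to arbitrary origins (a '*' wildcard or a bare scheme).
    """
    h = {name.lower(): value for name, value in headers.items()}

    # frame-ancestors, where present, is the more precise control and wins.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = {t.lower() for t in tokens[1:]}
            # 'none', 'self' or an explicit host list all exclude unknown framers;
            # a wildcard or a bare scheme lets any origin frame the page.
            return bool(sources & {"*", "http:", "https:"})

    # Fall back to X-Frame-Options. ALLOW-FROM is treated as no protection
    # because browser support for it was never consistent.
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


# Constructed samples: a response with no anti-framing header next to one
# that sends both controls.
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        verdict = "can be framed" if allows_cross_origin_framing(hdrs) else "refuses framing"
        print(f"{label}: {verdict}")
```

This checks what the server sends, not what the client honours: a browser that ignores the header gives no protection, which is exactly why the report also tells users not to trust the displayed certificate information on an affected device.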

AOL downloadUpdater2 Firefox Plugin: Secunia reports a highly critical vulnerability in version 1.3.0.0. Other versions may also be affected. No solution is currently available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12, 2012.

Apple Safari for Windows: Secunia reports a moderately critical vulnerability in Apple's Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.

Apple Safari for Windows: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

CA ARCserve Backup: Secunia reports a less critical vulnerability in CA's ARCserve Backup in versions 12.0, 12.5, 15, and 16. CA provides a partial fix solution and advises updating to a fixed version. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection  remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.  

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Samsung Galaxy S III: Secunia reports two highly critical vulnerabilities in the Galaxy S3 device. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 14, 2012.

Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in their programs dating back more than a year. Consequently Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of their security vulnerabilities in opening doors to cyber criminals. The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.

If you are responsible for the security of your computer, our weekly report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers' computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Thursday, November 15, 2012


Will Capital Gains Be Changed?

Currently, capital gains rates for the sale of assets held over one year are taxed at 15% (0% to the extent a taxpayer is in the 15% or lower regular tax bracket), compared with a top tax of 35% for ordinary income. Without Congressional action, these rates will increase to 20% (18% for assets held over 5 years) in 2013.

Although there has been some discussion related to extending the 15% rates for another year (2013), to date, Congress has not provided any indication one way or the other. Even without providing guidance for 2013, the House Ways and Means Committee and the Senate Finance Committee are already holding joint meetings to discuss capital gain reform.

Capital gains and related issues make up approximately half of the tax code, in excess of 20,000 pages. In addition, those with the most capital gains are generally the wealthier taxpayers, and lower capital gains rates contribute to the disparity in tax rates between the wealthy and the average working family that we hear so much about in the media. As an example, billionaire Warren Buffett announced that his tax rate was 14%, which is lower than the rate paid by his secretary.

Some contend that capital gains should be taxed as ordinary income and should even be taxed as the income is earned rather than when the gain is realized.

Still others maintain that doing away with special long-term capital gains rates would discourage investment and would further harm the economy.

It is difficult to predict what lies ahead. But you can count on this firm to stay on top of this issue and to keep you abreast of the ever-changing tax landscape.

Monday, November 12, 2012


WEEKEND VULNERABILITY AND PATCH REPORT
November 11, 2012

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.  This is from an e-mail received from Stan Stahl, Ph.D. [www.citadel-information.com].

IMPORTANT SECURITY UPDATES


Adobe Flash Player and AIR: Adobe has released a critical security update for its Flash Player and Adobe AIR software that patches at least seven dangerous vulnerabilities in these products. Updates are available for Windows, Mac, Linux and Android systems. The appropriate version for your system can be downloaded from Adobe's Flash Player Distribution page. Most users can find out what version of Flash they have installed by visiting this link.

Apple QuickTime 7.7.3 (1680.64): Apple has updated QuickTime to patch at least 9 vulnerabilities, many of them highly critical. Updates are available through the QuickTime program.

MacBook Air and MacBook Pro Update 2.0: Apple has updated these programs. Updates are available from Apple's Download Site.

Firefox 16.0.2: Mozilla has updated Firefox to 16.0.2. The update is available from within the program.

Google Chrome 23.0.1271.64: Google has released Google Chrome 23.0.1271.64 to address over 20 vulnerabilities, many of them highly critical. Updates are available through the program.

Opera 12.10: Opera has released version 12.10 to patch at least five security vulnerabilities, many of them highly critical. Updates are available through the program.

Microsoft Windows Flash Player: Microsoft has released an update for Windows 8 that patches a critical vulnerability in the Flash Player embedded within Internet Explorer 10.

CURRENT SOFTWARE VERSIONS

Adobe Flash 11.5.502.110 [Windows, Macintosh]

Adobe Flash 11.2.202.251 [Linux]

Adobe Reader 11.0 [Warning; see below]

Apple QuickTime 7.7.3 [1680.64]

Apple Safari 5.1.7  [Windows, See warning below]

Apple Safari 6.0.2 [Mac OS X]

Firefox 16.0.2 [Windows]

Google Chrome 23.0.1271.64

Internet Explorer 9.0.8112.16421

Java SE 7 Update 09 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser - such as Chrome, IE9, Safari, etc - with Java enabled to browse only the sites that require it.]

NEWLY ANNOUNCED UNPATCHED VULNERABILITIES


None.

FOR YOUR IT DEPARTMENT

Cisco Secure Access Control Systems (ACS): US-CERT reports that Cisco Secure Access Control Systems (ACS) contains a vulnerability that could allow an unauthenticated, remote attacker to bypass the TACACS+ based authentication service offered by the product. US-CERT encourages users and administrators to review the Cisco Security Advisory 20121107-ACS and follow best practice security policies to determine if their organization is affected and the appropriate response.

Cisco IronPort Web / Email Security Appliance Sophos Anti-Virus Multiple Vulnerabilities: Secunia reports an unpatched, highly critical vulnerability in this Cisco product.

McAfee Email and Web Security Appliance: Secunia reports a vulnerability in McAfee Email and Web Security Appliance 5.x. No patch is available at this time.

UNPATCHED VULNERABILITIES

Adobe Reader / Acrobat Multiple Vulnerabilities: Secunia reports highly critical vulnerabilities in Reader X and Acrobat X versions 10.1.4 and prior for Windows and Macintosh; Reader and Acrobat versions 9.5.2 and prior for Windows and Macintosh; and Reader for Linux versions 9.4.7 and prior. Secunia reports several additional highly critical vulnerabilities in versions 9 and X of Reader and Acrobat. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 19, 2012.

Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

AOL downloadUpdater2 Firefox Plugin: Secunia reports a highly critical vulnerability in version 1.3.0.0. Other versions may also be affected. No solution is currently available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12, 2012.

Apple Safari for Windows: Secunia reports a moderately critical vulnerability in Apple's Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.

Apple Safari for Windows: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

CA ARCserve Backup: Secunia reports a less critical vulnerability in CA's ARCserve Backup in versions 12.0, 12.5, 15, and 16. CA provides a partial fix solution and advises updating to a fixed version. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection  remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.  

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Samsung Galaxy S III: Secunia reports two highly critical vulnerabilities in the Galaxy S3 device. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 14, 2012.

Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in their programs dating back more than a year. Consequently Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of their security vulnerabilities in opening doors to cyber criminals. The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.

If you are responsible for the security of your computer, our weekly report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers' computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.


Friday, November 9, 2012


CASUALTY LOSSES EFFECTS ON TAXES

The following is a brief overview of casualty losses and how they might impact your tax return. The information provided is by no means complete; contact this office for further details.

Casualty Loss Definition - A casualty refers to the damage, destruction, or loss of property resulting from an identifiable event that is sudden, unexpected, or unusual.

·    A sudden event is one that is swift, not gradual or progressive.

·    An unexpected event is one that is ordinarily unanticipated and unintended.

·    An unusual event is one that is not a day-to-day occurrence and that is not typical of the activity in which you were engaged.

Disaster Losses - Disaster losses are casualty losses that occur in a geographical area that has been declared a disaster region by the President of the United States. Generally, casualty losses must be taken in the year in which they occur. However, if the casualty occurs in a designated disaster region, the losses can be taken either in the year of the loss or in the year prior to the loss. The decision as to when to take the loss depends upon a number of factors and should be carefully analyzed in order to determine which year is most beneficial for the taxpayer. Factors to consider include:

·    The tax brackets for each year - From purely a tax standpoint, each year should be carefully examined in order to determine which will provide the greatest overall tax benefit without wasting other tax benefits.

·    The need for immediate cash - The primary purpose of the special rules allowing the casualty loss to be claimed on the prior year’s return is to provide taxpayers access to a tax refund without needing to wait - often many months - to file their return for the year of the loss.

·    Self-Employment tax - Self-employed taxpayers will also need to consider whether to take a business casualty loss that affects inventory in the current or prior year since the loss can offset the self-employment tax as well as income taxes.

·    Whether the loss will be used up - If the casualty loss is not fully used up in the year in which it is first deducted, it can create a net operating loss (NOL). An NOL can be taken back to prior years or carried forward to future years and used as a deduction on carryback or carry-forward returns. If such an NOL is considered, care should be taken to analyze the benefit from the potential loss carryback versus carrying the loss forward.

Net Operating Loss - Generally, taxpayers may carry their net operating loss back 2 years and forward 20 years until it is used up. NOLs resulting from casualties may, by election, be carried back 3 years.

Determining the Loss - Generally, the deductible loss is the lesser of the cost or fair market value of each item lost in the casualty. Once the loss is determined for each individual item, those amounts are added together to determine the total loss for each separate casualty event.

Business or Personal Casualty - Casualty losses are categorized as either business or personal casualty losses. Business losses are fully deductible without limitations, whereas personal casualty losses are first reduced by $100 for each event, after which the total of all of the events for the year is reduced by 10% of your adjusted gross income (AGI). In addition, for personal casualty losses, you must itemize your deductions in order to take advantage of the loss.

Insurance Reimbursement - Your casualty loss must be reduced by the amount of any insurance reimbursement. Generally, if you are insured for your loss and the insurance company offers you an amount that the insurance company deems to be the FMV of the item or items lost in the casualty, you will generally not have a casualty loss unless the combination of insurance loss limits and deductibles exceeds the personal loss limitations.

Filing Relief - The IRS will generally provide filing relief for affected individuals and businesses within a Presidentially declared disaster zone, including extensions for filing tax returns, entity returns, information returns, and making deposits. The duration of these extensions will vary depending on the facts and circumstances of the disaster.

For example, in the aftermath of Hurricane Sandy, the IRS extended most filing and payment deadlines that occurred in late October until February 1, 2013. The IRS will abate any interest, late-payment or late-filing penalty that would otherwise apply. The IRS automatically provides this relief to any taxpayer located in the disaster area. Taxpayers need not contact the IRS to receive this relief.

All workers assisting with relief activities in the covered disaster areas who are affiliated with a recognized government or philanthropic organization are generally also eligible for relief. Watch for IRS announcements related to each event.

If you have incurred a casualty or disaster loss, please contact this office so that we may provide you with guidance related to claiming and documenting your loss.

Monday, November 5, 2012


CONGRESS LEAVES US HANGING AGAIN ON THE AMT

Here it is, almost the end of the year, and as they have done for several years, Congress has not indicated if they will extend the higher AMT exemption amounts or allow them to revert to lower amounts that were in effect before exemptions were increased to shield the middle class from the punitive tax. A recent Congressional report indicates that, if Congress does not extend the AMT break, one in five taxpayers will be impacted by the AMT in 2012.

Originally conceived to combat taxpayers in the higher-income brackets who utilized legal tax shelters and tax preferences to avoid paying income tax, the AMT can be tricky and hit you when least expected. The tax was supposed to inflict a “minimum” tax on those who were able to avoid the regular tax. However, years of inflation have pushed many middle-income taxpayers into the reach of the AMT. Although there is a long list of items that can trigger the AMT, for most individuals, the triggers include the following or a combination of the items listed below:

·      Preference income from exercising stock options from an employer's qualified plan, sometimes referred to as incentive stock options (ISOs);

·      Having large itemized tax deductions;

·      Having large miscellaneous itemized deductions;

·      Large itemized deductions for state income or sales tax, real property tax and personal property tax;

·      Large medical itemized tax deductions;

·      Home equity debt interest deduction; and

·      Interest income from private activity bonds.

Because of its unintended impact on the middle class, Congress has been promising AMT reform. In the meantime, annually increasing the amount of income exempted from AMT has been their temporary fix, and what that amount will be for 2012 is what Congress has yet to decide. Complicating the issue is that the AMT as it is currently structured provides a significant amount of tax revenue that Congress is reluctant to concede without a replacement. Most analysts have been predicting the higher exemptions will be extended for 2012, and possibly into 2013. But you never know, and we will have to wait and see.

There are planning techniques that can be used to avoid or mitigate the effects of the AMT. If you anticipate an AMT problem this year, it may be appropriate for you to make an appointment to see if there are any steps that can be taken to alleviate the effects of the AMT in your specific tax situation.

WEEKEND VULNERABILITY AND PATCH REPORT
November 4, 2012

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.  This is from an e-mail received from Stan Stahl, Ph.D. [www.citadel-information.com].

IMPORTANT SECURITY UPDATES


Apple iOS: Apple has released an update to its OS for iPhone 3GS and later, iPad and iPod touch to fix 4 highly critical vulnerabilities. Update to iOS 6.0.1 from Apple's website.

Apple Safari: Apple has released an update to Safari running in OS X Lion and OS X Mountain Lion to fix 2 highly critical vulnerabilities. Update to version 6.0.2 from within the Apple menu.

CURRENT SOFTWARE VERSIONS


Adobe Flash 11.4.402.287 [Windows: Internet Explorer, Firefox, Mozilla, Netscape, Opera, Safari]

Adobe Flash 11.4.402.287 [Mac OS X: Firefox, Opera, Safari]

Adobe Reader 11.0 [Warning; see below]

Apple QuickTime 7.7.2

Apple Safari 5.1.7  [Windows, See warning below]

Apple Safari 6.0.2 [Mac OS X]

Google Chrome 22.0.1229.94

Internet Explorer 9.0.8112.16421

Java SE 7 Update 09 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser - such as Chrome, IE9, Safari, etc - with Java enabled to browse only the sites that require it.]

Mozilla Firefox 16.0.2

IMPORTANT UNPATCHED VULNERABILITIES


D-Link Wireless N300: Secunia reports a moderately critical vulnerability in the firmware of the Wireless N300 Cloud Router, versions 1.10 and 1.12; other versions may also be affected. No solution is currently available.

Adobe Reader / Acrobat Multiple Vulnerabilities: Secunia reports highly critical vulnerabilities in Reader X and Acrobat X versions 10.1.4 and prior for Windows and Macintosh; Reader and Acrobat versions 9.5.2 and prior for Windows and Macintosh; and Reader for Linux versions 9.4.7 and prior. Secunia reports several additional highly critical vulnerabilities in versions 9 and X of Reader and Acrobat. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 19, 2012.

Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

AOL downloadUpdater2 Firefox Plugin: Secunia reports a highly critical vulnerability in version 1.3.0.0. Other versions may also be affected. No solution is currently available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12, 2012.

Apple Safari for Windows: Secunia reports a moderately critical vulnerability in Apple's Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.

Apple Safari for Windows: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

CA ARCserve Backup: Secunia reports a less critical vulnerability in CA's ARCserve Backup versions 12.0, 12.5, 15, and 16. CA provides a partial fix and advises updating to a fixed version. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.  

Microsoft Windows XP: A less critical security vulnerability has been found in Windows XP which can be exploited by malicious local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Samsung Galaxy S III: Secunia reports two highly critical vulnerabilities in the Galaxy S III device. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, October 14, 2012.
Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in their programs dating back more than a year. Consequently, Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the way its security vulnerabilities open doors to cyber criminals. The community cannot tolerate a head-in-the-sand attitude, whether by developers or by the people who purchase and use their programs. The consequences of willful ignorance are too grave.

If you are responsible for the security of your computer, our weekly report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers' computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.