Monday, December 12, 2011

Weekend Vulnerability and Patch Report, December 12, 2011

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates
Blackberry Tablet OS. Blackberry has released version 1.0.8.6067 to patch a security vulnerability. More information is available from Blackberry's Advisory.

Foxit Reader: Foxit has released version 5.1.3 to patch a highly critical vulnerability. More information and a link to download the updated version is available from Foxit's Advisory.

Opera Browser: Opera has released version 11.60 to patch multiple moderately critical vulnerabilities. Users can download the update from Opera's website.


Current Software Versions

Adobe Flash: The current version is 11.1.102.55 [Warning; see below]

Adobe Reader:The current version is 10.1.1 [Warning; see below]

Apple QuickTime: The current version is 7.71.80.42

Apple Safari: The current version is 5.34.52.7

Google Chrome: The current version is 15.0.874.121

Internet Explorer: The current update version is IE9.0.8112.16421

Java: The current version is SE 6 Update 29.

Mozilla Firefox: The current version is 8.0.1.


Newly Announced Unpatched Vulnerabilities

Adobe Flash: Secunia reports that a highly critical vulnerability has been found in the Adobe Flash Player. No patch is available at this time. We recommend users disable the Flash player in their browsers. See our Cyber Security News of the Week for more information on this vulnerability.

Adobe Reader: US-CERT reports that Adobe has released a Security Advisory for Adobe Reader and Acrobat to address an extremely critical vulnerability affecting Adobe Reader. We recommend users exercise extreme caution, opening PDF files only from trusted sources. Users may also want to consider alternative PDF readers such as Foxit, PDF-Xchange Viewer or Nitro PDF. See our Cyber Security News of the Week for more information on this vulnerability.

Multiple Browser Vulnerabilities: Secunia reports a common vulnerability affecting multiple web browsers, including Internet Explorer, Opera, Google Chrome and Firefox. We have no information at this time whether other browsers are affected. The vulnerability can be exploited by a malicious website to enumerate other sites visited by the user. Secunia recommends enabling "Private Browsing" when visiting untrusted websites.

For Your IT Department

Trend Micro Control Manager: Trend Micro has updated Control Manager to patch a moderately critical vulnerability. More information is available at Trend Micro's Advisory.


Important Unpatched Vulnerabilities

Adobe Photoshop Elements: Adobe versions 1 - 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18.

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

Firefox version 7 and Thunderbird version 7: As we reported in Weekend Vulnerability and Patch Report, November 13, 2011, multiple unpatched security vulnerabilities, several of them highly critical, have been reported in version 7 of Firefox and Mozilla. Mozilla recommends users upgrade to version 8.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

Microsoft Office Publisher 2007: A moderately critical vulnerability has been reported in Microsoft Office Publisher. No patch is available at this time. Readers are advised to not use content from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 23, 2011.

Microsoft Windows: As we reported in Weekend Vulnerability and Patch Report, November 6, Microsoft has released a security advisory about a 0-day critical vulnerability in most supported versions of Windows, including Windows XP, Vista and 7. There is no patch at this time. According to Microsoft, for an attack to be successful, a user must open an attachment that is sent in an e-mail message.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.

Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user's computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.

 If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer's computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

SecurityRecruiter.com's Security Recruiter Blog