Monday, February 06, 2012

Vulnerability and Patch Report for the week of February 6, 2012

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.


Important Security Updates
Apple Mac OS X 10.7.3: Apple has released a security update to Mac OS X to patch several highly critical vulnerabilities. Updates are available through Apple's website.

HTC Products: HTC has released updates to several of its products to patch a common vulnerability. Updates are available through HTC's update channel.

Mozilla Firefox 3.6.26 / Thunderbird 3.1.18: Mozilla has released a security update to patch several highly critical vulnerabilities. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, January 15, 2012. Updates are available through the programs.

Mozilla Firefox 10.0 / Thunderbird 10.0: Mozilla has released a security update to patch several highly critical vulnerabilities. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, January 15, 2012. Updates are available through the programs.

Mozilla SeaMonkey 2.7: Mozilla has released a security update to patch several highly critical vulnerabilities. Updates are available through the program.
RoboForm 7.7.0: Roboform has updated its popular password management program. The update is available through the program.
Skype 5.8.0.154: Skype has released an update to patch a moderately critical vulnerability. The update is available through the program. [Note: When I tried to update Skype from within the program, Skype reported it was up-to-date. To update Skype, I had to download Skype from Skype's website and re-install the program.]

Current Software Versions

Adobe Flash 11.1.102.55 [Warning; see below]
Adobe Reader 10.1.2
Apple QuickTime 7.7.1
Apple Safari 5.1.2 [Warning; see below]
Google Chrome 16.0.912.77
Internet Explorer 9.0.8112.16421
Java SE 6 Update 30
Mozilla Firefox 10.0

Newly Announced Un-patched Vulnerabilities

None

Special Advisory Warning

Symantec pcAnywhere: As we reported last week in our Cyber Security News of the Week, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

For Your IT Department

None

Important Un-patched Vulnerabilities

ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products, specifically FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee products to open un-trusted files. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, June 12, 2011. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18, 2011.

ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user's system. Readers should refrain from opening un-trusted files, in particular CDR files, in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11, 2011 remains un-patched. We recommend users disable the Flash player in their browsers.

Android Browser: Secunia reports a vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned not to rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Apple Safari: Secunia reports a non-critical un-patched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) on HTC products remains un-patched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains un-patched. Users are advised to not open files from un-trusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection remains un-patched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.

Microsoft Windows: Secunia reports a highly critical un-patched vulnerability in Windows 7 Professional 64-bit. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening un-trusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains un-patched. Readers should refrain from opening un-trusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain un-patched. Readers should refrain from opening un-trusted files in PDF-Pro. We first alerted readers to these vulnerabilities in Weekend Vulnerability and Patch Report, March 4, 2011.

Photoshop Elements: Adobe Photoshop Elements versions 1 through 8 contain a highly critical un-patched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812, and Adobe reports that it affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user's system. Users should not view un-trusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

VLC Media Player: VLC has released an advisory regarding a highly critical un-patched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player version 1.1.13 will address the issue. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.


If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they issue an update (patch) to fix the code running on their customers' computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week's important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
