Landmark Leadership Conferences for IT Executives
 
Weekend Vulnerability and Patch Report, February 3, 2013
by Fred F. Farkel, Monday, February 4th, 2013

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Apple iOS: Apple has released iOS 6.1 for the iPhone 3 GS and later, iPod touch 4th generation and later, and iPad 2 and later to address multiple vulnerabilities. The update is available through iTunes.

Apple TV: Apple has released an update to fix a vulnerability in its TV. To update to version 5.2, select Settings > General > Update Software through the TV.

D-Link Wireless Camera: D-Link has released two updates to fix a moderately critical vulnerability in two of its cameras; DCS-930L and DCS-932L. The updates are available for DCS-930L and DCS-932L through D-Link’s website.

Foxit PDF-Reader: Foxit has released version 5.4.5.0124 to fix a highly critical vulnerability. The update is available from Foxit’s website.

Java for Apple Mac OS X: Apple has released Java 1.6.0_37 for Mac OS X 10.6 Update 11 to fix at least 30 vulnerabilities, some of which are highly critical. Updates are available from Apple’s website.

Opera: Opera Software has released version 12.13 of its Opera browser to correcthighly critical vulnerabilities. The update is available from Opera Software’s website.

Oracle Java: Oracle has released Java 7 Update 13 to fix at least 39 extremely critical vulnerabilities. Note: The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.

Current Software Versions

Adobe Flash 11.5.502.146 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.3.378.5 [Windows 8: IE]

Adobe Flash 11.5.502.146 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.01

Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 18.0.1 [Windows]

Google Chrome 24.0.1312.56

Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]

Internet Explorer 10.0.9200.16466 [Windows 8: IE]

Java SE 7 Update 13 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.3 (1680.64)

Safari 5.1.7  [Windows, See warning below]

Safari 6.0.2 [Mac OS X]

Skype 6.1.0.129

Newly Announced Unpatched Vulnerabilities

Universal Plug and Play (UPnP)US-CERT and others have announced that multiple critical vulnerabilities have been found in the software used by Universal Plug and Play. Rapid7 offers a free scanner that checks whether one’s network-enabled devices might be vulnerable to attack through the UPnP protocol. Rapid7s free scanning tool is available here. Cisco has acknowledged the problem in its Linksys routers here and its non-Linksys equipment here. Other router manufacturers have yet to comment. In line with industry recommendations, Citadel advises users to disable UPnP on endpoint devices that use the protocol on their internal network and on their Internet router. For ongoing information see the story on our Cyber Security News of the Week, February 3, 2013.

VLC Media Player: Secunia reports a highly critical vulnerability in VLC’s Media player, version 2.05 and prior. No patch is available at this time.

For Your IT Department

Cisco Multiple Products: Cisco has released updates for multiple products, including its NAC appliance, IOS XR, Adaptive Security Appliances (ASA), WebEx Social and others. Apply appropriate updates.

Novell GroupWise Client: Secunia reports at least 2 highly critical vulnerabilities in Novell’s GroupWise Client. Update to version 8.0.3 Hot Patch 2 (or later) or 2012 SP1 Hot Patch 1.

Oracle JavaFX: Secunia reports at least 13 highly critical vulnerabilities in Oracle’s JavaFX. Update to version 2.2.5.

VMWare: Secunia reports moderately critical vulnerabilities in several of VMWare’s products, including vSphereESXi, ESX Server and others. Apply appropriate patches and partial fixes.

Wireshark: Secunia reports at least 19 vulnerabilities, some of which are highly critical in Wireshark’s product. Update to version 1.8.5 or 1.6.13.

Important Unpatched Vulnerabilities

Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

AOL downloadUpdater2 Firefox Plugin: Secunia reports a highly critical vulnerabilityin version 1.3.0.0. Other versions may also be affected. No solution is currently available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12, 2012.

Apple Safari for Windows: Secunia reports a moderately critical vulnerability in Apple’s Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.

Apple Safari for Windows: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.

HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability inWeekend Vulnerability and Patch Report, February 11, 2011.

HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.

Microsoft Windows XP: less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.

Microsoft Word: highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.

Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched.  Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.

PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.

Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.

Samsung / Dell Printers: Secunia reports a moderately critical security issue in Samsung’s ML-2580 and ML-4050 Monochrome Laser Printers and Dell’s 2145cn and 2335dn Multifunction Printers. We first alerted readers to this vulnerability inWeekend Vulnerability and Patch Report, December 2, 2012.

Samsung Galaxy S III: Secunia reports two highly critical vulnerabilities in the Galaxy S3 device. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 14, 2012.

Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.

VLC Media Player: As we reported in our Cyber Security News of the Week, December 16, 2012, Secunia reports a highly critical vulnerability in the VLC Media Player. No patch is available at this time.

ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in their programs dating back more than a year. Consequently Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of their security vulnerabilities in opening doors to cyber criminals . The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Comments Off on Weekend Vulnerability and Patch Report, February 3, 2013

Comments are closed.