Sunday, November 7, 2010

Weekend Vulnerability and Patch Report, November 5, 2010

Adobe Update for Flash Player: Adobe has now fixed the 0-day Flash vulnerability we reported last week. This update fixes 18 different security holes. Readers are urged to update their Flash version to version 10.1.102.64. Updates are available for Windows, Macintosh, Linux, and Solaris versions of Flash. If you use Internet Explorer in addition to other browsers, you will need to apply this update twice: once to install the Flash ActiveX control for IE, and again to update the plugin used by other browsers, such as Firefox or Google Chrome. The new version is available from this link, but be aware that if you accept all of the default settings, the update may include additional software, such as a toolbar or anti-virus scanner.
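Because the IE ActiveX control and the plugin used by other browsers are updated separately, a machine can easily end up with one fixed and the other still vulnerable. The following is an added example (not from the original report) that compares the Flash version each install reports against the fixed version named above; the host names and version strings in the inventory are constructed for illustration.

```python
import re

# Fixed Flash Player version named in the report above.
FIXED_FLASH_VERSION = "10.1.102.64"

def parse_flash_version(text):
    """Return a 4-tuple of ints from a Flash version string, or None.

    Flash reports versions as "10.1.102.64", "10,1,102,64" (registry
    style) or "WIN 10,1,102,64" (what the ActiveX control reports).
    """
    match = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())

def is_patched(version_text, minimum=FIXED_FLASH_VERSION):
    """True when the reported version is at least the fixed version.

    Components are compared numerically, so "10.1.85.3" correctly ranks
    below "10.1.102.64" (a plain string comparison would get this wrong).
    """
    found = parse_flash_version(version_text)
    if found is None:
        return False  # unreadable version: treat as needing attention
    return found >= parse_flash_version(minimum)

def flash_updates_needed(inventory, minimum=FIXED_FLASH_VERSION):
    """Per host, list which Flash installs still need the update.

    inventory maps host -> {"activex": str|None, "plugin": str|None};
    None means that flavour of Flash is not installed on the host.
    """
    needed = {}
    for host, installs in inventory.items():
        stale = [kind for kind, ver in installs.items()
                 if ver is not None and not is_patched(ver, minimum)]
        if stale:
            needed[host] = sorted(stale)
    return needed

# Constructed sample inventory (not real hosts): ws-01 updated only the
# IE ActiveX control and missed the Firefox plugin, as the report warns.
SAMPLE_INVENTORY = {
    "ws-01": {"activex": "WIN 10,1,102,64", "plugin": "10.1.85.3"},
    "ws-02": {"activex": "WIN 10,1,102,64", "plugin": "10,1,102,64"},
    "ws-03": {"activex": "10.1.82.76", "plugin": None},
}
```

Running `flash_updates_needed(SAMPLE_INVENTORY)` flags ws-01 for its plugin and ws-03 for its ActiveX control, while ws-02 is fully updated.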

Microsoft Warns of New IE 0-Day Vulnerability: Microsoft warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software on user workstations. User workstations can be compromised simply by visiting a compromised web site. (Compromised web sites are all too common. See our blog posts of April 19: Visitors to Web Sites Hosted by Network Solutions Again at Risk and August 16: Network Solutions Once Again Serves Up Malware.) Hopefully Microsoft will update IE on this week's Patch Tuesday. We recommend using Firefox with the NoScript add-on for Internet browsing, particularly until this 0-day is patched.

Mobile Banking Security Holes Discovered; Great Caution Urged: Be very careful if you access your bank account from your iPhone or Android. Security research firm viaForensics reports that mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes. The bugs could potentially allow a hacker to learn your username, password, and financial information. Information could be stolen just by visiting a malicious website. According to The Wall Street Journal and Yahoo News, Wells Fargo and USAA have already released updates, Bank of America should have an update out in the next few days, and TD Ameritrade will fix the issue in the next 30 days. We continue to urge great caution in mobile online banking. If you don't absolutely need it, don't use it. Readers who must use mobile online banking are urged to upgrade their online banking apps as quickly as upgrades become available.

Beware of ThinkPoint and Other Fake Anti-Virus Products: A small business we know was recently infected with ThinkPoint. It was delivered via a fake Microsoft Security Essentials Alert that was clicked on by an unsuspecting employee. Once installed, ThinkPoint tried to prevent the company from using the workstation until it paid money to buy a licensed version of useless software. ThinkPoint is just one more reminder of how users must be extremely careful what they allow to run on their computers. Don't trust a reminder to upgrade or install software unless you're sure it's legit. Set Microsoft to update automatically. Check Adobe products regularly. Follow our alerts. Better safe than sorry.

If you are responsible for keeping your computer secure, this is for you. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they issue an update patch to fix the code running on their customers' computers.

The Weekend Vulnerability and Patch Report is intended to raise user awareness of cyber security challenges by alerting readers to some of the week's important vulnerability news and updates.

© Copyright 2010. Citadel Information Group. All Rights Reserved.