This is a roundup of the most important security vulnerability alerts announced and patches issued between March 10 and 23, 2011. Most affect Windows operating systems, but some also target Macintosh and Linux computers, and several target mobile platforms (iOS, Android and BlackBerry). By applying vendors' patches as they are released you can keep your computers secured against the exploits targeting these vulnerabilities.
The following security alerts were issued in the past two weeks, listed newest first and oldest last.
Fraudulent SSL Certificates
March 23, 2011
There have been recent published reports that at least nine fraudulent SSL certificates were issued through a compromised Comodo registration authority account. The certificates are "fraudulent" in the sense that the requester did not control the domains named in them; they were nevertheless signed by a Comodo CA that browsers trust, so they chain to a trusted root and pass normal certificate validation. An attacker holding one of them, together with a position between the victim and the site (for example through DNS tampering or a hostile network), could masquerade as the trusted website. Comodo has revoked the certificates, but because browsers commonly ignore a revocation check that fails, multiple web browser vendors have also provided updates that hard-code these certificates as untrusted.
Mozilla has updated Firefox 4.0, 3.6, and 3.5; you get the fix by upgrading your Firefox browser via Help > "Check for Updates." Firefox 3.6.16 (and 3.5.18) blacklists the fraudulently issued certificates so that they are rejected even though they chain to a trusted root.
Microsoft has released an update (Microsoft Security Advisory 2524375) that places the fraudulent certificates in the Windows Untrusted Certificates store, so Internet Explorer and any other Windows software that relies on the system certificate store rejects them. You can obtain it via Windows Update (under "Express").
Finally, Google Chrome was updated on March 22 to version 10.0.648.151 for Windows, Mac, Linux and Chrome Frame. This release blacklists the revoked Comodo HTTPS certificates.
Adobe Releases Security Updates for Reader and Acrobat
March 22, 2011
Adobe has released updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address a vulnerability in the authplay.dll component, the embedded copy of Flash Player that renders Flash content inside PDF files. Exploitation of this vulnerability may allow an attacker to execute arbitrary code, and it is the same flaw addressed by the March 21 Flash Player update described below. End users and system administrators should review Adobe security bulletin APSB11-06 and apply any necessary updates to mitigate the risks posed by this vulnerability.
Apple patches 56 bugs in Mac OS X
March 22, 2011
Apple on Monday (March 21) patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines running Mac OS X 10.6, code-named "Snow Leopard." The patched version is 10.6.7.
Of the 56 bugs patched in the update for Snow Leopard, 45 carry the description that exploitation could lead to arbitrary code execution. Translated, that means an attacker can run code of their choosing with the privileges of the affected user or service, which in practice is usually enough to take over the machine (even on a Mac!).
According to Apple's advisory, more than a dozen of the bugs can be exploited by "drive-by" attacks that run as soon as a victim browses to a malicious web site with an unpatched edition of Mac OS X.
The update to Mac OS X 10.6.7 also fixed several non-security bugs including issues in the AirPort Wi-Fi driver and other usability and stability improvements.
Use your Apple software updater to obtain the latest version of OS X.
Adobe Releases Flash Player Update
March 21, 2011
Adobe has released an update for Flash Player to address multiple vulnerabilities (see this Adobe bulletin). These vulnerabilities affect Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.106.16 and earlier versions for Android. Exploitation of these vulnerabilities may allow an attacker to cause a denial of service or execute arbitrary code. One of the flaws was already being exploited in targeted attacks before the patch, using a malicious Flash (.swf) file embedded in a Microsoft Excel (.xls) attachment, and the same flaw is fixed in the Reader and Acrobat authplay.dll update of March 22.
Windows, Macintosh, Linux and Solaris users should upgrade to Adobe Flash Player 10.2.152.26 by downloading it from the Adobe Flash Player Download Center. Note that Google Chrome bundles its own copy of Flash Player and updates it through Chrome releases, so Chrome users should check their Chrome version rather than the system-wide plugin.
Users of Flash Player for Android version 10.1.106.16 and earlier can update to Flash Player version 10.2.156.12 by browsing to the Android Market on an Android phone.
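One way to turn the fixed versions named in this roundup into a check you can run against a software inventory. This is an added example, not code from the original post or from any vendor: the product labels are names chosen here (not vendor identifiers), the inventory it checks is constructed sample data, and the comparison is plain component-wise numeric ordering, which is what you need because the desktop and Android Flash Player tracks carry different numbers and because string comparison sorts "9.0.280.0" after "10.2.152.26".

```python
"""Patch-compliance check for the fixed versions named in this roundup.

Added example (not from the original post or any vendor). Compares
installed versions against the fixed versions the bulletins name.
The SAMPLE_INVENTORY below is constructed sample data, not real hosts.
"""
import re

# Fixed versions quoted in the roundup (March 10-23, 2011). Labels are
# chosen here for this example; they are not vendor product identifiers.
MINIMUMS = {
    "flash_player_desktop": "10.2.152.26",  # Windows/Mac/Linux/Solaris track
    "flash_player_android": "10.2.156.12",  # Android track, separate numbering
    "chrome": "10.0.648.151",               # March 22 build supersedes .134
    "firefox_3_6": "3.6.16",                # per-branch minimum for Firefox 3.6
    "safari": "5.0.4",
    "mac_os_x": "10.6.7",
    "ios": "4.3",
}


def parse_version(text):
    """Turn '10.2.152.26' into (10, 2, 152, 26).

    Parsing stops at the first component that does not start with a digit,
    so '4.3b1' becomes (4, 3). Raises ValueError if nothing numeric is found.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    return tuple(parts)


def is_patched(installed, minimum):
    """True when installed >= minimum, compared component-wise as integers.

    Missing trailing components count as zero, so '10.2' is below
    '10.2.152.26' but equal to '10.2'. Plain string comparison gets the
    major-version boundary wrong ('9.0.280.0' > '10.2.152.26').
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def outstanding(inventory, minimums=MINIMUMS):
    """Return {label: (installed, required)} for every inventory entry that is
    still below its fixed version. Labels with no known minimum are skipped."""
    return {
        name: (ver, minimums[name])
        for name, ver in inventory.items()
        if name in minimums and not is_patched(ver, minimums[name])
    }


# Constructed sample inventory for one machine (not real data).
SAMPLE_INVENTORY = {
    "flash_player_desktop": "10.1.102.64",  # "and earlier": still vulnerable
    "flash_player_android": "10.2.156.12",  # at the fixed version
    "chrome": "10.0.648.134",               # March 17 build, superseded
    "firefox_3_6": "3.6.16",                # at the fixed version
    "safari": "5.0.3",
    "mac_os_x": "10.6.6",
    "ios": "4.2.1",
}

if __name__ == "__main__":
    for name, (have, need) in sorted(outstanding(SAMPLE_INVENTORY).items()):
        print("%-22s installed %-12s needs %s" % (name, have, need))
```

Run it and the five entries below their fixed versions are listed; Firefox is keyed per branch on purpose, since a 3.5.18 install is fully patched even though it is numerically below 3.6.16.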
Google Releases Chrome 10.0.648.134
March 17, 2011
Google released Chrome 10.0.648.134 for Windows, Mac, Linux, and Chrome Frame. This release contains an updated version of the Adobe Flash player that addresses a vulnerability. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.
Note that the March 22 Chrome release (10.0.648.151) includes and supersedes this one.
Apple Releases Safari 5.0.4
March 10, 2011
Apple has released Safari 5.0.4 to address multiple vulnerabilities in the ImageIO, libxml, and WebKit packages. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or conduct cross-site scripting attacks.
Users of Safari browsers should review Apple article HT4566 and apply any necessary updates to help mitigate the risks.
Apple Releases iOS 4.3
March 10, 2011
Apple has released iOS 4.3 for the iPhone 3GS and later, iPod touch (3rd generation) and later, and iPad to address multiple vulnerabilities. These vulnerabilities affect the CoreGraphics, ImageIO, libxml, Networking, Safari, and WebKit packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
Users of these devices should review Apple article HT4564 and apply any necessary updates to help mitigate the risks. Older devices that cannot run iOS 4.3 (the iPhone 3G and the 2nd-generation iPod touch) do not receive these fixes.
In addition, a security advisory was published on March 16 for owners of BlackBerry devices: "Vulnerability in WebKit browser engine impacts BlackBerry Device Software version 6.0 and later." The details are as follows:
A vulnerability exists in the open source WebKit browser engine provided in BlackBerry Device Software version 6.0 and later. The issue could result in remote code execution (RCE) on affected BlackBerry smartphones. Successful exploitation of the vulnerability requires the user to browse to a website that the attacker has maliciously designed. The attacker would then be able to read or write to the built-in media storage section of a BlackBerry smartphone or to the media card, but not to access user data that the email, calendar and contact applications store in the application storage (the internal file system that stores application data and user data) of the BlackBerry smartphone.
Application storage is the only place on a device from which applications can be run. Sections of application storage can also hold files that a user downloads or saves to device memory. Exploitation of the vulnerability does not allow access to this part of BlackBerry smartphone memory.
Finally, you should keep an up to date version of the best anti-everything program you can afford on every computer that connects to the Internet, or into which you plug a USB memory device (they get infected too). If you want my recommendation, try out Trend Micro Internet Security products, like Trend Micro's Titanium Maximum Security suite. If you decide to buy a subscription, use coupon code spring30 in the shopping cart and you will save 30% off the regular price. This discount code ends on April 25, 2011, so download the program and evaluate it for free for a month, but use the discount code before it expires.