Adobe Fixes Flash Player Vulnerability

Last week Adobe published an unscheduled emergency patch for Flash Player to address many critical security issues.

Systems affected:

  • Flash Player versions up to and including for Windows, Mac OS X, Linux and Solaris
  • Versions and earlier for Android

The Flash Player updates are the company’s response to a recently discovered universal cross-site scripting (XSS) hole. According to Adobe, the vulnerability is already being actively exploited by attackers to bypass the same origin policy, allowing them to, for example, take actions on a user’s behalf on any Web site, or steal a victim’s cookies. For an attack to be successful, a victim must click on a malicious link.

Get the latest Adobe Flash Player.


One-Third of Massachusetts Residents Have Data Compromised

As reported in a Network World article, personal information on about one-third of Massachusetts residents has been compromised. This number comes from the state’s attorney general (AG), Martha Coakley, citing statistics gleaned from the state’s tough data breach reporting law. About 2.1 million of the state’s roughly 6.6 million residents had some form of personal data put at risk in 1,166 reported theft incidents, the AG said, according to a report in the Boston Globe.

Coakley was citing numbers gathered from the start of 2010 through August 2011. She said she is reviewing the data to see whether the law, which imposes heavy fines for non-compliance by entities entrusted with this information, is cutting back on breaches that lead to compromises.

The cause? The AG said a combination of hacking, errors by employees, and a growing body of personal data stored electronically by businesses will put that data at more risk over time. The largest breach in the time period the AG is reviewing involved information on about 800,000 people that was lost by a vendor hired to destroy it.

Try the data breach quiz to test your awareness of the problem.

Microsoft Security Updates for September 2011

Last Tuesday, Microsoft released multiple patches to fix vulnerabilities in the following systems:

  • Microsoft Windows
  • Microsoft Office
  • Microsoft Server Software

Microsoft published five bulletins categorized as “important” to close 15 holes. Most of the bulletins fix vulnerabilities in Microsoft Office, which attackers can use to inject malicious code and escalate privileges. A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system. The Windows Malicious Software Removal Tool also received current virus signatures. It is recommended that you apply the patches as they become available. The updates were released by MIT WAUS last week.

Microsoft Security Bulletin Summary.

Adobe Patches for Reader and Acrobat

September 13 was also Adobe’s patch day. The company’s patches closed critical holes in all currently maintained versions of Adobe Reader and Acrobat both for Windows and Mac.

See the bulletin for information on the updates and to access the latest downloads.

Windows 8 Has ‘Tons’ of Security Features

According to a recent article in the Register, Microsoft’s new operating system Windows 8 (still in Beta) will include several new security features, such as built-in virus protection that scans boot drives for malware. There is also built-in spam filtering.

You can view a video of last week’s presentation at the company’s BUILD conference in Anaheim, California as well as the full article at

Social Networking Safety Tips

This month’s “OUCH!” newsletter by the SANS Institute covers social networking sites such as Google+, Facebook, Twitter and LinkedIn. The newsletter covers the risks and how to use these sites safely.

Download the English version here (pdf).

Apache Denial-of-Service Update

In the last Security FYI issue, we included a warning about the Apache web server DoS (denial of service) vulnerability, in which a relatively low number of requests directed at the server causes a denial of service condition. After this warning went out, Red Hat released patched Apache packages for RHEL 4, 5 and 6 on September 1. See the Red Hat security update.