We'll start with November's Patch Tuesday and go forward from there. The final article linked below is definitely something anyone who uses open WiFi hotspots in Starbucks and other places should read. Also, if you use Flash Player or Adobe Reader, both have had critical patches in the last month. If your systems haven't been updated, you need to patch them NOW. Foxit Reader has also had an update. IE 6 and 7 have an unpatched flaw which is being exploited "in the wild", so avoid using IE if you possibly can.
November Patch Tuesday: Critical security holes in Microsoft Office | ZDNet
By Ryan Naraine | November 9, 2010, 10:43am PST
Microsoft has shipped a patch to fix several critical security holes affecting its Office productivity suite and warned that hackers can use RTF (Rich Text Format) e-mails to launch code execution attacks.
The MS10-087 bulletin, which is considered a high-priority update, patches a total of 5 documented vulnerabilities affecting all currently supported Microsoft Office products.
It is rated critical for Office 2007 and Office 2010 because of a preview pane vector in Microsoft Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF file, the company explained.
- SANS: November 2010 Microsoft Black Tuesday Summary
- Microsoft Plugs Office Holes, But No IE Fix Yet — Krebs on Security
Mac OS X security flaw publicized after Apple fails to patch | ZDNet
By Ryan Naraine | November 10, 2010, 12:23pm PST
Penetration testing specialists Core Security has publicly released information on a serious security vulnerability in Apple’s Mac OS X and criticized the computer maker for delaying the release of a patch.
The vulnerability, which only affects Apple Mac OS X v10.5, could allow hackers to take complete control of a vulnerable machine via malicious PDF files.
In an advisory, Core Security said Apple claims it already has a patch prepared for this issue but failed to release the fix despite several promises.
Apple did not give any reasons for skipping the patch release.
Flash Update Plugs 18 Security Holes — Krebs on Security
[ASF: November 4th, 2010]
Adobe on Thursday released an update to its Flash Player software that fixes at least 18 security vulnerabilities, including one that is being exploited in targeted attacks.
Critical Updates for Adobe Reader, Acrobat — Krebs on Security
[ASF: November 16th, 2010]
Adobe on Tuesday issued a critical update to patch at least two security holes in its PDF Reader and Acrobat software, including one flaw that was publicly disclosed earlier this month.
- Adobe patches under-attack Reader bug
- Adobe - Security Bulletins: APSB10-28 - Security updates available for Adobe Reader and Acrobat
By Gregg Keizer, Computerworld - November 18, 2010 02:01 PM ET
Adobe today released Reader X, the next version of its popular software that includes a "sandbox" designed to protect users from PDF attacks.
Reader X on Windows features Protected Mode, a technology that isolates system processes, preventing or at least hindering malware from escaping the application to wreak havoc on the computer.
The new version is also available for Mac OS X and Android, but those editions lack the sandbox.
Apple patches critical 'drive-by' Safari bugs
By Gregg Keizer, Computerworld - November 18, 2010 02:01 PM ET
Apple today patched 27 vulnerabilities in Safari for Mac OS X and Windows, 85% of them critical bugs that could be exploited to hijack Macs or PCs.
Internet Explorer 0-day Malware Infects Amnesty International Hong Kong Website Visitors | CyberInsecure.com
Visitors to Amnesty International’s Hong Kong website are being bombarded with a host of lethal exploits, including one that attacks an unpatched vulnerability in Microsoft’s Internet Explorer browser, researchers at security firm Websense said.
The injected IE attack code resides directly on the pages of amnesty.org.hk, an indication that the perpetrators were able to penetrate deep into the website’s security defenses. The code exploits a vulnerability disclosed last week that gives attackers complete control over machines running default versions of IE 6 and 7. Version 8 isn’t vulnerable, thanks to security protections built into the browser.
Firesheep Exposes Need For Encryption -- InformationWeek
Using Facebook, Twitter, Yelp, Flickr, or other Web services on an open WiFi network could lead to account hijacking.
An open-source Firefox extension called Firesheep has shined a spotlight on just how insecure it is to use unprotected WiFi networks.
It's widely known that unprotected WiFi networks make sensitive data readily available for anyone with the technical skill necessary to find it ...
Firesheep allows anyone to scan unprotected WiFi networks for users who are logged into Facebook, Twitter, Google, Amazon, and a variety of other Web 2.0 services and to impersonate those users by hijacking their session cookie.
"On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy," wrote Firesheep creator Eric Butler in a blog post. "This is a widely known problem that has been talked about to death, yet very popular Web sites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the Web as HTTPS or SSL."
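The Firesheep excerpt above makes the defender's point: a session cookie that the browser is willing to send over plain HTTP is exposed to anyone on the same open network, and only HTTPS plus the right cookie attributes closes that gap. The following is an added example, not code from the article, from Firesheep, or from any of the sites named; it audits the Set-Cookie headers of a response for the attributes that keep a session cookie off the wire in the clear. The sample headers are constructed for illustration, and the name heuristics in SESSION_NAME_HINTS are an assumption, not a standard.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
off the wire in the clear (added example, not from the quoted article)."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: cookie names containing these fragments are treated as
# session-bearing. Adjust for the application being reviewed.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    session_like: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value: str, served_over_https: bool) -> CookieReport:
    """Report why a cookie could be captured by a passive observer.
    A cookie without Secure is sent on every http:// request to the
    domain, even if the login itself happened over HTTPS, which is
    exactly the exposure Firesheep demonstrated."""
    name, _value, attrs = parse_set_cookie(header_value)
    report = CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        session_like=any(h in name.lower() for h in SESSION_NAME_HINTS),
    )
    if not served_over_https:
        report.findings.append(
            "set over plain HTTP: value is already visible on the network")
    if not report.secure:
        report.findings.append(
            "missing Secure: browser will also send it over http:// links")
    if not report.httponly:
        report.findings.append(
            "missing HttpOnly: readable by any script on the page")
    return report


def audit_response(headers: List[Tuple[str, str]],
                   served_over_https: bool) -> List[CookieReport]:
    """Audit every Set-Cookie header in a (name, value) header list."""
    return [audit_cookie(v, served_over_https)
            for k, v in headers if k.lower() == "set-cookie"]


if __name__ == "__main__":
    # Constructed sample: a 2010-style site that logs in over HTTPS but
    # sets its session cookie without Secure or HttpOnly.
    weak = [("Content-Type", "text/html"),
            ("Set-Cookie", "session_id=abc123; Path=/; Domain=.example.com")]
    # Constructed hardened equivalent.
    strong = [("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly")]
    for label, hdrs in (("weak", weak), ("strong", strong)):
        for r in audit_response(hdrs, served_over_https=True):
            print(label, r.name, "session-like" if r.session_like else "",
                  r.findings or "ok")
```

Run against a real response by feeding it the header list an HTTP client returns; a session-like cookie with any finding is one a network observer on an open hotspot could reuse, and the fix is the one the excerpt names, HTTPS everywhere plus the Secure attribute so the browser never sends the cookie in the clear.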