Security Vulnerabilities near Apocalyptic Proportions

We’ve had a heck of a week in the security world. I really don’t know where to begin. Most people think of the Apocalypse as the end of the world but the origin of the term is the “disclosure to certain privileged persons of something hidden from the majority of humankind”. That’s what happen this week. Those who were paying attention were informed about a number of security flaws that hopefully have been corrected. If you haven’t taken advantage of these updates you should.

The first came from Microsoft with what’s called an “out of band” security update. If you think it sounds serious, you’re correct. If you don’t have automatic updates on your Windows machine, it’s time to run the Windows update program.

Microsoft Security Advisory 973882
Microsoft Security Bulletins MS09-034 and MS09-035

Also on Tuesday the folks at Mozilla admitted there’s a vulnerability in Firefox where “The URL in the address bar can be spoofed when a new window or tab is opened by a malicious web page.” This could result in a phishing attack and not necessarily a huge issue. Mozilla has found and fixed this issue which will be rolled out in the next release.

On Thursday Adobe announced “Security updates available for Adobe Flash Player.“ This vulnerability could allow an attacker to take control of your machine if you’re running Windows, Mac OS and even Linux. More info at http://www.adobe.com/support/security/bulletins/apsb09-10.html. Adobe also recognizes that their Shockwave Player is affected by the recent Microsoft advisory so they recommend upgrading to the newest Shockwave Player at http://www.adobe.com/support/security/bulletins/apsb09-11.html

The fun really began at the BlackHat Security conference when three researchers acknowledged they provided Apple with details on how they could hack into and take control of someone's iPhone. They gave Apple two weeks to fix the problem before making the information public. Apple announced today they will be updating users the next time they plug their iPhones into their computers. Unfortunately, one of the vulnerabilities discovered affects more than just the iPhone. A large number of phones which accept SMS messaging may be at risk.

Before you want to go running for the hills I’ll share one last bit of news. Remember all the talk earlier this year about the Conficker virus? Well, stay-tuned this month to hear about the financial trojan called Clampi. This one may also get more attention then you think it deserves but there’s no doubt what the purpose of Clampi is. It’s all about the money.

“Clampi banking trojan misdirects business wire transfers.”

Have a great weekend!