Practically everyone had a software update this week, as enterprises reeled from the revelation that Nortel had intruders monitoring its communications for almost a decade
Patches were on every administrator's mind this week, as Microsoft,
Adobe, Google, Oracle and Mozilla all released security updates. Microsoft fixed
21 vulnerabilities, of which XXX was critical, as part of its February
. This month's patches were unusual in the number of vulnerabilities
fixed in newer versions of Internet Explorer and Windows.
Adobe released security updates over two days. On the first
day, the company addressed vulnerabilities in its Shockwave
and a help authoring tool. The company followed up with another
update to Flash
, and disclosed that one of the critical bugs fixed was already being
exploited in the wild. The company didn't provide much detail or mitigation
advice about the zero-day, other than to disclose the fact that it was being
used in targeted attacks against Internet Explorer users on Windows.
"It sure would have been nice if Adobe bundled all
their patches together," said Andrew Storms, director of security
operations for nCircle.
Google updated its Chrome
to include the patched Flash Player plug-in, and went ahead and
fixed a serious flaw in the libpng library that could be remotely exploited.
Mozilla followed suit two days later to fix the same bug in Firefox and
Oracle fixed 14 security vulnerabilities in its Java Runtime
Environment, of which five were rated critical.
The Wall Street Journal reported this week that
cyber-attackers had breached
as early as 2000, and had remained in the environment for
nearly a decade eavesdropping on emails and downloading files containing
sensitive and proprietary data. A former Nortel employee disclosed how the
intruders had used login credentials stolen by seven senior executives. It was
likely that this kind of breach was occurring
at other organizations
but weren't being disclosed.
Congress asked Apple to clarify its stance on its iOS
developer framework after reports emerged of iOS applications that were uploading
and storing user contacts
from mobile devices and storing it without
informing users. It turned out a number of iOS apps were guilty of this
practice. Apple has promised to update
to require developers to explicitly
collect user consent.
On the positive side for user privacy, Twitter joined Google
in the very exclusive HTTPS-enabled-by-default
club. The micro-blogging site had rolled out the option to allow users to
access Twitter.com via an encrypted connection last year, but had kept it off
by default. The company decided to turn on the setting for all users to ensure
the traffic is encrypted at all times.
Mozilla warned that issuing subordinate root certificates to
customers to be used to eavesdrop on encrypted Secure Socket Layer (SSL)
traffic would not be tolerated. Mozilla released a draft
of a letter
that it plans to send to all the certificate authorities in its
trusted root list informing them that they have two months to make sure they
are not engaged in this kind of a practice. The letter was prompted by
Trustwave's disclosure last week that it had issued one such certificate to a
customer, but had revoked it voluntarily.