Security updates from major companies dominated headlines this week, as Microsoft, Apple, Adobe and Oracle pushed out critical patches. Many of the fixed vulnerabilities, if exploited, would have given remote attackers the ability to execute code on the compromised systems.
The week began with Microsoft releasing its Patch Tuesday updates, fixing 64 bugs across 17 bulletins. In this, the biggest Patch Tuesday to date, the fixes for Internet Explorer and for the file-sharing protocol Samba had the highest priority, according to Microsoft's release bulletin. Microsoft also addressed 30 issues in the Windows kernel, the heart of the operating system, to prevent malware from executing with administrative privileges. IT administrators were encouraged to apply the updates promptly because practically every supported operating system version and many other commonly used programs were affected.
Oracle announced that it will address 73 vulnerabilities in its quarterly update, scheduled for next week on April 19. The Critical Patch Update will cover several Oracle products beyond the flagship database software: Oracle plans to release patches fixing six issues in the Oracle database, 14 in the PeopleSoft suite, eight in the JD Edwards suite and three in Siebel CRM. Some server-side Java patches are also expected, but not client-side Java patches, which will be available June 7.
Apple also announced three minor updates this week: one for iOS, one for Safari and a general Security Update for Mac OS X. The iOS update was released in two versions: 4.3.2 for GSM-based iPhones, recent versions of the iPod Touch, the original iPad and the iPad 2, and 4.2.7 for CDMA-based iPhones. This was the first update for Verizon customers since February. The iOS updates and the latest Safari version addressed multiple WebKit vulnerabilities that had been identified during CanSecWest’s Pwn2Own competition in March. In the Security Update for Mac OS X, Apple also addressed the fraudulent certificates mistakenly issued by a Comodo partner in mid-March.
Adobe ended the week by releasing an updated Flash Player to fix yet another zero-day bug. According to the security advisory issued earlier in the week, an exploit was already in the wild: a malicious Flash file embedded inside a Microsoft Word document and emailed as an attachment to unsuspecting victims.
Former presidential rivals Sens. John Kerry and John McCain jointly introduced the long-anticipated consumer bill of rights in the Senate. The privacy bill, if passed, would require companies to inform consumers what data is being collected about them and to provide a clear way to opt out.
The White House also unveiled the final version of the National Strategy for Trusted Identities in Cyberspace, a plan to create a trusted identity ecosystem that consumers can use to protect themselves from fraud and identity theft online.
Everything is bigger in Texas, and data breaches don’t appear to be an exception. The state comptroller’s office announced that personal data for 3.5 million residents had been accidentally exposed on a publicly available FTP server for at least a year.