It was the week of patches as Microsoft finished off the year with 13 security bulletins in its December Patch Tuesday. While the number of vulnerabilities fixed was on par with previous months, the low number of “critical” patches raised some eyebrows. Only three were considered critical, while the remaining 10 were rated “important” and covered a hodgepodge of bugs.
While the Windows Media drive-by flaw and the TrueType font parsing zero-day vulnerability exploited by the Duqu Trojan were fixed, Microsoft at the last minute held back the patch that would have closed the Secure Sockets Layer vulnerability affecting Web servers that is being targeted by the BEAST exploit tool. Microsoft said the patch was delayed because there are some testing issues with a third-party vendor.
Adobe had two updates the week of Dec. 12, rolling out an update to its ColdFusion Web application development platform on the same day as Microsoft’s Patch Tuesday, as well as an out-of-band patch to close a zero-day vulnerability in Adobe Reader and Acrobat 9.x. The ColdFusion patch, rated “important,” closed a flaw that would have allowed attackers to launch a cross-site scripting attack, Adobe said.
The zero-day vulnerabilities in Adobe Reader and Acrobat 9.x were related to memory corruption issues in the technology used by the programs to manipulate 3D objects. While the issue existed in both Adobe Reader and Acrobat 9.x and X, Adobe fixed only version 9 because there was an active exploit in the wild taking advantage of the flaw on the Windows platform. Reader and Acrobat X and the programs for Unix and Mac OS X will be patched as part of the quarterly software update on Jan. 10 because Adobe is confident that those platforms are less vulnerable to this exploit.
Microsoft also announced that Internet Explorer will be silently updated to the latest version for users who have Automatic Updates enabled on their Windows machines beginning in January. All users on Windows XP will be upgraded to IE8, and subsequent updates will be applied silently, making it one less thing for users to have to worry about. Vista and Windows 7 users will be upgraded to IE9.
Carrier IQ continued to generate controversy as congressional lawmakers demanded to know how its monitoring software is being used by the mobile carriers and exactly what kind of information is being collected from smartphones.
The company also released a detailed document explaining in greater detail what the software is capable of collecting, how it stores the collected information and what is done with the data. At the same time, a blogger filed a Freedom of Information Act request to the FBI to find out what kind of information the law enforcement agency had in regard to the Carrier IQ software agent. The FBI rejected the request, claiming the information is needed in a potential investigation. The Federal Trade Commission then announced it is looking into the complaints about Carrier IQ.
Research In Motion spelled out how Carrier IQ’s IQ Agent can be removed from its devices, while Sprint announced it will stop using the software and will not use any of the data that has been collected.
Researchers found vulnerabilities in Windows Phone and Google Wallet this past week. A WinRumors reader inadvertently uncovered a flaw in Windows Phone that causes the device to disable its entire messaging capability when receiving a maliciously crafted SMS message. And researchers at viaForensics audited the Google Wallet app and service on a rooted Android device and determined the Wallet app is not properly securing sensitive personal information on the device. If the data is somehow intercepted, the attacker will have enough to launch a social engineering attack to obtain the credit card information, researchers said.