Software Patches, Nortel, User Privacy Top Week's Security News

Practically everyone had a software update this week, as enterprises reeled from the revelation that Nortel had intruders monitoring its communications for almost a decade

Patches were on every administrator's mind this week, as Microsoft, Adobe, Google, Oracle and Mozilla all released security updates. Microsoft fixed 21 vulnerabilities, of which XXX was critical, as part of its February Patch Tuesday. This month's patches were unusual in the number of vulnerabilities fixed in newer versions of Internet Explorer and Windows.

Adobe released security updates over two days. On the first day, the company addressed vulnerabilities in its Shockwave Player and a help authoring tool. The company followed up with another update to Flash Player, and disclosed that one of the critical bugs fixed was already being exploited in the wild. The company didn't provide much detail or mitigation advice about the zero-day, other than to disclose the fact that it was being used in targeted attacks against Internet Explorer users on Windows.

"It sure would have been nice if Adobe bundled all their patches together," said Andrew Storms, director of security operations for nCircle.

Google updated its Chrome Web browser to include the patched Flash Player plug-in, and went ahead and fixed a serious flaw in the libpng library that could be remotely exploited. Mozilla followed suit two days later to fix the same bug in Firefox and Thunderbird.

Oracle fixed 14 security vulnerabilities in its Java Runtime Environment, of which five were rated critical.

The Wall Street Journal reported this week that cyber-attackers had breached Nortel Networks as early as 2000, and had remained in the environment for nearly a decade eavesdropping on emails and downloading files containing sensitive and proprietary data. A former Nortel employee disclosed how the intruders had used login credentials stolen by seven senior executives. It was likely that this kind of breach was occurring at other organizations but weren't being disclosed.

Congress asked Apple to clarify its stance on its iOS developer framework after reports emerged of iOS applications that were uploading and storing user contacts from mobile devices and storing it without informing users. It turned out a number of iOS apps were guilty of this practice. Apple has promised to update its privacy policy and framework to require developers to explicitly collect user consent.

On the positive side for user privacy, Twitter joined Google in the very exclusive HTTPS-enabled-by-default club. The micro-blogging site had rolled out the option to allow users to access via an encrypted connection last year, but had kept it off by default. The company decided to turn on the setting for all users to ensure the traffic is encrypted at all times.

Mozilla warned that issuing subordinate root certificates to customers to be used to eavesdrop on encrypted Secure Socket Layer (SSL) traffic would not be tolerated. Mozilla released a draft of a letter that it plans to send to all the certificate authorities in its trusted root list informing them that they have two months to make sure they are not engaged in this kind of a practice. The letter was prompted by Trustwave's disclosure last week that it had issued one such certificate to a customer, but had revoked it voluntarily.