If you use any type of mobile device in your day to day life….keep reading. Ignorance can only bring you so far!
Two separate studies of mobile devices have found serious privacy and security issues. One of the studies found that smartphones and tablet PCs can be eavesdropped on when they are being used to make purchases, conduct online banking transactions, or access VPNs (virtual private networks). Another study uncovered a number of ways to break into Apple’s iOS, its operating system for mobile devices. It is likely that cyber criminals will increasingly turn to mobile devices in their attacks as the devices become more and more commonplace in business transactions.
- New security flaws detected in mobile devices (usatoday.com)
- ThreatMetrix Releases Data on Mobile Device Transactions: Will Android Beat iOS on “Mobile Monday”? (prweb.com)
- Online Banking Trends (ally.com)
Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled. The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.
Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability.
This advisory is available at the following link:
- Cisco Security Advisory: Cisco Small Business SRP 500 Series (netsecurityit.wordpress.com)
- Cisco: Multiple Vulnerabilities; ASA 5500, Catalyst 6500 (netsecurityit.wordpress.com)
- Cisco Security Advisory: Cisco NX-OS (netsecurityit.wordpress.com)
- Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers (netsecurityit.wordpress.com)
Safari: Closes 80 Security Holes with version 5.1.4
Apple has released version 5.1.4 of its Safari web browser for Windows and Mac OS X. According to the company, the maintenance and security update addresses more than 80 vulnerabilities. The update also includes includes various stability and performance improvements as well as fixes for other non-security related bugs.
A majority of the security holes closed in 5.1.4 were found in the WebKit browser engine used by Safari. These include several cross-site scripting (XSS), cross-origin and HTTP authentication problems, as well as numerous memory corruption bugs that could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution.
The recent issue, where Google were accused of bypassing Safari’s privacy controls on cookies, also appears to have been addressed. Details of how Apple have fixed this though are not given. A bug in Safari’s Private Browsing mode that allowed page visits to be recorded in the browser history when the mode was active has been fixed.
On Windows systems, the browser update improves domain name validity checking in order to prevent attackers from using look-alike characters in a URL to visually spoof a legitimate domain and direct users to a malicious site – Mac OS X systems were not affected by this issue.
More can be found here: http://www.h-online.com/security/news/item/Safari-update-closes-security-holes-1470595.html
- Apple patches steaming heap of Safari bugs (go.theregister.com)
- Apple patches record number of Safari 5 bugs with monster update (infoworld.com)
- Apple releases Safari 5.1.4 update (applescoop.com)
- Apple Releases Safari 5.1.4 With Speed And Stability Improvements (cultofmac.com)
From SophosLabs: on March 6, 2012
The patch addresses two CVEs in Flash Player, CVE-2012-0768 and CVE-2012-0769, both reported to Adobe by Google researchers.
Chrome users should restart their browser as soon as possible as Google has automatically provided the fix in the latest Chrome update.
CVE-2012-0768 is a memory corruption vulnerability that could lead to remote code execution by exploiting a flaw in Matrix3D.
CVE-2012-0769 is an information disclosure vulnerability as a result of integer errors in Flash Player.
As always we recommend deploying these updates as soon as possible. While we do not have any evidence of these flaws being exploited in the wild, past patterns indicate it won’t be long.
- Adobe Patches Flash Player for Second Time in 20 Days (pcworld.com)
- Adobe patches Flash Player for second time in 20 days (infoworld.com)
- Google patches 14 Chrome bugs, pays record $47K in bounties and bonuses (macworld.com)
- Important BlackBerry Tablet OS Update: Includes Fix for Adobe Flash Player (blogs.blackberry.com)