Skip to Content
 > TRU Home > Information Technology Services > Information Security > Alerts
Security Updates Available for Adobe Flash Player

Adobe has released security updates for Adobe Flash Player
11.7.700.169 and earlier versions for Windows and Macintosh, Adobe
Flash Player and earlier versions for Linux, Adobe Flash
Player and earlier versions for Android 4.x, and Adobe
Flash Player and earlier versions for Android 3.x and
2.x. These updates address memory corruption vulnerabilities that
could cause a crash and potentially allow an attacker to take control
of the affected system.
Adobe recommends users update their product installations to the latest versions.

Security Updates Available for Adobe Reader and Acrobat 

Adobe has released security updates for Adobe Reader and Acrobat XI
(11.0.02) and earlier versions for Windows and Macintosh, and Adobe

Reader 9.5.4 and earlier 9.x versions for Linux. These updates
address vulnerabilities that could cause a crash and potentially
allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions.

Mozilla Releases Firefox 21, Fixes Eight Security Issues

Mozilla released Firefox 21 today for Mac, Windows, and Linux as well
as Android. The release fixes eight security issues, with three rated
Critical and four rated High:
MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-43 File input control has access to full path
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

Firefox 21 brings several new features, including three "Do Not
Track" options, Firefox Health Report, startup suggestions to help
users improve performance, and an expanded Social API [1].
[1] Firefox Release Notes

Microsoft "Fix it" Available to Mitigate Internet Explorer 8 Vulnerability 

Microsoft has updated Security Advisory 2847140 [1] to include a "Fix

it" mitigation for the Internet Explorer 8 zero-day vulnerability
that was first discovered on a compromised sub-site of the US

Department of Labor. The "Fix it", which does not requre a reboot,
makes a "small change" to mshtml.dll whenever IE is loaded. Microsoft
says that a full update to close the hole is currently being tested,
and Microsoft hopes to release that tomorrow in its scheduled patches
on Tuesday, May 14 [2].  

[1] "Microsoft Releases Security Advisory for Vulnerability in IE
Used in DoL Attack Last Week", Daily Watch Report, 05/06/2013.
[2] Advance Notification Service for the May 2013 Security Bulletin Release

Security Updates Available for Adobe Flash Player

Adobe released updates today to address four flaws in Adobe's Flash
Player, which could could cause a crash and potentially allow an
attacker to take control of the affected system. The advisory notes
that an integer overflow (CVE-2013-2555) vulnerability and three
memory corruption (CVE-2013-1378, CVE-2013-1380, and CVE-2013-1379)
issues were all fixed in the update to version 11.7.700.169 on

Windows and Mac OS X.

Adobe Flash Player 11.6.602.180 installed with Google Chrome will
automatically be updated to the latest Google Chrome version, which
will include Adobe Flash Player 11.7.700.179 for Windows and
11.7.700.169 for Macintosh and Linux. Adobe Flash Player 11.6.602.180
installed with Internet Explorer 10 will automatically be updated to
the latest Internet Explorer 10 version, which will include Adobe
Flash Player 11.7.700.169 for Windows 8 [1].

There are also updates for the Linux version (, the
Android 4.x version ( and the version for Android 3.x/2.x
( and an update for Adobe AIR, to version, on
all platforms.

[1] Microsoft Security Advisory (2755801): Update for Vulnerabilitiesin Adobe Flash Player in Internet Explorer 10

Security Update Available for Adobe Shockwave Player

Adobe has released a security update for Adobe Shockwave Player and earlier versions on the Windows and Macintosh
operating systems. This update addresses buffer overflow

(CVE-2013-1383), memory corruption (CVE-2013-1384, CVE-2013-1386),
and memory leakage (CVE-2013-1385) vulnerabilities that could allow
an attacker, who successfully exploits these vulnerabilities, to run
malicious code on the affected system. Adobe recommends users of
Adobe Shockwave Player and earlier versions update to
Adobe Shockwave Player

Oracle Updates Java to Address CVE-2013-1493, More Vulnerabilities Reported

Oracle released update 17 for Java 7 and update 43 for Java 6 today
to address security issue CVE-2013-1493 and CVE-2013-0809, which are
both remotely exploitable without authentication [1] and have CVSS

Base Scores of 10.0. One of these vulnerabilities (CVE-2013-1493) has
recently been reported as being actively exploited by attackers to
maliciously install the McRat executable onto unsuspecting users'
machines. "Due to the severity of these vulnerabilities, and the
reported exploitation of CVE-2013-1493 'in the wild', Oracle strongly
recommends that customers apply the updates provided by this Security
Alert as soon as possible."
This update comes after Polish security firm Security Explorations
sent a vulnerability notice and Proof of Concept code to Oracle a
week ago for two issues affecting Java Updates 11 and 15 [2].

Security Explorations, however, is not listed in the credit statement
of the advisory, indicating the vulnerabilities they found still
exist. According to Security Explorations' vendors status page [3],
one of those issues (Issue 54) was recently denied by Oracle while
the other (Issue 55) was confirmed. The page also notes that today
the company sent another vulnerability notice and Proof of Concept
code to Oracle for five new issues (Issues 55-60).

[1] Oracle Security Alert for CVE-2013-1493

[2] "New Java Flaws Reported to Oracle", Daily Watch Report, 02/25/2013.
[3] SE-2012-01 Vendors status

See also:
Prompted by Oracle Rejection, Researcher Finds Five New Java Sandbox Vulnerabilities

Yahoo Vulnerability Allows Attackers to Hijack Accounts  

Brian Krebs reported a zero-day vulnerability in that lets

attackers hijack Yahoo! email accounts and redirect users to
malicious Web sites. The exploit, being sold for $700 by an Egyptian
hacker on an exclusive cybercrime forum, targets a cross-site
scripting (XSS) weakness in that allows attackers steal
cookies from Yahoo! Webmail users. Such a flaw would let attackers
send or read email from the victim's account.

The hacker posted a video to demonstrate the exploit. Krebs alerted
Yahoo! to the vulnerability, and the company says it is responding to
the issue. Ramses Martinez, director of security at Yahoo!, said the
challenge now is working out the exact URL that triggers
the exploit, which is difficult to discern from watching the video.

Millions of Home Networks Infected by ZeroAccess Botnet

A report [1] from network-based security and analytics vendor
Kindsight says that 2.2 million home networks were infected with the
ZeroAccess botnet in Q3 2012. This infection rate means that
advertisers are losing almost one million dollars a day due to click
fraud generated by the botnet, the report adds.
Kindsight's report mirrors the findings from SophosLabs' technical
report on ZeroAccess[2] and geographic data released by F-Secure [3],
in that some 2.2 million systems in North America were infected by
ZeroAccess in Q3 2012, or 1 in 25 home networks. Given that click
fraud is one of the botnet's functions, Kindsight estimates that it
could be costing advertisers $900,000 per day.

[1] Kindsight Security Labs Malware Report - Q3 2012 [PDF]

[2] The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain

[3] The United States of ZeroAccess

LinkedIn is a Hacker's Dream Tool

This article discusses a hot topic at RSA's security conference last
month, citing one case study in which "self-described 'hacker for
hire' Ryan O'Horo demonstrated how he used LinkedIn to get inside a
client's corporate network....O'Horo created a fake account on
LinkedIn, posing as a company employee. He stocked the profile with
realistic details - a plausible job history and skill set - plus a
few credibility-establishing flourishes like a membership in a local
hockey league. From his dummy account, O'Horo sent out 300 connection
requests to current company employees. Sixty-six were accepted.
Next, O'Horo requested access to a private LinkedIn discussion forum
the company's employees had created. The group's moderators granted
his request without ever checking a company directory to confirm his
identity. 'Now I had an audience of 1,000 company employees,' O'Horo
said. 'I posted a link to the group wall that purported to be a beta
test sign-up page for a new project. In two days, I got 87 hits - 40%
from inside the corporate network.'"

Attempts to Spread Mobile Malware in Tweets   

Symantec reports that tweeting is proving a popular method to direct users to the
Android.Opfake malware. This post "describes a series of Russian and
English-language tweets discussing software, mobile devices and dieting
topics containing links to sites distributing the Opfake malware. One Twitter
campaign identified by researchers sent over 130,000 malicious tweets from
100 accounts. Several of the Twitter accounts have since been suspended and
Symantec said it is working with Twitter to disable accounts that are sending
out malicious links"[1].  
[1]Cybercriminals Peddling Android Malware Through Twitter
TIPS: Tricks for upgrading your Android phone

The affected Android builds expose 802.1X passwords to applications on the phones that have permission to access the Wi-Fi state of the phone. The flaw doesn't allow access to the 802.1X settings themselves, it does allow viewing Wi-Fi credentials, according to a description of the flaw at the My War With Entropy blog by Bret Jordan.
So an application could gain access to stored SSIDs of Wi-Fi networks, user names and passwords. If the application also has Internet-access privileges, it could send along the stolen credentials to attackers.
If the stolen credentials are for corporate networks, they could be used to target data on those business networks, Jordan writes.

According to US-CERT, affected phones are:
• Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
• Glacier - Version FRG83
• Droid Incredible - Version FRF91
• Thunderbolt 4G - Version FRG83D
• Sensation Z710e - Version GRI40
• Sensation 4G - Version GRI40
• Desire S - Version GRI40
• EVO 3D - Version GRI40
• EVO 4G - Version GRI40

HTC and Google were told about the flaw last September and have been working to fix the problem and arrange for public disclosure. Jordan describes the companies as responsive and good to work with.

Facebook privacy: Uncovering 5 important settings

Facebook Pwn tool takes profile info, helps social engineers

A group of security researchers based in Egypt have created a tool that will make social engineering easier because it automates the collection of hidden Facebook profile data that is otherwise only accessible to friends in a user's network. Read More

Another Rash of "Who is Stalking Your Profile" Scams on Facebook

Social Networking Scams:

'Enable Dislike Button' scam spreading on Facebook

"Why are you tagged in this video?" Facebook Scam

"Visit the New Facebook" Scam

The top 50 passwords you should never use