Last week, critical security bugs were addressed with Apple-and Microsoft-issued updates, while HP scrambled to warn users about ProCurve switches shipped with malware. Here's a look at the security landscape for April 9-13.
HP Ships Malware Laden Flashcards: Last week, HP warned its users that some of its ProCurve switches, version 5400, shipped with malware-infected flash cards, which could potentially compromise users' systems if an infected flashcard were reused in their PC, according to HP's security advisory.
HP was scarce on details regarding what kind of malware the switches contained or how it could affect user's PCs, but recommended that users address the problem with one of two options: a software purge option that required users to download a script provided by the company designed to rid the flashcard of malware or a hardware replacement option that enabled users to address the issue by replacing the management module.
Apple Launches Flashback Tool: Weeks after the notorious Flashback Trojan ran amok on the Mac OS X platform, Apple has finally issued a removal tool, which eradicates the most common variants of the Trojan, according to an Apple security advisory. The update comes as Java SE 6 version 1.6.0_31 for OS X Lion 2012-003 and “supersedes all previous versions of Java for OS X Lion,” according to Apple.
Specifically, the tool automatically disables Java applets by default on all machines running Mac OS Lion. (The update does not automatically disable Java in the browser on Snow Leopard, although it still contains the Flashback removal software). However OS Lion users can easily re-enable Java applets with the Java Preferences application if they need to run the application for online banking sites, among others. Java applets will again be disabled automatically if no applets are run for an “extended period of time,” Apple said.
The update fulfills a pledge Cupertino made the previous week to issue a fix for the notorious, and history-making, Flashback Trojan, which has run rampant on users Macs over the last two months, infecting at one time more than 600,000 machines.
Microsoft Issues Critical Fixes In April Patch Tuesday: Last week, Microsoft fixed 11 vulnerabilities with six patches—four of which were given the highest severity ranking of “critical”—included in its April Patch Tuesday security bulletin. Altogether, the patch repaired gaping security holes in Internet Explorer, Windows, .Net framework, Forefront Unified Access Gateway, Windows Common Controls and Microsoft Office.
For users who absolutely needed to prioritize the patches, Microsoft recommended first deploying the comprehensive fix for Internet Explorer, which plugged a total of five security holes, the most severe of which could enable remote code execution if an attacker lured victims to a malicious Web page or enticed them to open an infected link running on IE. Microsoft also advised users to administer the critical update for Windows Common Controls, which repairs a vulnerability that could also plague users with malware if they were to visit an infected Website, click on an infected link delivered over e-mail or Instant Messenger, or open an infected attachment, typically through some kind of social engineering scheme.
Microsoft also informed its users that it planned to discontinue support for its XP platform by 2014. In recent years the aging OS has become more vulnerable and has been the target of a slew of zero-day attacks.