The perils of patching in the cloud

Cloud computing is supposed to be the way to go, right? When there’s a new version of a program, there’s no need to patch a hundred million PCs, you only have to patch one copy of the app, up there in the cloud, right?

Wrong.

Adobe’s in a patching mood, too

As if we didn’t have our hands full with a record number of Microsoft Security Bulletins, Adobe’s gotten its patching into high gear.

The Adobe Flash patch is something to be concerned about – it covers six separately identified security holes in Flash. I’ll be watching it closely over the next few days, and advise you when it’s safe to patch.

The anticipated massive mess of patches

Microsoft’s mess of patches is out. For now, I don’t see any reason to pull a chicken little and install any of ‘em. There’s yet another huge Internet Explorer update, plus (you’ll be happy to hear) yet another .NET patch.

Details on the SANS Internet Storm Center.

We’re still at MS-DEFCON 2. Let the pioneers get the arrows in their backs. None of the major holes are being exploited right now. Keep your cool.

MS-DEFCON 2: Lock ‘em down

With fourteen Security Bulletins around the corner, now’s a VERY good time to check and make sure you have automatic updates turned off. Follow the instructions in any of my books to turn it off, and wait for the all-clear.

It’s going to be a bloody Tuesday.

I’m moving to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

P .NE. NP proof?

If you don’t understand the heading, don’t bother.

One of the great unsolved propositions in Computer Science, known as “P equals NP,” may have been solved. Vinay Deolalikar at HP labs claims on his site:

P is not equal to NP. 6th August, 2010 (66 pages 10pt, 102 pages 12pt). Manuscript sent on 6th August to several leading researchers in various areas. Confirmations began arriving 8th August early morning. Final version of the paper to be posted here shortly. Stay tuned.

It might be a hoax, and the proof may have holes, but it seems by all accounts to be a genuine attempt at a proof, from someone who certainly knows his stuff.

The first draft of the paper is on Scribd.

For a layman’s description of P = NP, see the Wikipedia article.

New Windows 0day in CreateDIBPalette()

I’ve seen several reports of a new 0day hole in Windows, which seems to affect all versions from XP SP3 to Win7.

Original posting is by someone who calls him(her?)self Arkon.

Best overview I’ve seen is on Secunia’s site.

No CVE number as yet, and it hasn’t appeared on SANS ISC, but this sounds like the genuine article.

Stay tuned….

Oy gevalt! 14 security bulletings coming

It’s a record – and not a good one.

MS advises that it has 14 security bulletins, patching 34 separately identified security holes, coming on August’s Black Tuesday.

Get patched up now, OK? Heaven only knows when the coast will be clear again…

MS-DEFCON 4: Get patched now

The July Black Tuesday patches have come and gone, and they’re not too bad.

Now’s a good time to get patched up. I recommend that you apply all outstanding Microsoft patches, then make sure you have Automatic Update turned off in anticipation of next week’s onslaught.

Those of you with Windows XP Service Pack 2 or Windows 2000, or if you use ESET NOD32 antivirus, please note the blog entry below. You’ve got some interesting times ahead.

I’m moving us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

UPDATE: Sorry, I should’ve made it more clear. Yes, I’m recommending that you go ahead, throw up your hands and give in to the offered .NET patches. I don’t think there’s any chance MS is going to fix any of them from this point – so patch ‘em and brace yourself for the next round.