Newsletter Archives

  • New third party program updates

    Randy the Tech Professor has a list of the latest versions of important programs that you may be running:

    Chrome, Java, Opera, Foxit, Skype, Flash Player, Acrobat Reader.

    Here’s Randy’s listing.

  • 0day attack in Adobe Reader – again

    Yet another 0day PDF attack is making the rounds. If you open an infected PDF file, and you’re using Adobe Acrobat Reader, your PC can get taken over.

    Adobe confirms that 0day, but doesn’t offer much help. SANS Internet Storm Center is following the outbreak in real time.

    The sky isn’t falling, but you shouldn’t open a PDF file attached to an inbound email message unless you’ve written to the sender and confirmed that they intended to send you a PDF. Even then you shouldn’t open it unless you trust the sender to be savvy enough to not be spreading around infected files.

    No word yet on whether Foxit is similarly afflicted. (Many of you know that I don’t put Adobe Reader on my machines; I only use Foxit.)

  • Ten bulletins, 31 patches, a million potential problems

    There’s a huge crop of patches waiting for you, covering 31 separate vulnerabilities, and I dunno-how-many different downloads.

    As usual, the best overview is at the SANS Internet Storm Center.

    Bottom line (tell me if you’ve heard this one before): don’t use Internet Explorer. Apparently none of the bad problems (except the ones in IE) have exploits that you need to worry about. Don’t apply any patches until the screams have subsided.

    We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Oh. Don’t forget to patch Acrobat Reader, if you have it. Adobe just fixed 13 security holes in Reader. You could take advantage of the unease you’re feeling right now and install Foxit reader, which works just fine most of the time and has a significantly better track record for fixing security holes.

    An interesting note: several of you have asked how Microsoft and industry pundits count the number of bugs: Gregg Keizer at ComputerWorld reports, for example, that this monster set of patches fixes 31 security holes – a record, by his estimation. Brian Krebs at the Washington Post echoes the statement. Brian credits Symantec.

    All of these people are counting the number of CVEs that Microsoft claims to fix in the security bulletins. CVEs are “Common Vulnerabilities and Exposures” listed and maintained by the MITRE organization, which is an independent non-profit originally associated with MIT. Each CVE number corresponds to one or more identified security holes. While the CVE count is a better indicator of how many holes have been patched than the number of security bulletins, it frequently doesn’t differentiate between different versions of programs, and other subtleties.