Apple Issues Updated Security Fix. Apple released another version of the security patch it distributed on March 13 to users of its OS X operating system software, in order to address a problem reported with the update. The company said it distributed the new patch, dubbed Update 2006-002 v1.1, in order to fix an issue with Apple’s Safari Web browser that some users observed after installing its 2006-002 security update. According to a post on the company’s Web site, the previous update had caused some Safari users to have problems launching the browser. [OSNews]
Archive | Security
Security is not a feature; it’s a process. Notes on issues, patches and essays on security.
Flash vulnerability
Computerworld News reports Adobe fixes critical Flash vulnerabilities. “Adobe Systems Inc. [who bought Macromedia last year — Ted] has patched a number of critical vulnerabilities in its Flash media player that could be used by attackers to take over an affected system.”
Get patching! Details at http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html
McAfee quarantines files incorrectly
From Slashdot: McAfee Anti-Virus Causes Widespread File Damage. AJ Mexico writes, “[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational. Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files.” An anonymous reader added, “Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups… or?) or System restore.”
News.com: McAfee update exterminates Excel
Diebold gets the boot from Maryland’s elections
Computerworld News reports Maryland House votes to oust Diebold machines. “Maryland’s House of Delegates voted 137-0 to replace the state’s Diebold voting machines, valued at $90 million, until the manufacturer adds the ability to create a paper trail of votes.” Good. Send a clear message to vendors: closed-source, unauditable vote counting is unacceptable.
Patch Tuesday coming with few patches
Computerworld News reports Microsoft to issue one critical patch Tuesday. “In its monthly patch release next Tuesday, Microsoft Corp. said it will issue one critical security bulletin concerning the Office suite and one bulletin on Windows that is rated important.”
Later on in the article, they explain, “Microsoft will distribute its updated version of the Windows Malicious Software Removal Tool via Windows Update, Microsoft Update, Windows Server Update Services and the Download Center… There will also be one non-security High-Priority Update on Microsoft Update and Windows Server Update Services. There won’t be any non-security High-Priority Updates for Windows coming over Windows Update or Software Update Services.” Well, that certainly clears things up.
IE and Firefox both the least secure. And the most.
Computerworld News reports After flap, Symantec adjusts browser bug count. “A report issued today by Symantec Corp. features two different ways of counting browser bugs: one that finds IE has the most vulnerabilities, another that indicates Firefox is the bug-leader.”
So, there! That ought to settle the issue once and for all. Lies, damned lies, statistics and bug counts.
Stealing Your Biometrics
InfoWorld: Top News is reporting Researcher hacks Microsoft Fingerprint Reader.
(InfoWorld) – “Never mind worrying about hackers stealing your password. A security researcher with the Finnish military has shown how they could steal your fingerprint, by taking advantage of an omission in Microsoft’s Fingerprint Reader, a PC authentication device that Microsoft has been shipping since September 2004.”
When you lose your password, you can get it reset. When your credit card shows suspicious activity, you can get a new and different one. What happens when your fingerprints are stolen?
MonadLUG 9 March: Bill Stearns and ssh
Guy Pardoe, MonadLUG Coordinator, announces their March 9th meeting:
The next meeting of the Monadnock Linux User Group (MonadLUG) will be Thursday, March 9th, 7:00pm, at the SAU 1 Superintendent’s Office behind South Meadow School in Peterborough.
SSH Operations and Techniques – Bill Stearns
SSH is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is a replacement for rlogin, rsh, rcp, and rdist. It protects a network from attacks such as IP spoofing, IP source routing, and DNS spoofing.
*****************
Directions: The SAU 1 Superintendent of Schools office is directly behind the South Meadow School. From downtown Peterborough, travel north on route 202 approximately 2 1/2 miles. Look for a white sign on the left “SAU 1 Superintendent of Schools Office.” The entrance is on the left, just before South Meadow School, and across the street from Sims Press. Follow the drive up towards the dumpsters where there is ample parking. Come down the stairs to the set of doors on your right. Enter through the double set of doors and turn left… straight into the board room.
Or check the link to Google maps to see our location:
http://wiki.gnhlug.org/twiki2/bin/view/Www/OurChapters#monadlug
OS X Monthly Security Updates
The SANS Institute Internet Storm Center points out Apple’s Monthly OS X Security Patch with goodies for everyone, including patches that address recent Safari issues and the flaw in Launch Services that allowed “safe” file types to launch unsafe executables. Get patching!
Apple ships new Mac Minis
OSNews points to two articles that juxtapose in a Point-CounterPoint fashion. What I read: in the first piece, the author is desperately trying to prove that Windows sucks less than before. Bugs are fixed. Bad driver models replaced. Security is tightened. This is incremental improvement, laudable, expected, but not compelling, and not worth the cost of the update, nor the incredibly long wait. Microsoft themselves have admitted that Vista sales will come through the purchase of new machines, not upgrades. This isn’t market choice, it’s monopolistic behavior.
The second article argues that Vista is a mess, and I agree. It’s not an operating system, it’s a software bundle that includes yet another incompatible operating system kernel, a new GUI engine and interface, and new half-apps (bundled applications with the good features removed).
It’s funny. In some ways, I see a parallel between Microsoft shipping this huge bunch of stuff (Media Players, backup software, networking, GUI, web browser, game subsystem, kernel) and cable TV providers shipping bundles of cable channels. Each insists it would be too hard or expensive to unbundle and provide the customer with a la carte choice. Each backs this up with some pretty questionable claims.
It’s about choice.
Why Windows Vista Won’t Suck. “There’s a lot of confusion about Windows Vista these days. Many online discussion forums have a great number of users who express no desire to upgrade to Vista. Sure, we’ve all seen the screenshots and maybe a video or two of Vista in action, but for many it only seems like new tricks for an old dog. Yeah, it’s got some fancy 3D effects in the interface, but OS X has been doing that for years now, and it’s still Windows underneath, right? The sentiment seems to be that Vista is another Windows ME. Perhaps part of the problem is that people just don’t know what Vista has in store for them.”
Also from OSNews, Why Windows Needs to Go Back to Basics. “Once upon a time, operating systems managed the resources of computers, and that was about it. But after the PC revolution, most software makers started subscribing to the theory that bigger means better. But does it?”