If It’s Thursday, It Must Be Time To Patch Flash

If you watch YouTube videos or read PDF files, you’re gonna want to pay attention.

After attacks, Adobe fixes Flash bug

Less than a week after fielding reports that hackers were targeting a bug in its Flash Player software, Adobe Systems has rushed out a fix for the problem.

Adobe’s new 10.1 Flash update, released Thursday, fixed a bug that was first spotted via a small number of targeted attacks late last week.

According to Symantec, these Flash attacks are still not widespread, but users should update their Flash software as soon as possible. “We have been seeing a small but steady rise in detections of related malicious PDFs and we expect to continue to see these numbers increase over the coming hours and days,” the security vendor said in a statement.

Criminals have been exploiting the flaw using malicious Flash swf files, which are typically opened by the Web browser’s Flash Player plugin, or via PDFs that have maliciously encoded Flash components embedded inside them, Adobe said Thursday. Those malicious PDFs are typically opened by Reader or Acrobat, which include their own versions of Flash Player that have not yet been patched. That fix is due June 29.

Thursday’s update includes an unusually large number of security bug-fixes, 32 in all. “It’s a huge number of bugs fixed, something along the lines of what we’d expect of Apple,” said Andrew Storms, director of security operations with nCircle Network Security.

Adobe’s Flash and Reader software have emerged as prime hacking targets in the past year, and the company is toying with the idea of releasing more frequent security updates to keep pace.

See also:
Adobe Flash Player version 10.1
Exploit for new Flash vulnerability spreading fast
Adobe releases Flash 10.1 and patch bundle
Adobe Issues Massive Flash Security Update
Adobe plugs 32 security holes in ‘critical’ Flash Player patch
Adobe Issues Security Patch
Adobe Flash Player 10.1 released for Windows, Mac, Linux
Adobe debuts What Jobs Hates™ v10.1
Adobe Releases Flash Player 10.1, AIR 2
Adobe releases Flash Player 10.1 for Mac
Adobe Reader 9.3
Adobe Systems

Be careful, the Flash update tries to install Google Toolbar by default. So, unless you want Google Toolbar, make sure you uncheck the box for Google Toolbar before you hit the install button. If Google Toolbar gets mistakenly installed, you can always uninstall it using Control Panel/Add or Remove Programs.

/damn, I hate it when software vendors try and tack on unrelated, third party software by default to the software download you actually want to install

The Chinese Are Dying To Make Your IPad

Welcome to China, where life is cheap and they literally work their labor to death to produce goods for Western consumption.

No respite for troubled Foxconn after fresh suicide bid

The tragic saga of young people taking their own lives at the Foxconn electronics factory goes on, after a 25-year-old employee surnamed Chen tried to kill himself by slashing his wrists.

The Hunan native, who had been working at Foxconn since March, received medical attention in time to save his life.

Mr Chen’s attempted suicide came after a 23-year-old migrant worker from the far western province of Gansu died after jumping from the seventh-floor balcony of his dormitory, according to the official Xinhua News Agency.

The tragic events are making people think about the real cost of their iPads, laptops and mobile phones.

There have been 10 deaths out of 13 suicide attempts at the plant, which employs over 300,000 people, since January, and Foxconn’s main clients, fearful of the fallout from the suicide crisis, are asking why this is happening.

Both Dell and Hewlett-Packard have said they were looking into conditions at Foxconn, one day after Apple said it was upset by the deaths and was also investigating the situation.

Apple said it is “deeply committed to ensuring that conditions throughout our supply chain are safe and workers are treated with respect and dignity.” The suicide crisis worsened just hours after chief executive Terry Guo personally showed journalists around the plant in a bid to repair the company’s image, which has been badly hit by the wave of suicides.

See also:
13th Foxconn worker reportedly attempts suicide
Still more Foxconn jumpers, including a double suicide?
The Foxconn Suicides
Tenth apparent suicide at Foxconn iPhone factory in China
Two more suicide bids at Apple factory
Foxconn suicide sparks China probe
IPhones and suicides
Foxconn woes have U.S. ripple effects
Another Suicide Hits Foxconn
Foxconn sees 12th Jumper and 10th suicide
The Underside of Apple’s Chinese Manufacturing
Foxconn Technology Group
Foxconn

As much as we enjoy our cheap consumer electronics, it seems that the Chinese laborers inversely don’t enjoy assembling them. Are the cost savings worth the lives lost and the human misery inflicted?

/tolerable Chinese labor conditions, is there an app for that?

Patchapalooza Tuesday

It’s a triple witching day for computer patches.

Microsoft, Adobe, and Oracle Patch Nearly 100 Vulnerabilities

It’s a busy day for IT administrators and information security professionals. Not only is today Microsoft’s Patch Tuesday for the month of April, it is also the day of Adobe’s quarterly security updates. In total, there are 40 vulnerabilities being addressed today, many of them rated as critical and exposing systems to potential remote exploits.

Microsoft Patch Tuesday

A Microsoft spokesperson e-mailed the following: “Today, as part of its routine monthly security update cycle, Microsoft is releasing 11 security bulletins to address 25 vulnerabilities: five rated Critical, five rated Important and one rated Moderate. This month’s release affects Windows, Microsoft Office, and Microsoft Exchange. Additionally, the Malicious Software Removal Tool (MSRT) was updated to include Win32/Magania.”

Qualys CTO Wolfgang Kandek noted in his blog post: “Microsoft’s patch release for April contains 11 bulletins covering 25 vulnerabilities. The bulletins address a wide array of operating systems and software packages; IT administrators with a good inventory of their installed base will have an easier time evaluating which machines need patches.”

“The critical Microsoft WinVerifyTrust signature validation vulnerability can be used to really enhance social engineering efforts,” said Joshua Talbot, security intelligence manager, Symantec Security Response in an e-mailed statement. “Targeted attacks are popular and since social engineering plays such a large role in them, plan on seeing exploits developed for this vulnerability.”

Talbot continued: “It allows an attacker to fool Windows into thinking that a malicious program was created by a legitimate vendor. If a user begins to download an application and they see the Windows notification telling them who created it, they might think twice before proceeding if it’s from an unfamiliar source. This vulnerability allows an attacker to force Windows to report to the user that the application was created by any vendor the attacker chooses to impersonate.”

Andrew Storms, director of security operations for nCircle, offered this analysis: “More movies and more malware: that’s what we’ve got to look forward to on the Internet. Microsoft is patching critical bugs in Windows Media Player and DirectShow this month; both of these bugs lend themselves to online video malware. If you put these fixes together with Apple’s recent patch of QuickTime, it’s pretty obvious that attackers are finding a lot of victims through video.”

nCircle’s Tyler Reguly points out that there is also a greater message to be learned from the patches. “As an avid Windows XP user, I’m leaning more and more towards making the jump to Windows 7; with the added security it just makes sense. Looking at the top two vulnerabilities (MS10-027 and MS10-026), my Windows XP systems are vulnerable to both, yet my Windows 7 laptop isn’t affected by either of them. The newer operating system just makes sense.”

Adobe Quarterly Update

As if eleven security bulletins fixing 25 different vulnerabilities wasn’t enough, IT administrators must also address the critical updates released today from Adobe. nCircle’s Storms points out that “Every one of the 15 bugs can be used for remote code execution. Given the increase in the number of attacks that use Adobe PDF files, all users are strongly urged to upgrade immediately.”

Storms added: “In stark contrast to Microsoft’s patch process, Adobe’s security bulletin information lacks details, especially critical information about potential workarounds. For enterprises that have a long test cycle, it can take weeks or even months to roll out updates. With no workaround information, Adobe leaves their enterprise customers vulnerable and security teams everywhere frustrated and annoyed.”

Andrew Brandt, lead threat research analyst with Webroot, warns: “What’s more, they should be aware that Foxit Reader (which also reads PDFs) is actually more vulnerable.”

It is also worth noting that Adobe has rolled out its new update system which it has been beta testing over the past couple of months. Users can now configure Adobe software to automatically install updates, enabling security patches to be applied without requiring any user intervention.

Don’t Forget Oracle

Wait, there’s more! Not wanting to be left out of the patch day festivities, Oracle has also unleashed its own deluge of updates, more than Microsoft and Adobe combined.

There is a little bit of good news, though. Very few organizations will actually be impacted by every single one of the disclosed vulnerabilities. Qualys’ Kandek points out “This is a big release for Microsoft, addressing a wide selection of software. IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins.”

The same logic holds true for Oracle and, to a lesser extent, Adobe, although Adobe Reader is fairly ubiquitous. Have fun!

See also:
Microsoft, Adobe, Oracle offer fixes in big Patch Tuesday
Patch Tuesday: Microsoft safeguards video, Adobe secures PDFs
Microsoft Patch Tuesday Fixes 5 Critical Flaws
Microsoft Targets Media Flaws In April Patches
Microsoft blocks ‘movies-to-malware’ attacks
Microsoft Releases Multiple Updates; Vista SP0 Support Ends
Microsoft Security Bulletin Summary for April 2010
New Adobe Auto-Updater Debuts On Super (Patch) Tuesday
Adobe Patches Acrobat/Reader Vulnerabilities, Updates on Updating
Security update available for Adobe Reader and Acrobat

/so, you know the drill people, get busy downloading those patches, hope you’re not on dial up!

Pardon Me While I Cringe

Just in case you ever wondered why Apple has always enjoyed that “cool kid” aura compared to Microsoft, well, here’s why.

Microsoft employees assault customers (with a dance)

Spontaneity doesn’t come naturally to everyone. Neither is it welcomed by everyone.

So please imagine how those who visited the new Microsoft store in Mission Viejo, Calif., a few days back must have felt when store employees suddenly decided to drop their trousers, wave their Zunes in the air, and sing a couple of Maria Callas’ greatest hits.

No, it really wasn’t quite like that. However, I feel sure that one or two people might have preferred the trouser-dropping and Zune-waving over the spectacle that actually occurred.

As the Black Eyed Peas were forced to propel some of their entirely commercial stimulation down the sound system, the employees performed their own version of the line dance for the one-legged. Because I am consumer-focused at every moment of my waking day, I found myself concentrating more on the reactions of the customers than on the techniques Spike Jonze might have used to make this an MTV VMA winner.

As the employees line up for this troubling, tourettesy Texas One-Step, one already feels a strange squeezing sensation on behalf of some of the customers.

Around the 1.15 mark, a little girl, her hair ponytailed with a yellow scrunchy, makes as if her vicinity has not been invaded by dancing, clapping, or stray employee sweat. She sits. She stares into her screen. The adults make fools of themselves.

Yes, this is the Microsoft store version of “The Ice Storm.”

Two minutes of constricting visual constipation are temporarily saved by three ladies who rush in from the mall to join in. These women, their purses held in place by a determined gravity, begin to show the employees just why Fergie’s tunes are precursors to a fiery personal life.

Look, I’m lying. But they are definitely better than the tall, blond string bean of a chap whose twisted movements are rather too similar to those of certain people who bought Vista and couldn’t make it work.

I want to like this microcosmic flash mob of dance. I really do. However, once the balding chap holding the Brookstone bag joins the shifting knee-lifting, I find myself searching again for the little ponytailed girl staring into a very fine PC. She has not turned her neck one degree to observe these escapees from reality. She seems to have decided that this is not Miley Cyrus, this is not even Cyrus Vance, ergo this is not happening.

But it did happen, spontaneously, in Mission Viejo. That’s the place where the mission is old, right?

See also:
Hey, Microsoft: Please Stop Trying So Hard
Microsoft Dances Its Way Into Shoppers’ Hearts
Lines Of Code? No, Line Dancing, Microsoft Style
I never want to visit a Microsoft Store after seeing this
Microsoft Reduces Store Employees to Dancing Fools
Microsoft Store Employees Cruelly Forced To Dance For The Internet
Microsoft Retail Store Employees Break Out Into Dance And It’s Really Creepy

Of course, this latest Microsoft dancing debacle doesn’t hold a creepiness candle to the all time cringe classic.

/pass the knitting needles, my eyes and ears hurt