It’s Tuesday, Time To Download Microsoft Patches

And this Tuesday, there’s an extra big heapin’ helpin’ of downloadin’ fun!

Microsoft Issues Huge Patch Tuesday Fix for Windows, IE

Microsoft today released a batch of 17 security updates for a Patch Tuesday that cover 64 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Visual Studio, .NET Framework and GDI+.

Nine of the bugs are rated critical, while eight are important. One of the “important” bulletins includes 30 vulnerabilities in one bug, MS11-034, and they all share the same couple of root causes, Microsoft said.

Microsoft identified three vulnerabilities as its top priority bulletins for the month: MS11-020, which resolves a problem with Windows that could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system; MS11-019, another Windows bug that could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request; and MS11-018, which could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

See also:
Microsoft Security Bulletin Summary for April 2011
Tackling the Massive Microsoft Patch Tuesday
Microsoft fixes IE, SMB bugs in big Patch Tuesday
Researcher confirms kernel bugs will dominate Patch Tuesday
Microsoft Smashes Patch Tuesday Record With Massive Update
Another Microsoft Patch Tuesday, 64 New Flaws To Fix
Microsoft Pushes Giant Security Patch
Microsoft delivers monster security update for Windows, IE
Microsoft Releases Torrent of Security Updates
Windows Update

It’s another record! Will Windows software ever be fully patched?

/probably not, so see ya next time, and have a good time downloading, this one takes quite a while!

If It’s Thursday, It Must Be Time To Patch Flash

If you watch YouTube videos or read PDF files, you’re gonna want to pay attention.

After attacks, Adobe fixes Flash bug

Less than a week after fielding reports that hackers were targeting a bug in its Flash Player software, Adobe Systems has rushed out a fix for the problem.

Adobe’s new 10.1 Flash update, released Thursday, fixed a bug that was first spotted via a small number of targeted attacks late last week.

According to Symantec, these Flash attacks are still not widespread, but users should update their Flash software as soon as possible. “We have been seeing a small but steady rise in detections of related malicious PDFs and we expect to continue to see these numbers increase over the coming hours and days,” the security vendor said in a statement.

Criminals have been exploiting the flaw using malicious Flash swf files, which are typically opened by the Web browser’s Flash Player plugin, or via PDFs that have maliciously encoded Flash components embedded inside them, Adobe said Thursday. Those malicious PDFs are typically opened by Reader or Acrobat, which include their own versions of Flash Player that have not yet been patched. That fix is due June 29.

Thursday’s update includes an unusually large number of security bug-fixes, 32 in all. “It’s a huge number of bugs fixed, something along the lines of what we’d expect of Apple,” said Andrew Storms, director of security operations with nCircle Network Security.

Adobe’s Flash and Reader software have emerged as prime hacking targets in the past year, and the company is toying with the idea of releasing more frequent security updates to keep pace.

See also:
Adobe Flash Player version 10.1
Exploit for new Flash vulnerability spreading fast
Adobe releases Flash 10.1 and patch bundle
Adobe Issues Massive Flash Security Update
Adobe plugs 32 security holes in ‘critical’ Flash Player patch
Adobe Issues Security Patch
Adobe Flash Player 10.1 released for Windows, Mac, Linux
Adobe debuts What Jobs Hates™ v10.1
Adobe Releases Flash Player 10.1, AIR 2
Adobe releases Flash Player 10.1 for Mac
Adobe Reader 9.3
Adobe Systems

Be careful, the Flash update tries to install Google Toolbar by default. So, unless you want Google Toolbar, make sure you uncheck the box for Google Toolbar before you hit the install button. If Google Toolbar gets mistakenly installed, you can always uninstall it using Control Panel/Add or Remove Programs.

/damn, I hate it when software vendors try and tack on unrelated, third party software by default to the software download you actually want to install

What The Hell Happened?

It’s been over 24 hours now and still no one has any idea as to what caused Thursday’s bogus market plunge. Needless to say, that’s not good.

Yesterday’s market swerve: fat fingers, glitch, or cyber-warfare?

Theories about yesterday’s stock market swoon, where within a matter of 20 minutes, the stock market plunged by 1,000 points and then nearly completely recovered, are abounding. Fortune asked Rishi Narang, founder of the hedge fund Telesis Capital and author of Inside the Black Box, to share the theories he’s heard and handicap them in terms of likelihood and plausibility.

Narang, who uses high-frequency trading techniques, explains why high-frequency traders got out of the market during the dive, and why the catalyst for the drop is far more important to understand than the drop itself:

What happened yesterday?

There are two points to understand. First, what catalyzed the activity? What was the reason for the market wanting to fall? It might be that the catalyst was of such size that it overwhelmed all other factors. There are three plausible theories:

1) The fat finger. Plausible, but unlikely. Typing in billions with a “b” versus millions with an “m” seems impossible. Trading systems don’t work that way. More likely, the trading system accepts the sell/buy amount in thousands. Some trader in the heat of the moment forgets it’s in thousands, types in an order for 16,000,000 instead of 16,000. That kind of thing seems far more plausible.

But even then: why on Earth would the trading entry system not have a sanity check? For almost no one in the world is a $16 billion sell order okay to send out as soon as it’s entered. The trader should be fired, along with everyone in the IT department. If this happened, most likely, it was something along those lines. If it wasn’t all one order, maybe it was meant to sell just $1 billion shares but was sent 3 or 5 times instead of once.

2) Software error. Plausible, likely, but doesn’t fit the facts. Here, the trading software is in a recursive loop, pounding out sell orders due to a bug somewhere in the software. In a sense, this is more plausible, more likely, but doesn’t seem to fit the facts well enough.

The speed of the decline in the market just doesn’t seem to fit — it should be a series of small orders, not a series of large orders. In 7 minutes we saw a 580-point drop. That doesn’t look like a recursive loop. But there is a lot of software, and somewhere a bug is bound to exist. You can easily imagine a software glitch happening. Things go buggy. Like the Toyota [accelerator] problem, at heart a software problem. Technology is a two-edged sword, and this is the other edge of the sword. We rely on software, but it’s not always written well enough.

3) Computer hacking. Implausible without proof, but possible. This is the most interesting theory because we know terrorists are interested in cyberterrorism. We know they would target the financial markets. We know a great day to launch an attack would be one with a mild bit of panic [due to the Greek crisis and sovereign debt downgrades].

Some other really crazy things happened with stocks, like Accenture and Exelon. [Both stocks traded for one cent for short periods of time.] Two parties really transacted on these trades [at one cent], even though they were later busted and cancelled. If it was just high-frequency traders bailing out, why wouldn’t [that drop] happen on every stock? It just doesn’t add up. Things are too idiosyncratic and that feels uncomfortable. This also happened in the options markets, but again, only on a handful of options.

And the second point to understand?

That’s the question of the enabler. What, if anything perpetuated the selloff? And did so in seconds? There’s a lot of speculation about high-frequency traders vanishing from the marketplace.

The consensus is that high-frequency guys didn’t provide the liquidity and that’s what allowed for prices like one penny on Accenture. I do know for sure that high-frequency traders backed off, but old school market makers would’ve done the same thing, in a little bit different way. They just would’ve created super-wide market spreads. Same thing.

We shouldn’t be so sanguine about taxes and impediments to high-frequency trading if we are upset when high-frequency traders leave the market. Those are incompatible ideas.

As a side point: traders have stop loss levels; one big move triggers other moves. There are systematic, discretionary, and plain-old panic trades.

But for all of those styles and programs, once they see the stock market fall 6%, a liquidation effect takes hold. That’s just a function of people. Someone screams fire, and if enough people start running, everyone will. Those are the dynamics of computer software, people, animals, fires, whatever. It’s how we work. That kind of stampeding effect could easily be part of the response.

But the speed of the market falling down, going back up, and partway back down again? If this was really a stampede, why not repeat the 1987 crash [which kept going]? Nothing ‘stopped’ this crash except that the catalyst seemed to have ended.

If it was an error or a software bug, it stopped. If it was a hack, the hackers left. In other words, the enabling side of this drop is totally irrelevant [to the catalyst]. The only interesting thing here is the catalyst. If this was a gas pedal that was stuck, it would’ve looked different, kept going.

Whether this was intentional or unintentional, it happened all at once. If it was an intentional [attack], then the question is, was it a demonstration, a test, or the attack itself? Whatever it was, we didn’t stop it. It stopped itself.
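Narang’s point about the missing sanity check is worth making concrete. What follows is an added example, not code from Fortune, from Narang, or from any real trading system: a small Python order gate that catches the two fat-finger failure modes described above, a quantity typed in the wrong units (thousands vs. shares) that blows through any reasonable notional limit, and the same order submitted several times instead of once. The limits, the `Order` fields and the sample orders are all constructed for the example.

```python
"""Order-entry sanity checks (constructed example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Order:
    order_id: str
    symbol: str
    side: str        # "BUY" or "SELL"
    quantity: int    # number of shares, already converted from entry units
    price: float     # reference price per share used for the notional check


# Hypothetical limits chosen for the example; a real desk would set these
# per trader and per account, not as global constants.
MAX_NOTIONAL_USD = 50_000_000.0
MAX_QUANTITY = 1_000_000


def to_shares(entered: int, unit_multiplier: int) -> int:
    """Convert a quantity as typed on the entry screen into shares.

    Screens that count in thousands pass unit_multiplier=1000. Making the
    multiplier explicit is the point: the gate below always reasons in
    shares, so a "16,000 meaning 16,000 thousands" mistake becomes a
    16,000,000-share order and is caught, rather than quietly passing.
    """
    if entered <= 0 or unit_multiplier <= 0:
        raise ValueError("quantity and unit multiplier must be positive")
    return entered * unit_multiplier


class OrderGate:
    """Pre-submission checks: hard caps on size and notional, plus a
    duplicate detector for the 'sent 3 or 5 times instead of once' case."""

    def __init__(self, max_notional: float = MAX_NOTIONAL_USD,
                 max_quantity: int = MAX_QUANTITY) -> None:
        self.max_notional = max_notional
        self.max_quantity = max_quantity
        # fingerprint of (symbol, side, quantity, price) -> ids already seen
        self._recent: Dict[Tuple[str, str, int, float], List[str]] = {}

    def check(self, order: Order) -> List[str]:
        """Return a list of rejection reasons; an empty list means the order
        may be submitted. Every submission, rejected or not, is remembered so
        a resend of a rejected order is still flagged as a duplicate."""
        reasons: List[str] = []
        if order.side not in ("BUY", "SELL"):
            reasons.append("side must be BUY or SELL")
        if order.quantity <= 0:
            reasons.append("quantity must be positive")
        elif order.quantity > self.max_quantity:
            reasons.append(f"quantity {order.quantity:,} exceeds hard cap "
                           f"{self.max_quantity:,}")
        notional = order.quantity * order.price
        if notional > self.max_notional:
            reasons.append(f"notional ${notional:,.0f} exceeds limit "
                           f"${self.max_notional:,.0f}")
        key = (order.symbol, order.side, order.quantity, order.price)
        prior = self._recent.get(key, [])
        if prior:
            reasons.append("duplicate of order(s) " + ", ".join(prior) +
                           " with identical symbol/side/quantity/price; "
                           "requires explicit override")
        self._recent.setdefault(key, []).append(order.order_id)
        return reasons


def demo() -> Dict[str, List[str]]:
    """Run three constructed orders through one gate and return the results."""
    gate = OrderGate()
    # Trader means 16,000 shares on a screen that counts in thousands.
    ok = Order("A1", "XYZ", "SELL", to_shares(16, 1000), 25.0)
    # Same trader forgets the units and types 16,000 (thousands).
    fat_finger = Order("A2", "XYZ", "SELL", to_shares(16000, 1000), 25.0)
    # The good order is resent unchanged.
    resend = Order("A3", "XYZ", "SELL", 16000, 25.0)
    return {o.order_id: gate.check(o) for o in (ok, fat_finger, resend)}


if __name__ == "__main__":
    for order_id, reasons in demo().items():
        print(order_id, "OK" if not reasons else "; ".join(reasons))
```

The gate deliberately returns reasons instead of raising, so an entry system can show all of them to the trader at once and route any override through a second person rather than a single click.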

See also:
Regulators Are Stumped by Drop
NYSE, Nasdaq bicker over stock-market drop
Plunge highlights fragmented markets, fast traders
Stock Market Crash? Or Trading Error?
Theories abound about how the 1,000 point Dow drop occurred
UPDATE: Everyone Seeks Answers Behind Stock Market’s Rout
Programs, NYSE Circuit Breakers Contribute To Market Plunge
Nasdaq cancels the trade of 296 stocks after Thursday’s Wall Street stock market crash
SEC reviewing Thursday’s sudden stock market drop
SEC Said to Outline Possible Causes of Market Plunge (Update1)
House panel to hold stock market inquiry

All I can say is that the investigators at the SEC had better get off their asses, take a break from their prodigious porn surfing, and get to the bottom of what exactly caused Thursday’s bogus market plunge. And they had better come up with a definitive answer quickly.

/the ongoing inability of exchange operators and regulators to pinpoint the problem is beginning to shake market confidence even more than the bogus plunge itself