The holidays are over as administrators have to contend with two big patch releases from Microsoft and Adobe on their growing to-do list, and Oracle is promising a giant CPU next week.
Software patches dominated
the week with Adobe's scheduling its quarterly update for Reader and Acrobat software
while Microsoft delivered its Patch Tuesday updates for January. Oracle also
released the preview for its quarterly Critical Patch Update for next week.
Microsoft released seven
bulletins addressing eight security vulnerabilities in January's Patch Tuesday
, but only one was rated "critical." The
two highest-priority bulletins fixed issues in Windows Media Player and in the
.NET packager. An email attachment or a file hosted on a Website, could launch
a drive-by-attack by exploiting the Windows Media Player vulnerability.
Attackers could trick users
to open a maliciously crafted Office document to exploit the .NET flaw.
Adobe also updated
its Reader and Acrobat
software on both the Mac OS X and Windows platforms.
With this update, the zero-day vulnerabilities in the software's 3D rendering
technology are now patched in all versions of the software. Adobe Reader and
Acrobat 9 for Windows were patched in December. But Reader and Acrobat 9 for
Mac OS X and Reader and Acrobat X for both platforms were fixed in this
Adobe also added a
trusted documents. Considering most PDF-based attacks use embedded malicious
would help reduce the attack surface.
Despite plans to address 78
is downright skimpy on the database front, with only two
fixes for Oracle Database Server. Nearly half of the fixes will be in MySQL and
the Sun product suite, but Oracle's continued lack of focus on its flagship
database software remains puzzling.
Separately, Oracle released
a new version of its database firewall with features designed to help administrators
block SQL injection attacks and malicious insiders from gaining unauthorized
access to data. Oracle
also now supports MySQL and the open-source database
software joins the ranks of Oracle Database 11g and earlier versions, IBM DB2,
Microsoft SQL Server, Sybase Adaptive Server Enterprise and Sybase SQL
Strategic Forecasting finally relaunched its Website
this week. It had been off-line since
Christmas Eve after unidentified attackers defaced the site, damaged servers
and stole emails. Stratfor's CEO George Friedman apologized in a letter to
subscribers for the breach and the mistakes the company had made. "This
was our failure. I take responsibility," Friedman wrote. In the same
letter, he lashed out at the attackers, and accused them of trying to censor
Stratfor and of being ignorant of about the company's mission.
During the Infiltrate
Security Conference in Miami this week, two security researchers disclosed a security flaw in Research In Motion's PlayBook tablet
that makes it
possible for attackers to tap into a connection made between the tablet and
handheld devices. Attackers could locate and acquire the authentication token
for BlackBerry Bridge, which uses Bluetooth technology to "pair" two
devices and access sensitive information, according to the report. RIM said the
issue has already been resolved with the BlackBerry PlayBook OS 2.0 update
expected in February.
The week ended with
Microsoft looking back at its Trustworthy Computing initiative
, which was launched Jan. 15, 2002, when
Microsoft's then CEO Bill Gates issued a memo to every employee that the
company was going to take a step back and focus on security. Under the new TwC,
when given a choice between adding features and resolving security issues, the
company would "choose security," Gates wrote 10 years ago.
Since then, company has made
tremendous strides in strengthening its products, working with the security
community and developing mitigation technologies that are used by other vendors
to secure their own products. According to the company, Microsoft will continue
its focus on privacy, the role of government in controlling cyber-attacks, and security
for mobile devices and cloud computing in the next 10 years.