Software patches dominated the week with Adobe’s scheduling its quarterly update for Reader and Acrobat software while Microsoft delivered its Patch Tuesday updates for January. Oracle also released the preview for its quarterly Critical Patch Update for next week.
Microsoft released seven bulletins addressing eight security vulnerabilities in January’s Patch Tuesday, but only one was rated “critical.” The two highest-priority bulletins fixed issues in Windows Media Player and in the .NET packager. An email attachment or a file hosted on a Website, could launch a drive-by-attack by exploiting the Windows Media Player vulnerability.
Attackers could trick users to open a maliciously crafted Office document to exploit the .NET flaw.
Adobe also updated its Reader and Acrobat software on both the Mac OS X and Windows platforms. With this update, the zero-day vulnerabilities in the software’s 3D rendering technology are now patched in all versions of the software. Adobe Reader and Acrobat 9 for Windows were patched in December. But Reader and Acrobat 9 for Mac OS X and Reader and Acrobat X for both platforms were fixed in this release.
Adobe also added a JavaScript whitelisting capability to Reader and Acrobat where administrators could disable JavaScript execution in PDF files, but enable it for a handful of trusted documents. Considering most PDF-based attacks use embedded malicious JavaScript code in one way or other, disabling JavaScript across the board would help reduce the attack surface.
Despite plans to address 78 bugs, Oracle’s gargantuan CPU is downright skimpy on the database front, with only two fixes for Oracle Database Server. Nearly half of the fixes will be in MySQL and the Sun product suite, but Oracle’s continued lack of focus on its flagship database software remains puzzling.
Separately, Oracle released a new version of its database firewall with features designed to help administrators block SQL injection attacks and malicious insiders from gaining unauthorized access to data. Oracle Database Firewall also now supports MySQL and the open-source database software joins the ranks of Oracle Database 11g and earlier versions, IBM DB2, Microsoft SQL Server, Sybase Adaptive Server Enterprise and Sybase SQL Anywhere.
Strategic Forecasting finally relaunched its Website this week. It had been off-line since Christmas Eve after unidentified attackers defaced the site, damaged servers and stole emails. Stratfor’s CEO George Friedman apologized in a letter to subscribers for the breach and the mistakes the company had made. “This was our failure. I take responsibility,” Friedman wrote. In the same letter, he lashed out at the attackers, and accused them of trying to censor Stratfor and of being ignorant of about the company’s mission.
During the Infiltrate Security Conference in Miami this week, two security researchers disclosed a security flaw in Research In Motion’s PlayBook tablet that makes it possible for attackers to tap into a connection made between the tablet and handheld devices. Attackers could locate and acquire the authentication token for BlackBerry Bridge, which uses Bluetooth technology to “pair” two devices and access sensitive information, according to the report. RIM said the issue has already been resolved with the BlackBerry PlayBook OS 2.0 update expected in February.
The week ended with Microsoft looking back at its Trustworthy Computing initiative, which was launched Jan. 15, 2002, when Microsoft’s then CEO Bill Gates issued a memo to every employee that the company was going to take a step back and focus on security. Under the new TwC, when given a choice between adding features and resolving security issues, the company would “choose security,” Gates wrote 10 years ago.
Since then, company has made tremendous strides in strengthening its products, working with the security community and developing mitigation technologies that are used by other vendors to secure their own products. According to the company, Microsoft will continue its focus on privacy, the role of government in controlling cyber-attacks, and security for mobile devices and cloud computing in the next 10 years.