Saturday, January 06, 2007

This Week (In)Security

With respect to (IN)SECURE magazine....

I've been overwhelmed at work...lot's going on, so I haven't had the time to focus quite the degree I normally do at tracking end-user desktop security vulnerabilities.

However, my RSS feeds from security sites and blogs have been smoking this week.

Just a sample

CyberNet news posted a great summary of a Washington Post review of browser vulnerabilities. The comparison was between Internet Explorer (IE6) and Firefox. Both had serious flaws, but the bottom line is that the time to patch was significantly shorter for Firefox than for Internet Explorer.

Internet Explorer 7 seems to be doing much better, but is only available for XP and Vista systems. and now, a new (minor) flaw in the browser's security has been revealed. Luckily a workaround exists, see the link for details.

Case (in)Security Hype: Adobe Acrobat Flaw

Recently, the news was all abuzz about a nasty Adobe Acrobat flaw that seemed to open a wide hole for hackers and thieves to use to pour into your system: When PDFs Attack!, Vulnerability in Adobe Acrobat Reader, Adobe Flaw Means Trusted PDFs May Be Treacherous - Technology News by TechWeb, Adobe vulnerability - Google News. It was even being spun in a way that made it look (to some) like a Firefox hole! Egad's!

Well, fortunately the good folks at BetaNews did a more balanced examination of the issue and came to the following conclusion: all browsers were susceptible to the vector, it has nothing to do with AJAX, the flaw has been around for a while and is a variant of the "cross-site scripting" attack method, Adobe appears to be working on the issue and have offered a patch for the previously known version of the issue for it's Adobe Reader v7, and completely fixed in in the new Adobe Reader v8 version (which I actually like way better than v7).

Oh yeah...if you want to be really clever (and secure), just set your browser's settings to not use Adobe Reader as the default launcher for PDF documents! Use something like Foxit Reader instead.

Hype 2 - Reasonable Reporting 1

Non-Tech Related (In)Security Goofiness

Sorry, I just couldn't pass these up...form your own opinions...

Schneier on Security: Monkeys, Snowglobes, and the TSA

Schneier on Security: Licensing Boaters (as in the operators--not the boats) Will riders of horses be far behind?


No comments: