Great news! Next Tuesday is already Patch Tuesday for September, but Microsoft only has a couple of relatively minor updates lined up. Don’t get too comfortable, though—you need to prepare for the changes Microsoft is making next month for cryptographic keys.
Let’s start with Patch Tuesday. September is a dramatic departure from previous months. Many recent months have been loaded down with multiple Critical updates, and Internet Explorer has been updated monthly for the past few months. This month, by contrast, Microsoft has only two security bulletins scheduled.
The last couple of months have each had nine new security bulletins, and the average per month through August is 7.5. Two is a manageable number that will make many IT admins very happy. Throw in the fact that both of the security bulletins are rated as Important, and that they impact software or platforms that many businesses don’t even use, and some IT admins may essentially get this Patch Tuesday off free and clear.
A hacker collective known as AntiSec has published over a million Apple device IDs that it claims were captured from the laptop of an FBI agent. If you own an iPhone or iPad, you might be wondering what this hack means to you, and you might also be curious about why the FBI had your Apple UDID in the first place.
While the group has published one million and one hacked Apple device IDs, it should be given at least a little credit for restraint. The details stolen from the FBI laptop included more personal information as well—such as full names, cell phone numbers, addresses and zip codes.
DARPA, if you didn’t know, stands for Defense Advanced Research Projects Agency. It's the government body that develops ridiculous things like flying tanks and other science fiction. Next month, however, DARPA is hitting closer to home with “Plan X”, a one-day workshop designed to flesh out the U.S. government’s strategy for war in cyberspace.
Plan X is a two-pronged affair that consists of a general-access session for your standard contractors and government employees, and a secret session to map out where the U.S. is going in the future of cyber warfare.
Oracle issued a patch today for Java 7. Coincidentally, Java 7 has also been the target of recent attacks thanks to a zero-day exploit. For now, though, it’s anyone’s guess whether or not the new Java 7 patch actually addresses the zero-day exploits, or to what extent.
First, a brief recap. A previously unknown flaw in Java was discovered, and a proof-of-concept (PoC) exploit was developed in the popular Metasploit Framework tool. Metasploit is a tool used by the good guys, but an exploit is an exploit, and the fact that the exploit PoC code was developed for Metasploit means that the exploit is now in the hands of many more would-be attackers.
According to the normal Oracle patch release schedule, the next routine update isn’t supposed to occur until October. However, Java is a popular and widely used platform, and it would probably be catastrophic for Oracle to wait a month or more to produce a patch.
Java is under attack again. A zero-day vulnerability in Java is being actively exploited in the wild. The current attacks seem to be targeted, but security experts warn that more widespread attacks could be imminent.
Next to Adobe Reader and Adobe Flash, Java is probably one of the most ubiquitous and widely used applications. Unfortunately, it also provides attackers with plenty of holes and vulnerabilities to exploit, which makes it a popular target.
Proof-of-concept (PoC) code has been developed for the Metasploit Framework tool. Wolfgang Kandek, CTO of Qualys, explains that this is concerning because it makes the exploit available to a much wider audience, and probably means more attacks targeting the Java vulnerability are on the horizon.
There never seems to be any shortage of Android malware reports circulating in the news, and today one came out that sounds alarming indeed.
“Android Under Attack: Malware Levels for Google’s OS Rise Threefold in Q2 2012” was the title of the press release from antivirus vendor Kaspersky announcing it, in fact, and right on cue headlines are popping up across the tech media echoing that dire warning.
But is it really as bad as all that? Probably not. As pointed out by security-focused publication The H on Thursday, data from competing firm F-Secure paint a very different picture for the very same time period: rather than a tripling of Android malware in the second quarter, F-Secure found only a modest rise.
It’s Patch Tuesday again. This month is busier than most because on top of Microsoft’s security bulletins, Adobe is also releasing updates for Reader and Acrobat.
Let’s start with Microsoft. There are nine new security bulletins for August, which resolve 26 different vulnerabilities. There are five rated as Critical (including a patch for Internet Explorer for the third consecutive month) and four Important.
Tyler Reguly, director of security research and development for nCircle, says, “The most interesting thing this month is the release of patches for two wormable issues, MS12-053 and MS12-054. These only affect the oldest-supported Windows platforms and really speaks well of the improvements Microsoft has made to their security efforts over the years.”