
Security

TA12-129A: Microsoft Updates for Multiple Vulnerabilities

CERT headlines - Sun, 2012-05-20 19:58
Original release date: May 08, 2012 | Last revised: --

Systems Affected

- Microsoft Windows
- Microsoft .NET Framework
- Microsoft Office
- Microsoft Silverlight

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for May 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

- Microsoft Security Bulletin Summary for May 2012
- Microsoft Windows Server Update Services
- Microsoft Update
- Microsoft Update Overview
- Turn Automatic Updating On or Off

Revision History

May 08, 2012: Initial release
Categories: Security

TA12-101B: Adobe Reader and Acrobat Security Updates and Architectural Improvements

CERT headlines - Sun, 2012-05-20 19:58
Original release date: April 10, 2012 | Last revised: --

Systems Affected

- Adobe Reader X (10.1.2) and earlier 10.x versions for Windows and Macintosh
- Adobe Reader 9.5 and earlier 9.x versions for Windows, Macintosh, and UNIX
- Adobe Acrobat X (10.1.2) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.5 and earlier 9.x versions for Windows and Macintosh

Overview

Adobe has released Security Bulletin APSB12-08, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat. As part of this update, Adobe Reader and Acrobat 9.x will use the system-wide Flash Player browser plug-in instead of the Authplay component. In addition, Reader and Acrobat now disable the rendering of 3D content by default.

Description

Adobe Security Bulletin APSB12-08 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Adobe Reader and Acrobat versions 9.x through 9.5, and Reader X and Acrobat X versions prior to 10.1.3.

The Adobe ASSET blog provides additional details on new security architecture changes to Adobe Reader and Acrobat. Adobe Reader and Acrobat 9.5.1 will use the Adobe Flash Player plug-in version installed on the user's system rather than the Authplay component that ships with Adobe Reader and Acrobat. This change helps limit the number of out-of-date, vulnerable Flash runtimes available to an attacker. Adobe Reader and Acrobat 9.5.1 also now disable rendering of 3D content by default because the 3D rendering components have a history of vulnerabilities. US-CERT recommends that Flash users upgrade to the latest version of Adobe Flash Player and turn on automatic updates.

An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. This can happen automatically as the result of viewing a webpage.

Impact

These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file.

Solution

Update Reader

Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB12-08 and update vulnerable versions of Adobe Reader and Acrobat. In addition to updating, please consider the following mitigations.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript may prevent some exploits from resulting in code execution. You can disable Acrobat JavaScript using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript). Adobe provides a framework to blacklist specific JavaScript APIs. If JavaScript must be enabled, this framework may be useful when specific APIs are known to be vulnerable or used in attacks.

Prevent Internet Explorer from automatically opening PDF files

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\AcroExch.Document.7]
    "EditFlags"=hex:00,00,00,00

Disable the display of PDF files in the web browser

Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. Applying this workaround may also mitigate future vulnerabilities. To prevent PDF files from automatically being opened in a web browser, do the following:

1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox.

Do not access PDF files from untrusted sources

Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

References

- Security update available for Adobe Reader and Acrobat
- Adobe Reader and Acrobat JavaScript Blacklist Framework
- Background on Security Bulletin APSB12-08
- Adobe Flash Player
- Adobe Flash vulnerability affects Flash Player and other Adobe products
- Vulnerability Notes with advice to disable 3D rendering

Revision History

April 10, 2012: Initial release
Categories: Security

TA12-101A: Microsoft Updates for Multiple Vulnerabilities

CERT headlines - Sun, 2012-05-20 19:58
Original release date: April 10, 2012 | Last revised: --

Systems Affected

- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft .NET Framework
- Microsoft Office
- Microsoft Server Software
- Microsoft SQL Server
- Microsoft Developer Tools
- Microsoft Forefront Unified Access Gateway

Overview

There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft Server Software, Microsoft SQL Server, Microsoft Developer Tools, and Microsoft Forefront Unified Access Gateway. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for April 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

- Microsoft Security Bulletin Summary for April 2012
- Microsoft Windows Server Update Services
- Microsoft Update
- Microsoft Update Overview
- Turn Automatic Updating On or Off

Revision History

April 10, 2012: Initial release
Categories: Security

TA12-073A: Microsoft Updates for Multiple Vulnerabilities

CERT headlines - Sun, 2012-05-20 19:58
Original release date: March 13, 2012 Last revised: -- Source: US-CERT

Systems Affected

- Microsoft Windows
- Microsoft Visual Studio
- Microsoft Expression Design

Overview

There are multiple vulnerabilities in Microsoft Windows, Microsoft Visual Studio, and Microsoft Expression Design. Microsoft has released updates to address these vulnerabilities.

I. Description

The Microsoft Security Bulletin Summary for March 2012 describes multiple vulnerabilities in Microsoft Windows, Microsoft Visual Studio, and Microsoft Expression Design. Microsoft has released updates to address the vulnerabilities.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

IV. References

- Microsoft Security Bulletin Summary for March 2012
- Microsoft Windows Server Update Services
- Microsoft Update
- Microsoft Update Overview
- Turn Automatic Updating On or Off

Feedback can be directed to US-CERT. Produced 2012 by US-CERT, a government organization. Terms of use

Revision History

March 13, 2012: Initial release
Categories: Security

TA12-045A: Microsoft Updates for Multiple Vulnerabilities

CERT headlines - Sun, 2012-05-20 19:58
Original release date: February 14, 2012 Last revised: -- Source: US-CERT

Systems Affected

- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft .NET Framework
- Microsoft Silverlight
- Microsoft Office
- Microsoft Server Software

Overview

There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Silverlight, Office, and Microsoft Server Software. Microsoft has released updates to address these vulnerabilities.

I. Description

The Microsoft Security Bulletin Summary for February 2012 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

IV. References

- Microsoft Security Bulletin Summary for February 2012
- Microsoft Windows Server Update Services
- Microsoft Update
- Microsoft Update Overview
- Turn Automatic Updating On or Off

Feedback can be directed to US-CERT. Produced 2012 by US-CERT, a government organization. Terms of use

Revision History

February 14, 2012: Initial release
Categories: Security

TA12-024A: "Anonymous" DDoS Activity

CERT headlines - Sun, 2012-05-20 19:58
Original release date: January 24, 2012 Last revised: -- Source: US-CERT

Overview

US-CERT has received information from multiple sources about coordinated distributed denial-of-service (DDoS) attacks with targets that included U.S. government agency and entertainment industry websites. The loosely affiliated collective "Anonymous" allegedly promoted the attacks in response to the shutdown of the file hosting site MegaUpload and in protest of proposed U.S. legislation concerning online trafficking in copyrighted intellectual property and counterfeit goods (Stop Online Piracy Act, or SOPA, and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA).

I. Description

US-CERT has evidence of two types of DDoS attacks: one using HTTP GET requests and another using a simple UDP flood.

The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool associated with previous Anonymous activity. US-CERT has reviewed at least two implementations of LOIC. One variant is written in JavaScript and is designed to be used from a web browser. An attacker can access this variant of LOIC on a website and select targets, specify an optional message, throttle attack traffic, and monitor attack progress. A binary variant of LOIC includes the ability to join a botnet to allow nodes to be controlled via IRC or RSS command channels (the "HiveMind" feature).

The following is a sample of LOIC traffic recorded in a web server log:

    "GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

The following sites have been identified in HTTP referrer headers of suspected LOIC traffic. This list may not be complete. Please do not visit any of the links as they may still host functioning LOIC or other malicious code.

    hxxp://3g.bamatea.com/loic.html
    hxxp://anonymouse.org/cgi-bin/anon-www.cgi/
    hxxp://chatimpacto.org/Loic/
    hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/
    hxxp://event.seeho.co.kr/loic.html
    hxxp://pastehtml.com/view/bl3weewxq.html
    hxxp://pastehtml.com/view/bl7qhhp5c.html
    hxxp://pastehtml.com/view/blafp1ly1.html
    hxxp://pastehtml.com/view/blakyjwbi.html
    hxxp://pastehtml.com/view/blal5t64j.html
    hxxp://pastehtml.com/view/blaoyp0qs.html
    hxxp://www.lcnongjipeijian.com/loic.html
    hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/fnorefer
    hxxp://www.tandycollection.co.kr/loic.html
    hxxp://www.zgon.cn/loic.html
    hxxp://zgon.cn/loic.html
    hxxp://www.turbytoy.com.ar/admin/archivos/hive.html

The following are the A records for the referrer sites as of January 20, 2012:

    3g[.]bamatea[.]com                A    218[.]5[.]113[.]218
    cybercrime[.]hostzi[.]com         A    31[.]170[.]161[.]36
    event[.]seeho[.]co[.]kr           A    210[.]207[.]87[.]195
    chatimpacto[.]org                 A    66[.]96[.]160[.]151
    anonymouse[.]org                  A    193[.]200[.]150[.]125
    pastehtml[.]com                   A    88[.]90[.]29[.]58
    lcnongjipeijian[.]com             A    49[.]247[.]252[.]105
    www[.]rotterproxy[.]info          A    208[.]94[.]245[.]131
    www[.]tandycollection[.]co[.]kr   A    121[.]254[.]168[.]87
    www[.]zgon[.]cn                   A    59[.]54[.]54[.]204
    www[.]turbytoy[.]com[.]ar         A    190[.]228[.]29[.]84

The HTTP requests contained an "id" value based on UNIX time and a user-defined "msg" value, for example:

    GET /?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20

Other "msg" examples:

    msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
    msg=:)
    msg=:D
    msg=Somos%20Legion!!!
    msg=Somos%20legi%C3%B3n!
    msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406 "http://pastehtml.com/view/bl7qhhp5c.html"
    msg=We%20Are%20Legion!
    msg=gh
    msg=open%20megaupload
    msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer%20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
    msg=stop%20SOPA!!
    msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20forgive.%20We%20do%20not%20forget.%20Expect%20us!

The "msg" field can be arbitrarily set by the attacker.

As of January 20, 2012, US-CERT has observed another attack that consists of UDP packets on ports 25 and 80. The packets contained a message followed by variable amounts of padding, for example:

    66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 | flood.........

Target selection, timing, and other attack activity is often coordinated through social media sites or online forums.

US-CERT is continuing research efforts and will provide additional data as it becomes available.

III. Solution

There are a number of mitigation strategies available for dealing with DDoS attacks, depending on the type of attack as well as the target network infrastructure. In general, the best practice defense for mitigating DDoS attacks involves advanced preparation.

- Develop a checklist or Standard Operating Procedure (SOP) to follow in the event of a DDoS attack. One critical point in a checklist or SOP is to have contact information for your ISP and hosting providers. Identify who should be contacted during a DDoS, what processes should be followed, what information is needed, and what actions will be taken during the attack with each entity.
- The ISP or hosting provider may provide DDoS mitigation services. Ensure your staff is aware of the provisions of your service level agreement (SLA).
- Maintain contact information for firewall teams, IDS teams, and network teams, and ensure that it is current and readily available.
- Identify critical services that must be maintained during an attack as well as their priority. Services should be prioritized beforehand to identify what resources can be turned off or blocked as needed to limit the effects of the attack. Also, ensure that critical systems have sufficient capacity to withstand a DDoS attack.
- Have current network diagrams, IT infrastructure details, and asset inventories. This will assist in determining actions and priorities as the attack progresses.
- Understand your current environment and have a baseline of daily network traffic volume, type, and performance. This will allow staff to better identify the type of attack, the point of attack, and the attack vector used. Also, identify any existing bottlenecks and remediation actions if required.
- Harden the configuration settings of your network, operating systems, and applications by disabling services and applications not required for a system to perform its intended function. Implement a bogon block list at the network boundary.
- Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls.
- Separate or compartmentalize critical services:
  - Separate public and private services
  - Separate intranet, extranet, and internet services
  - Create single-purpose servers for each service such as HTTP, FTP, and DNS
- Review the US-CERT Cyber Security Tip Understanding Denial-of-Service Attacks.

IV. References

- Cyber Security Tip ST04-015
- Anonymous's response to the seizure of MegaUpload according to CNN
- The Internet Strikes Back #OpMegaupload
- Twitter Post from the author of the JavaScript based LOIC code
- Anonymous Operations tweets on Twitter
- @Megaupload Tweets on Twitter
- LOIC DDoS Analysis and Detection
- Impact of Operation Payback according to CNN
- OperationPayback messages on YouTube
- The Bogon Reference - Team Cymru

Feedback can be directed to US-CERT. Produced 2012 by US-CERT, a government organization. Terms of use

Revision History

January 24, 2012: Initial release
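A defender-side way to pick the two patterns this alert describes out of your own data, as an added example that is not part of the US-CERT alert: it parses combined-format web server log lines, flags requests that match the LOIC shape (a request to "/" with a 13-digit millisecond "id" and a free-text "msg", or a Referer from the alert's list of hosting sites), counts hits per client so they can be compared against the traffic baseline the Solution section asks you to keep, and decodes the alert's colon-separated UDP hex dump to separate message from padding. The log lines are constructed for this example: the first request line and its referrer are the alert's own sample, while the client addresses, timestamps and the other lines are invented. Real logs carry http:// where the alert shows the defanged hxxp:// form.

```python
"""Spot the LOIC request pattern and the UDP payload shape from the alert.

Added example, not part of the US-CERT alert. SAMPLE_LOG is constructed:
the first request line and referrer come from the alert's sample; the client
addresses, timestamps and remaining lines are invented. The referrer hosts are
the ones the alert lists (defanged as hxxp:// there; real logs carry http://).
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

LOIC_REFERER_HOSTS = {
    "3g.bamatea.com", "anonymouse.org", "chatimpacto.org",
    "cybercrime.hostzi.com", "event.seeho.co.kr", "pastehtml.com",
    "www.lcnongjipeijian.com", "www.rotterproxy.info",
    "www.tandycollection.co.kr", "www.zgon.cn", "zgon.cn",
    "www.turbytoy.com.ar",
}

# Combined log format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2012:23:06:40 +0000] "GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "http://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
203.0.113.5 - - [19/Jan/2012:23:06:41 +0000] "GET /?id=1327014401102&msg=:) HTTP/1.1" 200 99406 "http://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
198.51.100.7 - - [19/Jan/2012:23:06:42 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
198.51.100.9 - - [19/Jan/2012:23:06:43 +0000] "GET /?id=42&msg=hello HTTP/1.1" 200 99406 "-" "curl/7.21.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    entry["method"] = parts[0]
    entry["target"] = parts[1] if len(parts) > 1 else ""
    return entry


def loic_indicators(entry):
    """Names of the LOIC indicators from the alert that one parsed entry matches."""
    hits = []
    url = urlparse(entry["target"])
    qs = parse_qs(url.query)
    # LOIC requests hit "/" with id=<13-digit UNIX time in ms> and a free-text msg
    ids = qs.get("id", [])
    if url.path == "/" and ids and re.fullmatch(r"\d{13}", ids[0]) and "msg" in qs:
        hits.append("id+msg query")
    host = (urlparse(entry["referer"]).hostname or "").lower()
    if host in LOIC_REFERER_HOSTS:
        hits.append("referer:" + host)
    return hits


def scan(lines):
    """Return [(client, target, indicators)] for every line with at least one indicator."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = loic_indicators(entry)
        if hits:
            flagged.append((entry["client"], entry["target"], hits))
    return flagged


def per_client(flagged):
    """Flagged requests per client, to compare against the site's normal traffic baseline."""
    return Counter(client for client, _, _ in flagged)


def decode_udp_sample(hexdump):
    """Decode the alert's colon-separated hex dump into (message, padding length).

    The UDP flood packets carry a short message followed by NUL padding, so the
    message is what remains after stripping trailing zero bytes.
    """
    data = bytes(int(b, 16) for b in hexdump.split(":"))
    message = data.rstrip(b"\x00")
    return message.decode("ascii", errors="replace"), len(data) - len(message)


if __name__ == "__main__":
    flagged = scan(SAMPLE_LOG.splitlines())
    for client, target, hits in flagged:
        print(client, target, ", ".join(hits))
    print(per_client(flagged))
    print(decode_udp_sample("66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00"))
```

The two indicators are checked independently because either can appear alone: the JavaScript LOIC variant sets the Referer to whatever page hosts it, and the "msg" text is attacker-chosen, so matching on the structural "id" plus "msg" shape is more durable than matching on any particular message. The fourth sample line shows the false-positive guard: a query with "id" and "msg" that is not a millisecond timestamp is not flagged.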
Categories: Security

TA12-010A: Microsoft Updates for Multiple Vulnerabilities

CERT headlines - Sun, 2012-05-20 19:58
Original release date: January 10, 2012 Last revised: -- Source: US-CERT

Systems Affected

- Microsoft Windows
- Microsoft Developer Tools and Software

Overview

There are multiple vulnerabilities in Microsoft Windows and Microsoft Developer Tools and Software. Microsoft has released updates to address these vulnerabilities.

I. Description

The Microsoft Security Bulletin Summary for January 2012 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for January 2012. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

IV. References

- Microsoft Security Bulletin Summary for January 2012
- Microsoft Windows Server Update Services

Feedback can be directed to US-CERT. Produced 2012 by US-CERT, a government organization. Terms of use

Revision History

January 10, 2012: Initial release
Categories: Security

TA12-006A: Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack

CERT headlines - Sun, 2012-05-20 19:58
Original release date: January 06, 2012 Last revised: -- Source: US-CERT

Systems Affected

Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS) are affected.

Overview

Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure secure wireless networks. The external registrar PIN exchange mechanism is susceptible to brute force attacks that could allow an attacker to gain access to an encrypted Wi-Fi network.

I. Description

WPS uses a PIN as a shared secret to authenticate an access point and a client and provide connection information such as WEP and WPA passwords and keys. In the external registrar exchange method, a client needs to provide the correct PIN to the access point.

An attacking client can try to guess the correct PIN. A design vulnerability reduces the effective PIN space sufficiently to allow practical brute force attacks. Freely available attack tools can recover a WPS PIN in 4-10 hours.

For further details, please see Vulnerability Note VU#723755 and further documentation by Stefan Viehbock and Tactical Network Solutions.

II. Impact

An attacker within radio range can brute-force the WPS PIN for a vulnerable access point. The attacker can then obtain WEP or WPA passwords and likely gain access to the Wi-Fi network. Once on the network, the attacker can monitor traffic and mount further attacks.

III. Solution

Update Firmware

Check your access point vendor's support website for updated firmware that addresses this vulnerability. Further information may be available in the Vendor Information section of VU#723755 and in a Google spreadsheet called WPS Vulnerability Testing.

Disable WPS

Depending on the access point, it may be possible to disable WPS. Note that some access points may not actually disable WPS when the web management interface indicates that WPS is disabled.

IV. References

- Vulnerability Note VU#723755
- Wi-Fi Protected Setup PIN brute force vulnerability
- Cracking WiFi Protected Setup with Reaver
- WPS Vulnerability Testing

Feedback can be directed to US-CERT. Produced 2012 by US-CERT, a government organization. Terms of use

Revision History

January 06, 2012: Initial release
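Why an eight-digit PIN can fall within the 4-10 hours the alert quotes, as an added derivation that is not part of the US-CERT alert. It rests on two facts documented in the referenced Vulnerability Note VU#723755 and Viehbock's paper: the eighth PIN digit is a checksum of the first seven, and the external registrar exchange acknowledges the first four digits and the remaining digits in separate protocol steps, so each half can be confirmed on its own.

$$
N_{\text{nominal}} = 10^{8} = 100{,}000{,}000
$$

$$
N_{\text{checksum}} = 10^{7} = 10{,}000{,}000 \quad\text{(last digit is determined by the first seven)}
$$

$$
N_{\text{split}} = \underbrace{10^{4}}_{\text{first half}} + \underbrace{10^{3}}_{\text{second half, minus checksum digit}} = 11{,}000
$$

$$
\mathbb{E}[\text{attempts}] \approx \tfrac{1}{2} N_{\text{split}} = 5{,}500
$$

Each attempt is a full registrar exchange with the access point, which takes on the order of seconds, so 5,500 expected attempts lands in the hour range rather than the years that $10^{8}$ independent guesses would need. The defensive reading of the derivation is that the weakness is structural (the per-half acknowledgement), so rate limiting in firmware only stretches the timeline, while disabling WPS removes the exposed exchange altogether; the alert's caveat that some devices keep WPS active despite the management interface saying otherwise is why a firmware update from the vendor is the first recommendation.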
Categories: Security

TA11-350A: Adobe Updates for Multiple Vulnerabilities

CERT headlines - Sun, 2012-05-20 19:58
Original release date: December 16, 2011 Last revised: -- Source: US-CERT

Systems Affected

- Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
- Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh, and UNIX
- Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

Overview

Adobe has released Security Bulletin APSB11-30, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat.

I. Description

Adobe Security Bulletin APSB11-30 and Adobe Security Advisory APSA11-04 describe a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader and Acrobat 9.4.6 and earlier 9.x versions. These vulnerabilities also affect Reader X and Acrobat X 10.1.1 and earlier 10.x versions.

An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in, which can automatically open PDF documents hosted on a website, is available for multiple web browsers and operating systems.

Adobe Reader X and Adobe Acrobat X will be patched in the next quarterly update scheduled for January 10, 2012.

Additional details for the U3D memory corruption vulnerability can be found in US-CERT Vulnerability Note VU#759307.

II. Impact

These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file.

III. Solution

Update Reader

Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB11-30 and update vulnerable versions of Adobe Reader and Acrobat. In addition to updating, please consider the following mitigations.

Disable Flash in Adobe Reader and Acrobat

Disabling Flash in Adobe Reader will mitigate attacks that rely on Flash content embedded in a PDF file. Disabling 3D & Multimedia support does not directly address the vulnerability, but it does provide additional mitigation and results in a more user-friendly error message instead of a crash. To disable Flash and 3D & Multimedia support in Adobe Reader 9, delete, rename, or remove access to these files:

Microsoft Windows
    "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
    "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"

Apple Mac OS X
    "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
    "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"

GNU/Linux (locations may vary among distributions)
    "/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
    "/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"

File locations may be different for Adobe Acrobat or other Adobe products that include Flash and 3D & Multimedia support. Disabling these plugins will reduce functionality and will not protect against Flash content that is hosted on websites. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript). Adobe provides a framework to blacklist specific JavaScript APIs. If JavaScript must be enabled, this framework may be useful when specific APIs are known to be vulnerable or used in attacks.

Prevent Internet Explorer from automatically opening PDF files

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\AcroExch.Document.7]
    "EditFlags"=hex:00,00,00,00

Disable the display of PDF files in the web browser

Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied, it may also mitigate future vulnerabilities. To prevent PDF files from automatically being opened in a web browser, do the following:

1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox.

Remove or restrict access to 3difr.x3d

By removing or restricting access to the 3difr.x3d file, Adobe Reader and Acrobat will fail to render U3D content, which helps to mitigate this vulnerability. PDF documents that use the PRC format for 3D content will continue to function on Windows and Linux platforms.

To disable U3D support in Adobe Reader 9 on Microsoft Windows, delete or rename this file:
    "%ProgramFiles%\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d"

For Apple Mac OS X, delete or rename this directory:
    "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"

For GNU/Linux, delete or rename this file (locations may vary among distributions):
    "/opt/Adobe/Reader9/Reader/intellinux/plug_ins3d/3difr.x3d"

File locations may be different for Adobe Acrobat or other Adobe products or versions.

Do not access PDF files from untrusted sources

Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

IV. References

- Security update available for Adobe Reader and Acrobat
- Adobe Reader and Acrobat JavaScript Blacklist Framework
- Adobe Acrobat and Reader U3D memory corruption vulnerability
- Security Advisory for Adobe Reader and Acrobat

Feedback can be directed to US-CERT. Produced 2011 by US-CERT, a government organization. Terms of use

Revision History

December 16, 2011: Initial release
Categories: Security

TA11-347A: Microsoft Updates for Multiple Vulnerabilities

CERT headlines - Sun, 2012-05-20 19:58
Original release date: December 13, 2011 Last revised: -- Source: US-CERT

Systems Affected

- Microsoft Windows
- Microsoft Office
- Internet Explorer

Overview

There are multiple vulnerabilities in Microsoft Windows, Office, and Internet Explorer. Microsoft has released updates to address these vulnerabilities.

I. Description

The Microsoft Security Bulletin Summary for December 2011 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities. Additional details for MS11-091 can be found in US-CERT vulnerability note VU#361441.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for December 2011. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

IV. References

- Microsoft Security Bulletin Summary for December 2011
- Microsoft Windows Server Update Services
- US-CERT Vulnerability Note VU#361441

Feedback can be directed to US-CERT. Produced 2011 by US-CERT, a government organization. Terms of use

Revision History

December 13, 2011: Initial release
Categories: Security

Travel Tech Q and A: Gartner's Warren Anderson

ZDNet Australia - Security - Sat, 2012-05-19 10:00

Gartner group vice president of Asia Pacific Warren Anderson is not only active in the IT industry in Australia, but also competes internationally in triathlons, so he needs to travel, and often. Here are his travel tips.

Warren Anderson
(Credit: Gartner)

Gartner provides research and insights into the IT industry, delving into the nuts and bolts of business technology.

What tech do you travel with, and why?

I never go anywhere without my BlackBerry, and would be so lost without it. As I travel so much, I am either in planes or in meetings, and, so, I need to be in constant contact with the business across the region and with the mother ship in the US. I am still a "button" guy, so getting me to type on a touchscreen will take a lot of changing. I do take my laptop PC with me if I need to work on any documents, but have just added an iPad to my travel technology, and view documents and email on that. So, unless I need to work on documents on a plane and save them, I don't touch the PC.

What's your favourite phone app for travelling and why?

My favourite app for travelling is FaceTime. It allows [me] to contact my kids and wife on their iPads by video, which makes travelling just a little more bearable. As it is video [on] a portable device, it feels just a little more real since you can move around with them, rather than having them tied to a PC using video. It is my job to read with my son at night; FaceTime means we still have that time together when I am away, and he can even show me how far he has progressed on Call of Duty or Halo. I have some family in New Zealand: their eldest son has just gone away to uni, but they still have dinner with him on FaceTime, each night. He sits at his normal spot at the dinner table, on his iPad.

Most memorable travel story/experience?

I was recently sitting on a plane to New Zealand, when a famous actor came and sat next to me. He had a very familiar face; I knew him from being in The Lord of The Rings and I knew my daughters would be very impressed. I couldn't remember his name, so I did a search on my phone as soon as I landed. He happened to lean over, saw what I was searching for and had a big laugh. I said it was for my daughters. I'm not sure he believed me, but they were still very impressed. It was Orlando Bloom.

Personal travel advice/tip?

I think that everyone is always willing to give advice on what the best things are to do, but I think that in all the years I have been travelling, I have never met someone with the same habits as myself. I think we all try different things, and then do what works best for ourselves. For me, I always leave home with the motto that as long as I have my passport, my BlackBerry and my credit card, there is no problem I can't solve.

How do you deal with jet lag?

I always arrange for my flights to arrive at the destination early evening and then I don't sleep on planes, other than a 30-minute nap. When I arrive, I go for a ride or a run in the gym, have a couple of beers, a big meal and then have a good eight or nine hours of sleep. This works even when I travel to the US. It is definitely something that you get better at, the more you travel, but I would rather be tired on a plane, than have to struggle with jet lag whilst I am trying to work.

What (if any) travel websites do you use?

I use Wotif and Qantas.

What was your biggest travel disaster?

My assistant books all my travel, but, on a recent trip to India, I decided to take my wife and daughters with me, so I booked the same flights for them online. On the return leg, we had a flight leaving at Mumbai at 10 minutes past midnight. To get into the airport, you needed to show your passport and itinerary to pretty heavily armed soldiers. They ushered me through, and then stopped my wife and daughters outside the airport, saying that they couldn't come into the airport, as their flights were only booked for the following day. They had to wait outside the airport for two hours whilst I tried, desperately, to get them onto flights. They finally found a flight with a business-class seat and three economy seats, and, so, I then went to tell a pretty irate wife how good I was. Guess who sat in economy with the kids?

Where is the best place you've been for duty-free tech shopping?

I used to say Singapore Airport, but, with the outlet shopping in the US now, being able to get special tax credits at the stores, the strength of the Aussie dollar and just the cheap price of tech and clothes, I would have to say the US.

What is your dream travel tech to have on planes/in airports/at hotels?

I would really like wireless electricity.

Favourite destination city to work/visit and why?

I would have to say home, in Brisbane, as it is always so nice to get home. Although, I am sure that one day, I will find out that there is a huge radiation cloud above my house, as my wife and three kids all have laptops, iPads, phones, iPods, etc, and most of our media is wireless. We have fantastic wireless access at home in every room, so I can work from my office or from bed at night, with the same device. One of my Gartner colleagues introduced me to Sonos speakers last year, so now we have them throughout the house and can stream music, legally, to all speakers separately or linked together - very, very cool.

Categories: Security

Facebook IPO goes off without a bang

ZDNet Australia - Security - Sat, 2012-05-19 08:56

One of the most celebrated IPOs in history, which raised US$16 billion, ended the day below where it started. At Facebook, it's back to business.

After Zuckerberg rang the bell
(Credit: James Martin/CNET)

After an all-night 'hackathon' at Facebook headquarters in Menlo Park, California, Founder Mark Zuckerberg rang the ceremonial Nasdaq bell from his home turf and the trading started. Almost. There were glitches that stalled things. Financial news anchors vamped breathlessly. And, ultimately, ticker symbol FB traded for a shortened day, just about five hours.

There was no 1999-style pop, but the stock did climb. In fact, it opened at just above US$42 - 11 per cent above the offering price of US$38 a share. That's how much demand there was. In fact, the trading volume set an all-time record for the Nasdaq. But this demand didn't want to stick around. These weren't bets on Facebook's grand future. These were attempts to make a quick buck.

And when the shares started to fall towards their opening price, apparently the bankers worked like mad to try to "support the deal". In other words, the investment bankers, who have an agreement to make a market in the stock, likely began buying shares themselves to keep it afloat.

And it makes sense. The bankers don't want to see the price close below the offering price. At the close, the stock was priced at US$38.27 - below where it opened, and just above the offering price. For the bankers, this was not casual Friday.

It's too late now, of course, but you can bet the bankers are wishing they were able to get this deal done a few months back. Timing is everything, and in this case, theirs was not ideal. Think about it: in the last couple of months, the stock market overall has taken a sharp turn south amid continued worries about Europe and, in particular, Greece.

But the problems that have cast doubt on Facebook are closer to home as well. In April, two months after the company filed to go public, Facebook reported a slowdown in revenue and a drop in profits, highlighting that the days of hyper-growth are coming to an end. Zuckerberg then spent a surprising US$1 billion in cash and stock to buy the photo-sharing app Instagram, drawing attention to Facebook's problem in mobile.

Mobile is where Facebook's growth is, and yet Facebook doesn't yet have a way to make money from mobile users. The company last week amended its S-1 filing with the SEC to underscore the mobile challenge, and Zuckerberg reportedly told potential investors that mobile is his top priority for 2012.

Then there was General Motors, which earlier this week pulled US$10 million of ads from Facebook because, it said, they weren't working.

Throughout it all, however, the big investors wanted in, and on Wednesday the company upped the price range of the stock offering. Despite warnings, few fund managers wanted to miss out. But plenty seemingly also don't want to be left holding too much.

For the gang at Facebook, however, the party continued. Facebook posted back-slapping photos and videos for the celebrations from the sprawling campus that was once home to Sun Microsystems.

Now, the eight-year-old Facebook has a fat pile of cash and sports a market value that, at almost US$110 billion, is more than US$15 billion higher than Amazon's. Google, which is in many ways Facebook's biggest competitor, has a market cap of US$196 billion. In short, Facebook is now among the big boys - in almost every sense.

The one place it's falling short is the bottom line. Sure, Facebook makes money, and it's on track to do more than US$4 billion in revenue for 2012. But Google did 10 times that last year. So Zuck and team, now under Wall Street's watchful and sometimes distracting eye, need to buckle down and start figuring out how to make more money from its 900 million users. Zuckerberg's hardest test awaits.

Via CNET

Categories: Security

Apache OpenOffice security fixes emerge

The Register - Security - Sat, 2012-05-19 03:33
Under new management: First revamp passes one million downloads

Details have emerged about the security fixes that came bundled with Apache OpenOffice 3.4.0, the latest version of the open-source productivity suite.…

Categories: Security

Call of Duty hacker jailed after meatspace burglary

The Register - Security - Sat, 2012-05-19 02:34
18 months' porridge for banking malware-spreader

A Brit who distributed a Trojan horse that posed as a patch for popular shoot-em-up game Call of Duty has been jailed for 18 months.…

Categories: Security

UK prosecutions for hacking appear to be dropping

The Register - Security - Fri, 2012-05-18 23:02
But plenty of caveats apply

The number of prosecutions under the UK's computer hacking laws may have declined over recent years, according to the latest available government figures.…

Categories: Security

Automation key for time-poor security boffins

ZDNet Australia - Security - Fri, 2012-05-18 17:19

The way in which IT departments have been approaching information security is flawed, according to Juniper Networks senior director and security architect Christopher Hoff, who said that security departments need to adopt automation to free up their time to think outside the box.

Christopher Hoff
(Credit: Michael Lee/ZDNet Australia)

Speaking to ZDNet Australia, and presenting at AusCERT 2012 earlier this week, Hoff said that security experts tend to only set up reactive plans on how they think systems might break, without taking into account the unpredictable ways in which complex systems of today actually do fail.

"Every once in a while, we test certain things, but we test them as though you hit the first domino and every other domino hits the other one, and there's this linear sequence of events that happens," he said.

"What normally happens is chaos ensures people don't respond the same way, technology doesn't respond the same way you expect it to and so what ends up happening in complex distributed systems is you end up with complex distributed outcomes that aren't always predictable."

Rather than being a reactive force, focusing on threats and vulnerabilities as they become public, security teams should be trying to break their own systems, so that they can manage their risk, he said.

But security experts haven't been able to do this, because they have been treading water for years, Hoff said. This is because it's difficult, if not impossible, to keep up with new technologies and their associated threats, which are being rolled out at an increasingly faster pace. The only way to be able to experiment with systems in that way is to use automation to do basic security jobs that steal the team's time.

Such automation measures can include setting up systems so that they automatically notify each other that they are under attack, even when they are on completely separate layers.

"It's amazing to me that infrastructure can be under attack, and the apps don't know about it and vice versa. We have the capabilities ... we know how to exchange information about vulnerability and threat. It's silly that we don't."

Although automation seems like quite a logical step, it isn't as simple to execute. Hoff said that many chief information security officers (CISOs) and CIOs are struggling with the "technical debt" that they have inherited, and are weighed down by the need to maintain what are now considered as being legacy platforms. Newer platforms running over the cloud are more suitable for automation, he said.

"Large enterprises with tons of applications and legacy infrastructure have a more difficult chore. [Enterprise customers] kind of get mad at me, or at least upset and grumpy about the fact that I keep pointing out [new infrastructure models]. What their frustration stems from is just being saddled with all of this stuff that in many cases, if they could, they would just move off their plate."

As someone who has worked on both sides of the fence, and also in start-ups and large enterprise environments, Hoff is sympathetic to the frustrated CISO. However, he promised that the benefit of taking the time to set up automated procedures is worth the pain.

"I've been in the trenches, I've been a CISO, I know what it's like. It took me three years to, across the entire company, establish a risk-management program that folded in IT and all of the business and audit, and it's a tremendous amount of work, but it moved us forward and to the point of really making a difference," he said.

"A lot of that was stopping doing simple routine tasks and automating as much as we possibly could, and testing the heck out of the domain and [other] areas [for] impacts that a failure would produce."

Categories: Security

Lightning round!

ZDNet Australia - Security - Fri, 2012-05-18 17:13

What's an IPO and why is Facebook doing it? How's this year's AusCERT? Where's our slice of Raspberry Pi? And where are Josh and Michael?

On this week's Piccolo-sized Technolatte:

Subscribe to Technolatte on iTunes.

Running time: 14 minutes, 21 seconds

Categories: Security

Vic scraps HealthSMART system

ZDNet Australia - Security - Fri, 2012-05-18 17:12

The Victorian Government has made the decision to scrap its HealthSMART system, which was years overdue and had run hundreds of millions of dollars over budget.

HealthSMART was launched in 2003 and had been designed to run as a single electronic foundation for the state's public health service. The single platform would combine a finance system, as well as patient-management and clinical-applications services.

However, Health Minister David Davis today confirmed that the government had scrapped the continuation of the roll-out of HealthSMART, with the government to now work on a hospital-by-hospital basis, to set up individualised systems.

Davis said the government is determined not to "throw more good money, after bad" and would set up an expert panel to advise it on the best way to upgrade the hospital information and communication technology (ICT) systems.

"In those hospitals where it has been put in place or partially put in place, health services will make their decisions from that position, but going forward, beyond that, health services will be able to examine what is appropriate for their particular service," he said.

The new ICT projects would be paid for through the $100 million innovation fund, allocated in this month's Budget.

The road to the system's cancellation is one littered with blowouts and delays; $323 million was originally budgeted for the system and a deadline for completion was set for the end of 2007.

Administrative issues and bureaucratic headaches saw the system miss its initial deadline. The government laid out hundreds of millions of dollars in additional funding, eventually taking the project's final bill to a total of $566 million, although the system is only operational in four health services.

When the Baillieu-led coalition government delivered its first state Budget, State Treasurer Kim Wells tore the delayed systems implementation to proverbial shreds, blaming it and the troubled Myki public transport ticketing project for heavily contributing to the state's $7 billion debt figures.

"Major projects inherited by this government - including Myki ... and HealthSMART - face significant cost overruns, which total around $2 billion, and have further contributed to the run-up of debt," the treasurer said in May, last year.

Despite the bashing, HealthSMART received an additional $6.7 million in funding in the most recent Budget.

Categories: Security

Atlassian warns of critical security flaw

The Register - Security - Fri, 2012-05-18 16:50
Confluence customers urged to upgrade

Atlassian has warned of a critical security flaw in its Confluence product.…

Categories: Security

US, Australia team up on cybersecurity

ZDNet Australia - Security - Fri, 2012-05-18 16:47

Attorney-General Nicola Roxon today said that the US and Australia have agreed on a statement of intent to increase collaboration on cybersecurity.

"The new and emerging challenges of a digital economy were the subject of recent talks in Canberra between myself and secretary [of the US Department of Homeland Security, Janet] Napolitano. And yesterday, in Washington, we built upon those discussions," Roxon said in a statement.

Countries are ever more reliant on critical infrastructure, such as telecommunications, she said, which are the backbone of increasingly important online commerce. Because of this, Australia and the US have to increase their resilience to malicious activity, she said.

"This statement will lead to increased collaboration between the two countries on critical infrastructure, particularly digital control systems."

Australia and the US will now share information on operational security between their national cyber-incident teams, exchange security best practices for IT and industrial-control systems, work together on cybersecurity exercises and encourage training and education on security.

Officials will meet to decide on a timetable of work, and to uncover issues that might arise. The governments have previously signed statements for increased intelligence sharing and easier travel between the countries.

Categories: Security