Security Updates to Google Chrome

March 24, 2011

Google has released another new version, 10.0.648.204, of its Chrome Web browser, for Windows, Linux, Mac OS X, and Chrome Frame.  This version fixes six serious security vulnerabilities.  It also includes support for the password manager on Linux, as well as miscellaneous performance and stability fixes.  More information is in the Release Announcement on the official Chrome Releases blog.

I recommend installing this update as soon as you conveniently can. Windows users can obtain the new version via the built-in update mechanism (Help / About Google Chrome). Linux users should be able to get the new version using standard package update tools (e.g., apt-get, synaptic).

Security Update for Adobe Flash

March 24, 2011

Last week, Adobe issued a Security Advisory about a new critical vulnerability in its Flash Player; Adobe’s AIR product is also affected.   The company has now, as promised, released a new version of the player, for Windows, Mac OS X, Linux, and Solaris systems, that incorporates a fix for the vulnerability.  A new version of AIR, 2.6, has also been released.  The complete list of affected software versions, according to Adobe, is:

  • Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player and earlier for Chrome users
  • Adobe Flash Player and earlier for Android
  • Adobe AIR 2.5.1 and earlier for Windows, Macintosh and Linux

More details are available in the updated Security Bulletin [APSB 11-05].

Updated versions of Flash Player can be downloaded from the Adobe download page.  Windows users can, alternatively, use the update mechanism built into the package.  Windows users should also note that they may need two updates: one for Internet Explorer, and one for all other browsers.  The Google Chrome browser comes with the Flash Player included; Chrome users should be sure that they have at least version 10.0.648.134.   (Google released this version, and the later 10.0.648.151, last week.)   Android users can get the new version from the Android Marketplace.

Users of the AIR package can download the new version here.

Because of its security content, I recommend that you install this update as soon as you conveniently can.

Mozilla Releases Firefox 4

March 23, 2011

The Mozilla organization has released a new major version of its Firefox Web browser, Firefox 4, for Mac OS X, Windows, and Linux.  This release contains many new features, which are listed in the Release Notes; some of the more significant changes include:

  • A new, faster JavaScript engine
  • Support for the “Do Not Track” header
  • Inclusion of Firefox Sync, which allows you to keep bookmark lists on different devices synchronized
  • Improvements to HTML 5 support
  • Better utilization of graphics hardware

You can download the new version, in many different languages, from this download page.

Update Thursday, March 24, 15:00 EDT

The Internet Storm Center, run by the SANS Institute, has an interesting diary entry on new security features in Firefox 4.

Mozilla has also released a new version, 3.6.16, with security updates, for those who are not quite ready to move to the new major version; the Release Notes for 3.6.16 have more details.

Reality SATs?

March 20, 2011

Taking the SAT test is one of the traditional rites of spring for high school students.  It seems that, in a test administration given last weekend, the essay question on some students’ exams has generated some controversy.  (For readers of my approximate vintage who may not know, the SAT was changed in 2005 to include an essay section.  We didn’t have that; you are not having a middle-aged moment.)  It seems that the essay question, or “prompt”, was related to the recent rapid growth in popularity of “reality television” shows.

Many of the negative comments from parents about this question ran more or less along the lines of, “My kid is serious and works hard; (s)he doesn’t have time to watch reality TV.”    There were also similar comments from students.  The College Board, which administers the SAT, said that the prompt contained sufficient information to write a top-scoring essay, and did not require any detailed knowledge of reality TV shows.  Here is the actual question from the exam, as quoted in the Washington Post:

Reality television programs, which feature real people engaged in real activities rather than professional actors performing scripted scenes, are increasingly popular. These shows depict ordinary people competing in everything from singing and dancing to losing weight, or just living their everyday lives.

Most people believe that the reality these shows portray is authentic, but they are being misled. How authentic can these shows be when producers design challenges for the participants and then editors alter filmed scenes?

Do people benefit from forms of entertainment that show so-called reality, or are such forms of entertainment harmful?

In this particular case, I think the College Board has the better argument.  Recall that the purpose of the essay section is to evaluate the student’s ability to formulate an argument, and express it in writing.  I certainly don’t watch reality TV shows — I can’t stand them — but I think I could write an acceptable essay on the basis of this question.  (In fact, I did talk about them a little in the context of the Colorado “Balloon Boy” back in the fall of 2009.)  I also have a bit of difficulty believing that there are high school students leading such sheltered lives that they have never seen one of these shows.   What I find a little disturbing about some of the complaints is the underlying notion that the essay had to be mainly an exercise in regurgitating facts, rather than an expression of ideas.

Alexandra Petri has an amusing blog post at the Washington Post site, on how this will affect the obsessive parent.

Where Does Science Come From?

March 20, 2011

The “Physics arXiv” blog at Technology Review has an interesting report on a new look at the geographic distribution of scientific research [abstract, PDF available], carried out by Lutz Bornmann at the Max Planck Society in Munich and Loet Leydesdorff at the University of Amsterdam.  The two researchers started with bibliometric data, giving the number of times scientific papers were cited in other research work, and combined them in a “Mash-up” with Google Maps, giving a graphic display of where scientific innovation occurs (to the extent that the citation data captures this, of course).  They also compute a simple measure of the proportion of widely-cited papers (defined as the top decile in citations) to the total number of papers cited.  They have produced maps for papers in physics, chemistry, and psychology; dark green circles show locations with a high proportion of widely-cited papers relative to the total.  The size of the circle is proportional to the total number of papers.  (The initial view of these shows the whole world, which makes seeing details difficult, but they can be zoomed and panned, like any Google map.)

The results don’t reveal anything drastically different from what one might have expected.  There are some places, not especially large (e.g., Cambridge, England and Princeton, NJ) that produce a higher than expected proportion of widely-cited papers.  On the other hand, Moscow produces a lot of physics papers (big circle), but a lower than expected number of widely-cited ones (red circle).

The citation data, of course, is certainly not the last word on the relative importance of scientific research.  But it is interesting to see the data presented in this way.  If nothing else, it seems to suggest that the fear that the US and Europe are somehow “falling behind” in research is a bit overblown.

Sanitizing Solid-State Disks

March 18, 2011

I’ve posted here a number of times about the security risks inherent in keeping confidential data in digital form, citing, for example,  incidents involving data base hacks and laptop carelessness. We’ve also looked at the risks of data left on discarded hardware, and even data that may be left on digital photocopiers.   There are various ways of reducing these risks, ranging from encryption of the stored data to physical destruction of the media before disposal.   The US government has standards for “sanitizing” hard disk devices, which typically require that data blocks be overwritten several times with binary patterns.

The introduction of new technologies often presents new problems, or old problems in a new light.  According to a presentation at the Ninth USENIX Conference on File and Storage Technologies [FAST ’11], held in February, the growing use of solid-state disk [SSD] devices has added some new challenges to the job of making sure sensitive data is rendered unrecoverable.  The paper [PDF], by a group of researchers at the University of California at San Diego, shows that the differences in storage technology and access methods between conventional disk drives and SSDs mean that techniques used to sanitize conventional drives are not necessarily effective for SSDs.

Rather than using rotating magnetic platters, SSDs use flash memory chips to store data.  They typically also include an indirection layer between the logical [disk] block addresses used by the OS, and the idiosyncratic physical access methods used by the flash hardware.  The additional indirection also enhances performance and spreads “wear” more evenly across the SSD — flash memory tolerates many fewer write cycles over its lifetime than a conventional disk.  Furthermore, flash memory typically cannot update data in place, but has to record a new copy while marking the old version invalid.  Some SSD devices also have additional shadow storage locations, not directly visible to the host system.  All of these factors make the traditional overwriting approach problematic, and the tests carried out by the researchers demonstrated that, although overwriting sometimes worked, it was not viable in all cases.  (They used a purpose-built flash chip reader to verify the contents of the device.)

One solution that is offered by some manufacturers is a “secure erase” command; commands of this type are part of the standard ATA and SCSI command sets.  This, if implemented correctly, is a good solution; unfortunately, out of nine SSD devices the team tested, only four supported the secure erase operation and performed it correctly.  Other devices either did not support secure erase, or it failed to work; one drive reported success, but left all of the data intact.

Another potential solution builds on the [good] idea of keeping the data encrypted.  Some drives offer the capability of hardware encryption of all data written; the encryption key is stored in the device’s “private” storage.  In principle, assuming the encryption is reasonably robust, destroying the key in private storage will render the data effectively inaccessible.  One attractive feature of this approach is speed; the key destruction operation is typically an order of magnitude faster than a secure erase.   This requires, though,  that the device securely remove the key, without leaving open any avenues for other, side-channel attacks.  Unfortunately, it is difficult or impossible to verify that this operation has been correctly performed.

Finally, the researchers found that no existing techniques were adequate to sanitize individual files on SSD devices.

In an earlier paper [PDF], two of the researchers, Michael Wei and Steven Swanson, have proposed a new technique, which they call SAFE [“Scramble and Finally Erase”], for reliably sanitizing SSDs.  The procedure involves encrypted data storage; when the drive is to be sanitized, the encryption key is destroyed first, then each block on the device is erased.  The authors propose this as a general approach for sanitizing SSD devices.
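To make the two points above concrete (the indirection layer leaving stale copies that a host-level overwrite never touches, and the SAFE order of operations: destroy the key, then erase every block), here is a toy model of an SSD’s flash translation layer.  It is an added illustration written for this post, not code from the UCSD researchers or from any drive vendor; the class, its XOR “encryption” standing in for the real AES a self-encrypting drive would use, and the sample secret are all constructed.

```python
import os

class ToySSD:
    """Toy flash translation layer: logical block -> physical page map,
    out-of-place writes, optional at-rest encryption with a drive key."""
    def __init__(self, pages=8, page_size=16, encrypt=False):
        self.page_size, self.flash, self.l2p = page_size, [None] * pages, {}
        # key lives in the drive's "private" storage; None = no encryption
        self.key = os.urandom(page_size) if encrypt else None

    def _xform(self, data):
        # XOR with the key: a stand-in for the AES a real drive would use
        return bytes(a ^ b for a, b in zip(data, self.key)) if self.key else data

    def write(self, lba, data):
        """Flash cannot update in place: allocate a fresh page and leave the
        old one on the chip, marked invalid but still there for a chip reader."""
        data = data.ljust(self.page_size, b"\0")[: self.page_size]
        free = self.flash.index(None)
        self.flash[free] = self._xform(data)
        self.l2p[lba] = free

    def read(self, lba):
        return self._xform(self.flash[self.l2p[lba]])

    def raw_dump(self):
        """What a purpose-built flash chip reader sees: every written page,
        including those the logical map no longer points at."""
        return [p for p in self.flash if p is not None]

    def destroy_key(self):
        self.key = None

    def erase_all(self):
        self.flash, self.l2p = [None] * len(self.flash), {}

def remnant_after_overwrite(secret=b"SSN 000-00-0000", filler=b"\0" * 16):
    """Host-level overwrite of one LBA (constructed secret).  Returns True if
    the host sees the filler yet the secret is still present in raw flash."""
    ssd = ToySSD()
    ssd.write(0, secret)
    ssd.write(0, filler)
    return ssd.read(0) == filler and any(secret in p for p in ssd.raw_dump())

def safe_sanitize_verified(secret=b"SSN 000-00-0000"):
    """SAFE-style sanitize: destroy the key first, then erase every block.
    Returns (plaintext visible after key destruction, pages left after erase)."""
    ssd = ToySSD(encrypt=True)
    ssd.write(0, secret)
    ssd.destroy_key()
    leaked = any(secret in p for p in ssd.raw_dump())
    ssd.erase_all()
    return leaked, len(ssd.raw_dump())
```

The `raw_dump` check is the part worth keeping in mind: a drive reporting success is not the same as the chip being empty, which is exactly what the researchers’ chip reader was for.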

Solid-state disks are a relatively new technology, and I expect the implementation of capabilities like secure erasing to improve.  But this should serve as a reminder that, where security is concerned, we mustn’t take anything for granted.

Oh, by the way: just as with conventional disks, a sledgehammer works nicely on SSDs.  

Ars Technica also has an article summarizing some of these results.

Google Chrome Update for Today

March 17, 2011

Google has once again released a new version of its Chrome browser, 10.0.648.151, for all platforms (Windows, Linux, Mac OS X, Chrome Frame).  The announcement, in the Chrome Releases blog, says that this update “blacklists a small number of HTTPS certificates”.  (These certificates are the cryptographic credentials used in establishing secure browsing sessions.)    Without more details on what has been blocked, it’s difficult to assess how important this update is; it’s worth having, but I know of no special urgency involved.

Windows users can obtain the new version via the built-in update mechanism (Help / About Google Chrome). Linux users should be able to get the new version using standard package update tools (e.g., apt-get, synaptic).
