Another Flash Vulnerability: Update

April 13, 2011

On Monday, I posted a note about a new vulnerability in Adobe’s Flash Player.  It affects the browser plug-in, and also other Adobe products, such as Reader and Acrobat, that incorporate Flash Player functionality.  At that time, Adobe had not released a timetable for providing a fix.

Adobe has now published an updated Security Advisory [APSA11-02], as well as a post at the Adobe Product Security Incident Response Team blog, updating its plans for releasing a fix for this vulnerability.  An update for Flash Player (including the browser plug-ins), probably the most exposed of the affected components, is scheduled to be released this Friday, April 15.  Updates for the other affected Adobe products are also scheduled:

We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, and Solaris on Friday, April 15, 2011. We expect to make available an update for Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh no later than the week of April 25,

This is, potentially, a very serious vulnerability; I will post a note here when a patch is actually available.  Those of you who use Google’s Chrome browser, which bundles its own copy of Flash Player, should also expect an update on or before Friday; I’ll post a note about that, too, as soon as I have any definite information.


High-Value Recycling

April 13, 2011

Bruce Schneier has a post at his Schneier on Security blog (link in the side bar) that refers to another instance of a security problem created by good old-fashioned human error.  As is the case with virtually every currency, the monetary authorities responsible for the Euro, the official currency of the Euro-zone (the majority, but not all, of the members of the European Union), have a process in place to remove worn-out or damaged coins from circulation.  The coins are then “destroyed” (as coins), and the materials sold to scrap metal dealers.  (This of course assumes that the recovered materials are worth less than the face value of the coin; this is usually, but not always, the case.)

This is fine in principle; however, as the linked article from Der Spiegel relates, the implementation of the process left something to be desired in terms of security.  The problem stems, in the first instance, from the design of the €1 and €2 coins.  As you can see in the photo below, these coins are bimetallic, made up of an inner disc surrounded by an outer ring.  (The photo shows the side of the coins that is common to all issues, regardless of nationality.)

Illustration of Euro Coins


Apparently the “destruction” procedure used for these coins sometimes just separated the inner disc from the outer ring, and the resulting pieces were then sold to dealers in China for recycling.  In other words, the destruction was reversible: nothing prevented the two pieces from being put back together.  Some of the Chinese firms carried out the “recycling” by doing exactly that (Krazy Glue, anyone?), and then sending the reassembled coins back to Germany via accomplices among Lufthansa flight crews.  The accomplices would then turn in the reconstructed coins at the German Bundesbank, in exchange for new ones.  The Bundesbank was not chosen as a redemption point at random.

According to a Thursday statement by the Frankfurt public prosecutors, the German Bundesbank is the only place in Europe which exchanges damaged coins for free. The bank accepts such coins in bags containing up to €1,000 worth of coins. They are weighed rather than counted and only periodically checked.

Apparently, the scam was finally uncovered when a German customs officer noticed an airline employee struggling with a very heavy suitcase, which, when opened, turned out to contain thousands of re-assembled coins.  Note that it was not the redemption process itself, which weighed the bags rather than inspecting the coins, that caught the fraud.


Texas Data Breach

April 13, 2011

Down in Texas, they like to talk about doing things big.  Apparently, that extends to security screw-ups, too.  According to an article at the ThreatPost security blog, published by Kaspersky Lab, the Texas Comptroller’s office left the personal data of some 3.5 million individuals exposed on a publicly accessible server, and did not notice for more than a year.

The Texas Comptroller’s Office is issuing letters Wednesday to some 3.5 million citizens after personally identifiable data was left exposed to the public on a state server for more than a year, according to a published statement. The exposed data included the names, addresses, Social Security Numbers and driver’s license numbers of citizens, many of them current and former State employees.

The data, which was intended for use in a system to track unclaimed property, had been transferred from other state agencies, put on a server at the Comptroller’s Office, and then forgotten.  The bulk of it came from the Texas Workforce Commission, the Teacher Retirement System of Texas, and the Texas Employees’ Retirement System.  According to the article, the state’s administrative rules specify that data transferred like this should first be encrypted, but that rule was apparently ignored, along with other unspecified internal procedures.  Note that the rule the article cites covers the transfer; what ultimately exposed the data was leaving it, unencrypted, on a server that the public could reach, and then losing track of it for over a year.

The agency is, of course, playing down the importance of the incident, although it has set up a mechanism for citizen inquiries.

The Texas Comptroller’s Office said it has no evidence the data was stolen or misused. Still, the agency has set up a website and toll-free phone line (1-855-474-2065) to provide additional details and recommended steps and resources for protecting identity information.

All of us who are involved in security spend a good deal of time talking about technical issues, software flaws, and other esoterica.  Neither of the two items above involved a software flaw at all: a “destruction” process that could be reversed, a redemption process that weighed bags instead of inspecting coins, and a server full of unencrypted personal data that everyone forgot about.  We all need to remember that good old-fashioned, garden-variety incompetence and stupidity are the biggest security threats of all.
