Adobe Updates Reader, Acrobat

April 21, 2011

Adobe has released new versions of its Reader and Acrobat products, to address the recently-discovered Flash vulnerability [CVE-2011-0611].  (This is the same flaw that Adobe patched in Flash Player last Friday.)  Updates are available for the following affected versions of the software:

  • Adobe Reader X (10.0.1) and earlier versions for Windows
  • Adobe Reader X (10.0.2) and earlier versions for Macintosh
  • Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh

Adobe specifically says that Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this vulnerability.  More details are available in the Adobe Security Bulletin [APSB 11-08].

For users of Reader 9.x, the new version is 9.4.4. For users of Reader X (10.x) on Macintosh, the new version is 10.0.3.   Reader X for Windows is not being updated at this time; Adobe says that the Protected Mode feature in that version will keep the exploit from executing.

You can get the new version using the built-in update mechanism (Help > Check for Updates), or you can download the updates manually for Windows or Macintosh  (Intel or PPC). Note that this is an update package, not a complete new installation, so it will not work unless you have the most recent previous version installed.   See the Security Bulletin for  download links to the Acrobat updates.

There is evidence that this vulnerability is being exploited in targeted attacks; I encourage you to update your systems as soon as you can.

Spear Phishing in Tennessee

April 20, 2011

Looking at the evolution of cyber attacks over the years, beginning with the “Morris” Internet worm in 1988, and up to the present, one thing that stands out is the increase in the professionalism of the attacks.   By this, I don’t mean the technical sophistication of the attacks — though that has grown, too — but rather in the overall effectiveness of the operation.  Early attacks were often carried out as a sort of intellectual exercise (as the Morris worm seemingly was), or as pranks by socially- and hygienically-challenged adolescents.  Today, many attacks are part of organized criminal enterprises (to steal credit card numbers, for example), or are at least suspected of being mounted by governments.  More than ever, there is an “arms race” between the attackers and the security people charged with protecting systems.

Even highly sophisticated target organizations have been successfully attacked.  According to a post on the “Threat Level” blog at Wired,  the latest victim of a targeted attack was the Oak Ridge National Laboratory [ORNL], in Tennessee.

The Oak Ridge National Laboratory was forced to disconnect internet access for workers on Friday after the federal facility was hacked, and administrators discovered data being siphoned from a server.

The attack was an instance of “spear phishing”. Phishing is a general term for attacks that attempt, often via E-mail, to elicit personal information (e.g., credit card numbers, bank account details, or passwords) from users under false colors. Spear phishing is used to describe attacks that are targeted at particular individuals or groups (often, employees of a given organization). The ORNL attack was a fairly standard example.

According to [Thomas] Zacharia [deputy director of ORNL], the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users’ machines.

The IE vulnerability used was patched by Microsoft on April 12 [MS11-018]; this incidentally highlights that today’s attackers typically need only a short window of opportunity to mount a successful attack.   The E-mail message was sent to slightly more than 10% of the lab’s ~5,000 staff, and only 57 clicked on the link, but that was enough for the malware payload to install itself and gain a foothold on ORNL’s network.

The lab says that only a “few megabytes” of data were successfully extracted by the attackers; however, the incident is undoubtedly embarrassing, given that cyber security is one of the lab’s specialties.

The lab’s science and technology research includes work on nuclear nonproliferation and isotope production. The lab, ironically, also does cybersecurity research focusing on, among other things, researching malware and vulnerabilities in software and hardware as well as phishing attacks.

The incident is still being investigated.

YouTube Will Serve Up WebM Video

April 20, 2011

I’ve posted a couple of articles here about Google’s WebM project to create an open Web video standard, one unencumbered by patents.  Google appears to have been making steady, if unexceptional, progress on the project.

Google, of course, owns one of the Internet’s major video sites: YouTube, which has been making WebM versions of some recently uploaded content available.  Now, in a post at the official YouTube Blog, the company has announced that it is in the process of making all of its video content available in the WebM format; this is, obviously, a very considerable project.

Transcoding all new video uploads into WebM is an important first step, and we’re also working to transcode our entire video catalog to WebM. Given the massive size of our catalog – nearly 6 years of video is uploaded to YouTube every day – this is quite the undertaking. So far we’ve already transcoded videos that make up 99% of views on the site or nearly 30% of all videos into WebM.

Google is one of the few firms in the world with the computing infrastructure to undertake this sort of job as a sort of background task.  It enables them to shift processing resources in response to user demand.

It works like this: at busy upload times, our processing power is dedicated to new uploads, and at less busy times, our cloud will automatically switch some of our processing to encode older videos into WebM.

Google also says that it will continue to support the H.264 codec, as well as an HTML 5 video player now under development.  (H.264 is covered by patents, and subject to royalties, at least potentially.)  Even with Google’s resources, transcoding the entire YouTube video inventory is a sizable undertaking.  It is another indication that they are very serious about WebM.

PJ Bows Out

April 19, 2011

A little over a week ago, on Saturday, April 9, there was a message posted at the Groklaw blog, which in a small way marks the end of an era. The message was posted by Pamela Jones, known affectionately to many of us as PJ, the founder of the site back in 2003, and editor and prime mover ever since. PJ announced that she would stop publishing new material on Monday, May 16, because the original impetus behind the site, the lawsuit brought by SCO Group against IBM over Linux, is now essentially a dead letter.

I have decided that Groklaw will stop publishing new articles on our anniversary, May 16.

I know a lot of you will be unhappy to hear it, so let me briefly explain, because my decision is made and it’s firm. In a simple sentence, the reason is this: the crisis SCO initiated over Linux is over, and Linux won. SCO as we knew it is no more.

In that lawsuit, SCO sought damages of $2 billion from IBM, on the grounds that IBM’s distribution of the open-source Linux operating system violated SCO’s intellectual property rights in UNIX, which it had acquired after a series of transactions.  (Groklaw has an “SCO Overview” page that links to articles on different aspects of this complex proceeding.  There is also a summary of SCO v. IBM, the core of the saga, although it ultimately involved many other players, including AutoZone, Red Hat, Daimler-Chrysler, Novell, and Microsoft, among others.)

Many of us who have been involved in some way with the open-source community, and with Linux in particular, felt that the suit was groundless, but were not really familiar with the applicable laws and legal procedures relevant to this type of action.  Although IBM certainly has extensive legal resources (and it seemed in that sense crazy for SCO to take on IBM), the history of UNIX itself is sufficiently complicated¹ that lawyers without a technical background would find the going difficult.   PJ, who was an experienced paralegal, started Groklaw to provide a forum for the techies and lawyers to put their heads together.  (The first part of the name, “Grok”, is from Robert Heinlein’s classic science fiction novel, Stranger in a Strange Land, where it is introduced as a Martian term meaning to understand deeply.)   Despite personal attacks from SCO and some of its shills, PJ persevered, providing along the way an enormous amount of lucid explanation of how the legal process was unfolding.

The result has been truly impressive: the Groklaw site lays out, in detail and together with supporting documents, the whole history of SCO v IBM and all the related legal action.   It is the first instance I know of where the collaboration methods of open-source software were used to analyze a legal case.  PJ and Groklaw richly deserved the Free Software Foundation’s Free Software Award that it won in 2008.  I am very glad to say that, although new articles will not be added after mid-May, the site itself will continue in existence.  If you are interested at all in this area, it is a resource well worth your time to explore.

Bruce Byfield also has a “Eulogy for Groklaw” article at Linux Pro magazine.


¹ I have posted a couple of previous articles on UNIX history.  For those who are interested in more detail, Groklaw has a copy of Dr. Peter Salus’s excellent book, The Daemon, the GNU, and the Penguin, which relates this history and its relation to the development of Linux as a “work-alike” system.  The book is also available in softcover, published by Reed Media Services, ISBN 097903423X.

Oracle to Make OpenOffice Community-Based

April 18, 2011

Back in September of last year, I posted a note here about the fork of the OpenOffice productivity suite development, and the establishment of the non-profit Document Foundation and its associated LibreOffice project. The OpenOffice suite, which began life as StarOffice, a product of the German software developer Star Division, was acquired by Sun Microsystems in 1999, and subsequently by Oracle as part of its acquisition of Sun. Much of the impetus for the split came from widespread suspicion of Oracle’s commitment to maintaining the suite as an open-source project. Many organizations from the open-source world, including influential Linux distributions like Ubuntu, have switched to LibreOffice as their base office suite.

Now, according to an Oracle press release at MarketWire, Oracle has decided to turn OpenOffice back into a fully community-based, open-source project.  Oracle will, apparently, no  longer offer a commercial version of OpenOffice.

“Given the breadth of interest in free personal productivity applications and the rapid evolution of personal computing technologies, we believe the project would be best managed by an organization focused on serving that broad constituency on a non-commercial basis,” said Edward Screven, Oracle’s Chief Corporate Architect.

Oracle has said that it remains committed to support of the Open Document format [ISO/IEC 26300] standard.  The company also has a blog post on this announcement.

Update Monday, 18 April, 22:45 EDT

There is also an article at Ars Technica on Oracle’s announcement, which gives some of the background, and also points out that Oracle’s insistence on maintaining complete control of the project may have helped boost LibreOffice.

The community defections eventually made OOo financially untenable for Oracle, which is why the company has finally thrown in the towel. Oracle says that it is ready to hand over control of the project to the community, but doing so at this point would be little more than a symbolic gesture; the community has already moved on of its own accord.

Oracle now has little choice but to abandon its commercial ambitions for OOo because the growing momentum of the more inclusive LibreOffice fork is making OOo irrelevant.

When the Document Foundation was launched, the group’s leaders invited Oracle to participate, an idea the company rejected.

Watson’s Technology Used for Neonatal Care

April 17, 2011

Earlier this year, I wrote a number of posts here about IBM’s Watson project, to build a computer system that could compete on the popular TV game show, Jeopardy!.   Now, according to an article at Technology Review, a system using some of the same technology in Watson is being deployed to assist in caring for infants in a neonatal ICU at a hospital in Toronto.  Dr. Carolyn McGregor, an associate professor at the University of Ontario Institute of Technology, says that the system attempts to interpret and analyze a constant stream of information produced by monitoring equipment in the ICU.

McGregor leads a project that has developed software to ensure that no scrap of that data goes to waste. At the neonatal ICU of the Hospital for Sick Children in Toronto, that software, dubbed Artemis, collects data from eight infant beds. The system can monitor the baby’s electrocardiogram, heart rate, breathing rate, blood oxygen level, temperature, and blood pressure. It can also access data from medical records, such as the baby’s birth weight. McGregor and colleagues are developing algorithms that use those signals to spot signs of hospital-borne infection before doctors and nurses do.

The conventional method of monitoring the infants’ condition is to record data from the monitors periodically. This, according to the article, tends to produce a high false-positive rate in infection diagnosis; one might surmise that this stems from an excess of caution, because the medical staff knows that a short-term symptom might be missed.

“The processing paradigms we had before just didn’t fit with the kind of streaming data we are dealing with,” says McGregor. Software has traditionally performed analysis by systematically scouring a fixed, well-organized store of data, like a person navigating the stacks of a library, she explains.

The system uses an IBM technology called InfoSphere Streams, which allows parallel processing of several concurrent sources or “streams” of data. Just as the Watson system was able to launch many concurrent analytical algorithms to seek the answer for a single Jeopardy! clue, the Artemis system can deal with the parallel data streams produced by the range of medical monitors. Although the system is being tested on a small scale now, the hope is that the technology can be developed into a remote diagnostic resource for ICUs in many places.

IBM is also continuing work on other projects to deploy the lessons learned from Watson to medical diagnosis.

Although there will undoubtedly be many kinks to be worked out along the way, I have a feeling that systems like Artemis, and Watson, are going to become much more common in the near future.  As I’ve noted before, there have been significant improvements in machine translation, stemming from the adoption of more empirically and statistically based approaches, and less emphasis on trying to specify a complete set of formal language rules in advance.  Likewise, I suspect that we will begin to build what we might regard as truly intelligent systems, when they start working more like real brains seem to work.

Adobe Updates Flash Player

April 15, 2011

As Adobe indicated earlier this week, they have now released an updated version of their Flash Player, which addresses the recently-discovered security vulnerability. The new version of the player,, is available for Mac OS X, Linux, Windows, and Solaris. (Users of the Google Chrome browser should note that this update is incorporated in the new version of Chrome, released yesterday.)

More information on the update is available in the Adobe Product Security Bulletin [APSB 11-07]. (This bulletin also applies to Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux.)  Adobe has also updated the Security Advisory [APSA 11-02] to reflect this new information.

You can obtain the new version of Flash Player from the Adobe Download Center; alternatively, Windows users can use the auto-update mechanism within the product.

Flash Player is a very popular attack vector for the Bad Guys; I recommend that you install this update as soon as you conveniently can.
