Microsoft Re-Issues Security Bulletin MS12-078

December 21, 2012

Microsoft originally released security bulletin MS12-078 as part of its regular monthly patch bundle on Tuesday, December 11.   The bulletin, rated as Critical severity, addressed a flaw in the handling of TrueType or OpenType font files by kernel-mode drivers in Windows.  The bulletin included two patches, identified by Microsoft Knowledge Base numbers KB2753842 and KB2779030.

Microsoft has now re-issued Security Bulletin MS12-078, including an updated version of the KB2753842 patch.  According to Microsoft, the originally-issued patch does resolve the security vulnerability, but introduces some other problems with the handling of OpenType fonts.

Microsoft re-released this bulletin to address a known issue in the KB2753842 update related to OpenType Fonts (OTF) not properly rendering in applications after the original update was applied. Customers who have successfully installed the original KB2753842 update are protected from the vulnerability described in CVE-2012-2556. However, customers need to install the rereleased KB2753842 update to resolve the issue with improper OpenType font rendering and to keep the affected binaries up to date.

Download links for the patches are given in the updated Security Bulletin.  I do suggest that you apply the updated patch, even if you applied the original version; having old, slightly odd versions of system software hanging around is asking for trouble.

HTML 5 Now “Feature Complete”

December 20, 2012

Earlier this week, the World Wide Web Consortium [W3C] announced that the definition of HTML 5  and the accompanying Canvas 2D graphics specification are now “feature complete”.

The World Wide Web Consortium (W3C) published today the complete definition of the HTML5 and Canvas 2D specifications. Though not yet W3C standards, these specifications are now feature complete, meaning businesses and developers have a stable target for implementation and planning.

This means that the set of capabilities to be provided is now, essentially, frozen.  These definitions are not yet official Web standards, but they now have “Candidate Recommendation” status; the focus of work going forward will be on testing and checking inter-operability.  Web developers would, ideally, like to have a set of standards that is implemented equally in all browsers.  Having a feature-complete standard means that all the browser makers have a common target to aim for.

During this stage, the W3C HTML Working Group will conduct a variety of activities to ensure that the specifications may be implemented compatibly across browsers, authoring tools, email clients, servers, content management systems, and other Web tools. The group will analyze current HTML5 implementations, establish priorities for test development, and work with the community to develop those tests.

Innovation and creativity on the part of browser makers has helped drive the development of the Web; having standards helps avoid a chaotic mess of incompatible implementations.

Google Updates Chrome for Mac

December 17, 2012

Google has released a new version, 23.0.1271.101 , of its Chrome browser for Mac OS X.  According to the Release Announcement, this fixes a Mac-specific bug in audio processing.  You should get the new version via the built-in update mechanism.

Ken Jennings v. Lore

December 16, 2012

In the course of writing this blog, I’ve referred to articles from quite a few different publications.  Until now, though, I have not referenced Parade magazine — the color supplement that comes in the advertising package with the Sunday Washington Post, and other papers.  It is not, frankly, a publication that I expected to be citing.  But this week, Parade has an article by Ken Jennings, the Jeopardy! game show champion†, addressing, and debunking, some hoary chestnuts of folk wisdom, the kind I refer to as “lore”, that parents often tell their children, without necessarily wondering whether or not they are true.  As Jennings puts it:

That’s the dirty secret of parenting: It’s a big game of Telephone, stretching back through the centuries and delivering garbled, though well-intentioned, medieval bromides to the present.

[“Telephone” is the American name for the game called “Chinese Whispers” in the UK.]

I suspect most readers will have heard most of these precepts at one time or another:

  1. “Stay away from the poinsettia! The leaves are poisonous.”
  2.  “No swimming for an hour after lunch. You’ll cramp up.”
  3. “When you start shaving, the hair will grow in thicker.”
  4. “Don’t eat snow—it’ll make you sick!”
  5. “Drink eight 8-ounce glasses of water a day.”
  6. “It’s too dark in here. You’ll hurt your eyes.”
  7. “You are a special little snowflake.”
  8. “You need hydrogen peroxide on that.”
  9. “Take off the Band-Aid to let your cut air out.”
  10. “Don’t cross your eyes—they’ll get stuck like that!”
  11. “No soda! The sugar makes you hyper.”
  12. “Don’t wake a sleepwalker.”
  13. “Most of your body heat escapes through your head!”
  14. “You’re not fat. You’re just big-boned.”
  15. “If you pick up a baby bird, its mommy will reject it.”

Some of these, such as numbers 3 and 7, are just more or less harmless nonsense.  Others — number 12, on sleepwalking, is an example — embody basically correct conclusions for the wrong reasons.  (In this, they resemble the frequently given advice to get into a car in a lightning storm.)  Others are just nonsense from top to bottom.

For example, I have heard many people express their belief in number 5, the idea that one needs to drink eight 8-ounce glasses of water every day.  As Jennings points out, many of these people have lost sight of the considerable amount of water that we take in every day in the form of food.   I’ve also heard the advice, mentioned in the article, that liquids like coffee or beer, don’t count, because the caffeine or alcohol acts as a diuretic.  At some level, this is true: if you drink a quart of straight whisky at one sitting, you probably will get a bit dehydrated, among other things.  On the other hand, the effect does have something to do with relative amounts: if I put one teaspoon of whisky, or coffee, into ten gallons of water, I am quite confident that you can drink as much of the resulting mixture as you want with no risk of dehydration.

One might argue that none of these adages is especially pernicious, so little harm is done.  But getting people to behave rationally, even once in a while, seems to be hard.  Reinforcement of irrational thinking is hardly constructive.

As Kin Hubbard said, “Tain’t what a man don’t know that hurts him; it’s what he knows that just ain’t so. ”


† Ken Jennings is a champion of the TV game show, Jeopardy!, who won more consecutive games (74) than any other player.  He was also one of the two human players involved in the Jeopardy! challenge match with IBM’s Watson computer system.

HVAC Hacking

December 15, 2012

I’ve written here a couple of times about some of the security issues associates with industrial control systems, sometimes called SCADA systems (for supervisory control and data acquisition).  These systems, which are used to control the electrical power grid, air traffic, telecommunications, and many other bits of infrastructure, are often connected to the Internet, though some of them were designed for an era of private networking.  Even those systems developed more recently may carry a legacy of design assumptions and implementation techniques that leads to exploitable security vulnerabilities.   The Stuxnet worm, which damaged nuclear centrifuge facilities in Iran, is perhaps the most notable recent example of an exploit.

The Stuxnet worm attacked control systems made by Siemens, but there are many vendors of these systems.  Ars Technica reports an attack against a heating, ventilation, and air conditioning (HVAC) control system in New Jersey.  The information was obtained from an unclassified FBI memorandum [PDF], published by the Public Intelligence web site.

Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.

The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others.

The systems in question apparently contain a network interface that provides direct access to a GUI administrative application, giving the same access as a logged-in system administrator, without requiring a password.  In effect, the only information needed to take control of the system was the IP address (or a URL that points to it) of the Niagara system.  At the New Jersey firm, and apparently at numerous other places, the system was connected directly to the Internet without a firewall.   Subsequent to the start of the attacks against the New Jersey firm, the vendor, Tridium, and ICS-CERT released two advisories [PDFs] on vulnerabilities in the Niagara system.  According to Tridium, more than 300,000 Niagara control systems are installed world-wide; a search by Ars Technica turned up more than 20,000 connected to the Internet.

As I’ve said before, many systems of this type got there start back in the days before ubiquitous Internet connections, and were originally designed with private, controlled networks in mind.  (Having said that, it is hard to understand how anyone, regardless of circumstances, could think that a completely open administrative interface was a good idea.)  As the article points out, connecting these systems to the Internet provides considerable convenience to their operators:

The incident underscores the prevalence of industrial control systems that are connected to the Internet. Security consultants have long considered the practice to be unsafe. Sadly, they say, the convenience of IT employees get from being able to administer those systems from home or other remote locations often trumps security concerns.

Getting that convenience by means of an Internet connection is cheap, in terms of out-of-pocket costs today, but the longer-term bill might be sizable.  I hope it does not take a disaster to get people’s attention.

IBM Announces Silicon Nanophotonics

December 12, 2012

One of the significant trends in recent computer system design has been the growing use of large-scale parallel processing.  From multiple-core CPUs in PCs to massively parallel systems like Titan at Oak Ridge National Laboratory, currently the world’s fastest supercomputer, and IBM’s Watson system, which won a convincing victory in a challenge match on Jeopardy!, the use of multiple processors has become the technique of choice for getting more processing horsepower.

These systems have achieved impressive levels of performance, but their design has its tricky aspects.  If the collection of processors is to work as one system, there obviously must be some mechanism for communication among them.  In practice, the capacity and speed of these interconnections can limit a system’s potential performance.  Even fiber-optic interconnections can be cumbersome with current technology: at each end, electrical signals must be converted to light pulses, and vice versa, by specialized hardware.

On Monday, IBM announced a new product technology that has the potential to remove some of these bottlenecks.   Building on research work originally described by IBM at the Tokyo SEMICON 2010 conference [presentation PDF], the Silicon Integrated Nanophotonics technology allows the fabrication of a single silicon chip containing both electrical (transistors, capacitors, resistors) and optical (waveguides, photodetectors) elements.

The technology breakthrough allows the integration of different optical components side-by-side with electrical circuits on a single silicon chip, for the first time, in standard 90nm semiconductor fabrication. The new features of the technology include a variety of silicon nanophotonics components, such as modulators, germanium photodetectors and ultra-compact wavelength-division multiplexers to be integrated with high-performance analog and digital CMOS circuitry.

IBM says that the technology allows a single nanophotonic transceiver to transfer data at 25 gigabits per second.  A single chip might incorporate several transceivers, allowing speeds in the terabit per second range, orders of magnitude faster than current interconnect technology.

Probably the more significant aspect of the announcement is that IBM has developed a method of producing these nanophotonic chips using a standard 90 nanometer semiconductor fabrication process.  Although I have not seen any specific figures, this has the potential to provide significantly faster and cheaper interconnections than current technology.

The initial deployments of the technology will probably be in large data centers, supercomputers, and cloud services.  However, if IBM has truly licked the manufacturing problem, there is no reason that the benefits should not, in time, “trickle down” to more everyday devices.

Ars Technica has an article on this announcement.

%d bloggers like this: