Yet Another Flash Player Patch

February 26, 2013

Today Adobe released another update to its ubiquitous Flash Player for all platforms (Windows, Linux, Mac OS X) to address what it says are critical security vulnerabilities. The update addresses two identified vulnerabilities (CVE-2013-0643 and CVE-2013-0648); an attacker who exploited these vulnerabilities might cause a system crash, or be able to take control of the affected system.

According to Adobe’s Security Bulletin [APSB13-08], the following versions of the software are vulnerable:

  • Adobe Flash Player 11.6.602.168 and earlier versions for Windows
  • Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.270 and earlier versions for Linux

For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page.  The new version for Mac OS X and Windows is 11.6.602.171; for Linux, the new version is 11.2.202.273.  (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.)   The Flash Player bundled with Google Chrome will be automatically updated to version 11.6.602.171.

There are reports that these vulnerabilities are being actively exploited, primarily in attacks against the Firefox browser running on Windows systems.  The exploit attempts to trick the user into visiting a Web site with malicious Flash content.  Because of this, and because Flash Player has always been an attractive target for the Bad Guys, I recommend that you update your systems as soon as you conveniently can.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) you may use.

Ars Technica has a brief article on this update, which is the third for Flash Player this month.


DEET Resistant Mosquitoes

February 25, 2013

Most readers, I’m sure, are aware that mosquitoes are a transmission vector for a number of rather nasty diseases, including malaria, yellow fever, equine encephalitis, and dengue fever.  The standard advice, in regions where mosquitoes are common, is to keep one’s skin covered, to the extent possible, and to use insect repellent liberally.  One of the most common active ingredients in repellents is a chemical usually referred to as DEET (more formally as N,N-Diethyl-meta-toluamide or [IUPAC] N,N-Diethyl-3-methylbenzamide), an oily compound originally developed by the US military after the experience of jungle warfare in World War II.   Various ideas have been suggested to explain why DEET works; today, the consensus seems to be that insects just don’t like the smell.

However, a report at the BBC News site suggests that DEET’s effectiveness can be reduced because mosquitoes can adapt to it.  One type of adaptation is genetic.  There are always some individual insects that are less susceptible to DEET than average, and heavy use of the repellent creates evolutionary selection pressure favoring that lack of sensitivity.  (This is parallel to the evolutionary process leading to the development of antibiotic-resistant bacteria, or of herbicide-resistant weeds.)   This is a process that takes some time to occur, though mosquito generations are of short duration.

Some recent research indicates that there is another, shorter-term form of resistance that occurs.  Researchers at the London School of Hygiene and Tropical Medicine studied the effect of DEET on Aedes aegypti mosquitoes, which carry dengue and yellow fevers.  The mosquitoes were initially given the opportunity to feed from a human arm which had been covered with DEET; the repellent did, in fact, repel them.  However, when the same mosquitoes were presented with the same opportunity a few hours later, the repellent was significantly less effective.

To try to understand what was happening, the researchers measured electrical activity in the insects’ antennae (the location of the olfactory receptors).  Somehow, the first exposure to DEET de-sensitized the mosquitoes, so that their olfactory response was diminished.  According to Dr. James Logan,

We were able to record the response of the receptors on the antenna to DEET, and what we found was the mosquitoes were no longer as sensitive to the chemical, so they weren’t picking it up as well.

There is something about being exposed to the chemical that first time that changes their olfactory system – changes their sense of smell – and their ability to smell DEET, which makes it less effective.

The research paper [PDF available] has been published at the Public Library of Science, in the journal PLoS One.

More work will be needed to determine how long this short-term effect lasts, and whether it occurs in other species of mosquito.   Using repellents containing DEET is still a lot better than using nothing, but understanding these effects may help us develop even more effective protection.


White House Endorses Open Access Research

February 24, 2013

For a few years now, there has been a growing movement in the research and academic world to provide free or low-cost access to research results.  Traditionally, these results have been under the control of the publishers of academic journals, which charge high annual subscription fees; when access to an individual article is available, it commonly costs $30-40 or more.  I’ve written here several times about the growing trend among organizations, including The Royal Society, Princeton University, the World Bank, and the National Academies Press, to make some or all of their content available at no charge on the Web.   Last summer, the Research Councils UK announced a new open-access policy that applies to all research that they fund, wholly or in part, effective April 2013; this was in part the result of a British government policy decision that all publicly-funded research should be made available online, free of charge.

The US government, of course, provides funding for a great deal of research, too, and there have been increasing calls to make the results of that research freely available, including a petition, on the “We the People” section of the White House web site, which attracted 65,704 signatures.  On Friday, the administration released a response from Dr. John Holdren, Assistant to the President for Science and Technology and Director of the White House Office of Science and Technology Policy, which announced a move toward open access:

The Obama Administration agrees that citizens deserve easy access to the results of research their tax dollars have paid for.

Details of the new policy are contained in a memorandum [PDF] to Federal agencies, directing those with R&D budgets of more than $100 million to develop plans under which all research will be made available to the public, free of charge, within 12 months of original publication.  This approach is modeled on the existing Public Access Policy of the National Institutes of Health (NIH).  Individual agencies need not copy the NIH policy exactly; they are allowed, in principle, to make adjustments to fit their particular fields of research.  And there will be the customary exemptions for national security and other sensitive areas.

We should probably expect a certain amount of squabbling over the details of these policies; after all, the journal publishers have a vested economic interest in the status quo.   There have already been some complaints that the announcement does not go far enough toward completely open access, and doubtless there will be more.  As with any new policy, the odds are that the initial implementation will fall short of perfection.  Yet I think that, on the whole, this is a very positive step.  Once open access to even a part of the research results is granted, it will be very difficult to go back.


Expired Certificate Hoses Microsoft’s Cloud Service

February 23, 2013

Yesterday, at around 3:45 PM EST, users of Microsoft’s Azure cloud computing platform began to experience problems world-wide.   The problem apparently stemmed from an SSL certificate that had expired.  The certificate was used by Azure storage service, and the problem had knock-on effects on other Azure services as well.   The following message was posted on the Windows Azure Service Dashboard:

On Friday, February 22 at 12:44 PM PST, Storage experienced a worldwide outage impacting HTTPS traffic due to an expired SSL certificate. This did not impact HTTP traffic.

At the time I’m writing this, about 14:25 EST on Saturday, February 23, the Dashboard is still showing “Storage service degradation” across all regions.   The most recent status update says:

We have executed repair steps to update SSL certificate on the impacted clusters and have recovered to over 99% availability across all sub-regions. We will continue monitoring the health of the Storage service and SSL traffic for the next 24 hrs. Customers may experience intermittent failures during this period.

Although there are many systems that have enviable records of reliability, occasional service outages are still something to be expected and planned for.  In some cases, such as a natural disaster, it is possible to have considerable sympathy for the systems’ operators; forecasting rare events is difficult almost by definition (we assume the future will be like the past, because in the past, the future has been like the past).

It’s difficult for me to work up a lot of sympathy in this case, however.  SSL cryptographic certificates have a well-defined expiration date.  In addition, the certificate in question appears to have been issued by “Microsoft Secure Server Authority”; in other words, Microsoft was unable to get a timely renewal of the certificate from itself.  If I were a customer of the Azure service, I would not be too happy right now.
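Since a certificate's expiration date is known the day it is issued, the outage above is the kind that a routine check catches weeks in advance.  The following is an added example (not Microsoft's tooling or anything from the post) of such a check in Python: it reads the `notAfter` field in the shape that `ssl.SSLSocket.getpeercert()` returns, classifies each certificate as expired, expiring soon, or fine, and lists the ones needing action.  The host names, certificate dates, and the pinned "now" are constructed sample values.

```python
import ssl
import socket
from datetime import datetime, timezone

# Constructed sample data: dicts in the shape returned by ssl.SSLSocket.getpeercert(),
# with "now" pinned to the afternoon of the outage so the results are reproducible.
NOW = datetime(2013, 2, 23, 19, 25, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "storage.example.invalid": {"subject": ((("commonName", "*.storage.example.invalid"),),),
                                "notAfter": "Feb 22 20:44:00 2013 GMT"},
    "api.example.invalid": {"subject": ((("commonName", "api.example.invalid"),),),
                            "notAfter": "Mar 10 00:00:00 2013 GMT"},
    "www.example.invalid": {"subject": ((("commonName", "www.example.invalid"),),),
                            "notAfter": "Jan 01 00:00:00 2014 GMT"},
}

def days_remaining(cert, now=NOW):
    """Days until the certificate's notAfter; negative once it has already expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # stdlib parser for the GMT string
    return (expires - now.timestamp()) / 86400

def classify(cert, now=NOW, warn_days=30):
    """Return 'EXPIRED', 'WARN' (inside the renewal window) or 'OK'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "EXPIRED"
    if left < warn_days:
        return "WARN"
    return "OK"

def audit(certs, now=NOW, warn_days=30):
    """Return (host, status, days) for every certificate needing action, most urgent first."""
    findings = []
    for host, cert in certs.items():
        status = classify(cert, now, warn_days)
        if status != "OK":
            findings.append((host, status, round(days_remaining(cert, now), 1)))
    return sorted(findings, key=lambda f: f[2])

def fetch_cert(host, port=443, timeout=5):
    """Live variant: fetch the peer certificate dict from a TLS endpoint (needs network).
    Verification stays on; an already-expired certificate makes the handshake raise
    ssl.SSLCertVerificationError, which is itself the alert a monitor should emit."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host, status, days in audit(SAMPLE_CERTS):
        print(f"{status:8} {host}: {days:+.1f} days")
```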


Google Releases Chrome 25

February 21, 2013

Google today released version 25 of its Chrome browser; for Windows and Linux, the new version number is 25.0.1364.97, and for Mac OS X it is 25.0.1364.99.  The new version incorporates some new features, including:

  • Support for the JavaScript Web Speech API
  • Better WebGL error handling
  • Better support for HTML 5 date/time inputs
  • Improved management and security for extensions, so that extensions cannot be installed without the user’s consent

The new release also includes fixes for 22 identified security vulnerabilities; Google categorizes 9 of these as High severity, 8 as Medium, and 5 as Low.  In addition, MathML is disabled by default, to address another serious security flaw.  More information is available in the Release Announcement.

Because of the security content of this release, I recommend that you update your systems as soon as you conveniently can.   Windows and Mac users can get the new version via the built-in update mechanism; Linux users should check their distribution’s repositories for the new version.


Mozilla Releases Thunderbird 17.0.3

February 20, 2013

In addition to the release of Firefox 19.0 yesterday, Mozilla has released version 17.0.3 of its Thunderbird E-mail client, for Linux, Mac OS X, and Windows.   This release corrects eight security vulnerabilities, four of which are rated Critical.  (These are the same vulnerabilities that were fixed in Firefox 19.0.  The two packages share a significant amount of code.)  A bug with handling attachments in the message composition window was also fixed.  More information is available in the Release Notes.

Because of the security fixes incorporated in this release, I recommend that you update your systems as soon as you conveniently can.  You can use the update mechanism built into the software (Help / About Thunderbird / Check for Updates), or you can get a complete installation package, in a variety of languages, from the Thunderbird download page.


Adobe Releases Patches for Acrobat, Reader

February 20, 2013

As expected, Adobe today released new versions of its Acrobat and Reader software for Windows, Mac OS X, and Linux.  These address two critical security vulnerabilities (one a memory corruption problem, the other a buffer overflow) that, if exploited, might give an attacker control over your system.   According to Adobe’s Security Bulletin [APSB13-07], the following versions of the software are vulnerable:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

There is some evidence that these vulnerabilities are currently being exploited, primarily via E-mails that attempt to trick the user into opening a malicious PDF document.

Because the updates address a couple of serious vulnerabilities, I suggest that you update your systems as soon as you conveniently can.  For Reader, Windows and Mac OS X users can get the new version via the update mechanism built into the software (Help -> Check for Updates).  Alternatively, you can download update packages from these links:

Linux users can retrieve the new version, via FTP, from this link.

Please check the Security Bulletin for Acrobat update links.

