Adobe to Patch Reader, Acrobat

February 18, 2013

Last week, Adobe issued a Security Advisory (APSA13-02) for its Acrobat and Reader software for Windows, Linux, and Mac OS X.  The advisory concerns two newly-discovered security vulnerabilities in the software (CVE numbers are in the Security Advisory).  According to Adobe, the affected versions of the software are:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

There is some evidence that the vulnerabilities are being exploited, principally by E-mails that attempt to trick Windows users into opening a malicious PDF document.

According to a post on the Product Security Incident Response Team (APSIRT) blog, Adobe plans to release security updates for the affected software this week.  I will post a note here when the patches are available.

In the meantime, those who are using Reader XI and Acrobat XI for Windows can mitigate the risk from these flaws by enabling “Protected View” (see the Security Advisory for details).  In any case, you should always be very wary of opening any E-mail attachments unless you are sure they are legitimate.

Fixing Forensic Science

February 18, 2013

If you are a fan of television shows like CSI or NCIS, you know that, at least in that world, forensic science always produces conclusive evidence that helps catch the bad guys.  The reality, as is so often and tediously the case, is a bit messier.  Many of the forensic techniques that are used were developed originally to aid investigation; collecting rigorous evidence of their validity was a distinctly secondary concern.  Many crime labs are controlled by law enforcement agencies, hardly a motivating force for impartial science.  I’ve written here before about some of the problems with fingerprint evidence, with biometrics in general, and even with DNA evidence, regarded in both the TV and real worlds as the “gold standard” of forensic science.

Many of these problems stem from two basic causes:

  • The validity of the evidence in question is ultimately based on a statistical analysis; that is, we may be able to say that the odds are 100 to 1 that a given DNA sample matches the DNA from a particular person.   The underlying statistical analysis is sometimes not as good as it should be, and is also often not disclosed completely.  It should be obvious that it is no more possible to prove that fingerprints are unique than it is to prove that no two snowflakes are alike.
  • Even if the basic analysis is sound, the evidence has to be collected and analyzed by people.  Often, what is collected is imperfect; smeared or partial fingerprints from a crime scene are not as easily classified as the illustrations in the textbooks.  Ordinary blunders can occur, too: evidence may be contaminated, mislabeled, or lost.

Though some suggestions have been made to improve the underlying statistical analysis (as I mentioned in some of those earlier posts), progress on them has been incomplete, at best.  In any case, the propensity of people to make mistakes is not likely to disappear.

Thus I think it is good news that, as the Washington Post reported in an article this weekend, the federal government will set up a new National Commission on Forensic Science to guide improvements in forensic science practice, with technical assistance provided by the National Institute of Standards and Technology (NIST).

The new 30-member commission will be co-chaired by Justice Department and NIST officials. It will include forensic scientists, researchers, prosecutors, defense attorneys and judges, and will meet several times a year as a federal advisory committee subject to open government requirements.

The initiative may also lead to replacement or reorganization of some of the ad hoc groups of practitioners that act as informal governing bodies for forensic work.

This step is one that should be welcomed by anyone who wants the criminal justice system to be as fair as possible.  Back in 2009, the National Research Council published a report critical of the current state of forensic science in the US.

It is clear that change and advancements, both systematic and scientific, are needed in a number of forensic science disciplines to ensure the reliability of work, establish enforceable standards, and promote best practices with consistent application.

As the report says, there are many talented, dedicated people doing excellent work in forensic science.  They, and the others affected by this work, deserve to have adequate resources and research to draw upon.
