Mozilla Releases Firefox 19

February 19, 2013

The Mozilla organization released a new major version, 19.0, of its Firefox Web browser, for Linux, Mac OS X, and Windows.  In addition to the customary updates to the Gecko rendering engine in a major release, this version incorporates several new features and improvements.  Probably the most significant change for most users is the inclusion of the new, built-in PDF viewer.  (The plan to include a viewer was first discussed back in October, 2011.)  Other significant changes include:

  • Improved start-up performance
  • Better HTML 5 support for cascading style sheet (CSS) capabilities
  • Fixes to bugs in WebGL processing, plug-in rendering, and private mode startup
  • Fixes for eight identified security vulnerabilities, four of which are rated Critical

Further information is available from the Release Notes.

You can get the new version using the update mechanism built into the browser, either automatically or via Help / About Firefox / Check for Updates.  Alternatively, you can get a complete installation package, available in more than 70 languages, from the download page.

Update Wednesday, 20 February, 14:53 EST

The “Webmonkey” blog at Wired has a short article on the new version of Firefox.

Adobe to Patch Reader, Acrobat

February 18, 2013

Last week, Adobe issued a Security Advisory (APSA13-02) for its Acrobat and Reader software for Windows, Linux, and Mac OS X.  The advisory concerns two newly-discovered security vulnerabilities in the software (CVE numbers are in the Security Advisory).  According to Adobe, the affected versions of the software are:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

There is some evidence that the vulnerabilities are being exploited, principally by E-mails that attempt to trick Windows users into opening a malicious PDF document.

According to a post on the Product Security Incident Response Team (APSIRT) blog, Adobe plans to release security updates for the affected software this week.  I will post a note here when the patches are available.

In the meantime, those who are using Reader XI and Acrobat XI for Windows can mitigate the risk from these flaws by enabling “Protected View” (see the Security Advisory for details).  In any case, you should always be very wary of opening any E-mail attachments unless you are sure they are legitimate.

Fixing Forensic Science

February 18, 2013

If you are a fan of television shows like CSI or NCIS, you know that, at least in that world, forensic science always produces conclusive evidence that helps catch the bad guys.  The reality, as is so often and tediously the case, is a bit messier.  Many of the forensic techniques that are used were developed originally to aid investigation; collecting rigorous evidence of their validity was a distinctly secondary concern.  Many crime labs are controlled by law enforcement agencies, hardly a motivating force for impartial science.  I’ve written here before about some of the problems with fingerprint evidence, with biometrics in general, and even with DNA evidence, regarded in both the TV and real worlds as the “gold standard” of forensic science.

Many of these problems stem from two basic causes:

  • The validity of the evidence in question is ultimately based on a statistical analysis; that is, we may be able to say that the odds are 100 to 1 that a given DNA sample matches the DNA from a particular person.   The underlying statistical analysis is sometimes not as good as it should be, and is also often not disclosed completely.  It should be obvious that it is no more possible to prove that fingerprints are unique than it is to prove that no two snowflakes are alike.
  • Even if the basic analysis is sound, the evidence has to be collected and analyzed by people.  Often, what is collected is imperfect; smeared or partial fingerprints from a crime scene are not as easily classified as the illustrations in the textbooks.  Ordinary blunders can occur, too: evidence may be contaminated, mislabeled, or lost.

Though some suggestions have been made to improve the underlying statistical analysis (as I mentioned in some of those earlier posts), making progress on them has been incomplete, at best.  In any case, the propensity of people to make mistakes is not likely to disappear.

Thus I think it is good news that, as the Washington Post reported in an article this weekend, the federal government will set up a new National Commission on Forensic Science to guide improvements in forensic science practice, with technical assistance provided by the National Institute of Standards and Technology (NIST).

The new 30-member commission will be co-chaired by Justice Department and NIST officials. It will include forensic scientists, researchers, prosecutors, defense attorneys and judges, and will meet several times a year as a federal advisory committee subject to open government requirements.

The initiative may also lead to replacement or reorganization of some of the ad hoc groups of practitioners that act as informal governing bodies for forensic work.

This step is one that should be welcomed by anyone who wants the criminal justice system to be as fair as possible.  Back in 2009, the National Research Council published a report critical of the current state of forensic science in the US.

It is clear that change and advancements, both systematic and scientific, are needed in a number of forensic science disciplines to ensure the reliability of work, establish enforceable standards, and promote best practices with consistent application.

As the report says, there are many talented, dedicated people doing excellent work in forensic science.  They, and the others affected by this work, deserve to have adequate resources and research to draw upon.

Another Flash Player Security Update

February 12, 2013

Adobe has once again released new versions of its Flash Player for Windows, Mac OS X, Android, and Linux systems.  According to Adobe’s Security Bulletin [APSB13-05], the updates address 17 identified security vulnerabilities in the software (the Security Bulletin gives the CVE identifiers for these).  An attacker exploiting any of these vulnerabilities could cause a crash, and potentially take control of the target system.

According to Adobe, the following versions of the software are affected:

  • Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh
  • Adobe Flash Player and earlier versions for Linux
  • Adobe Flash Player and earlier versions for Android 4.x
  • Adobe Flash Player and earlier versions for Android 3.x and 2.x
  • Adobe AIR and earlier versions
  • Adobe AIR SDK and earlier versions

For Mac OS X, Linux, or Windows systems, you can check the version of Flash Player that you are using by visiting Adobe’s About Flash Player page.

The new versions are 11.6.602.168 for Windows systems, 11.6.602.167 for Mac systems, and for Linux systems.  (Adobe is no longer providing new Linux versions of Flash Player, but it is still releasing security updates.)   The new version number for the Flash Player bundled with Google’s Chrome browser is 11.6.602.167.  Please see the Security Bulletin for information on Android versions.

Flash Player has always been an attractive target for the Bad Guys, because it is so widely installed across platforms.  Although I have not seen any reports of exploits “in the wild”, I do recommend that you update your systems as soon as you conveniently can.

Windows users who have the silent update option enabled should receive the new version automatically.  Windows or Mac OS X users can get the update using the update mechanism built into the software.  Alternatively, the new version for Windows, Linux, and Mac OS X is available from Adobe’s download page.  Windows users should remember that they may need two updates: one for Internet Explorer, and one for any other browser(s) you may use.

Microsoft Patch Tuesday, February 2013

February 12, 2013

As expected, Microsoft today released its regular monthly batch of security bulletins and associated patches.  This month there are twelve bulletins, addressing 57 identified vulnerabilities.  (An additional bulletin has been added since the preview announcement last Thursday.)  Five bulletins have a Critical severity rating, and seven are rated Important.   Ten of the bulletins are for Windows and its components; every supported version of Windows is affected.  All versions, except for the Server Core installation, have one or more Critical vulnerabilities.

There are also two bulletins that affect Microsoft server software: one, rated Critical, is for Exchange Server, and the other, rated Important, is for the FAST Search Server.

Microsoft says that seven of the Windows bulletins will definitely require a system restart.  The other bulletins may require one, depending on the system’s configuration.

For more detailed information, and download links, please see the Microsoft Security Bulletin Summary for February 2013.

As usual, I recommend applying these patches to your systems as soon as you conveniently can.

Update Tuesday, 12 February, 15:50 EST

The handlers at the SANS Internet Storm Center have posted their usual summary and evaluation of this month’s patches.

Dr. Watson Goes to Work

February 10, 2013

Back in early 2011, I wrote a number of posts here about IBM’s Watson system, which scored a convincing victory over human champions in the long-running TV game show, Jeopardy!.  The match, as a demonstration of the technology, was undoubtedly impressive, but the longer term aim was to employ Watson’s ability to cope with natural language and to assimilate a huge body of data for work in other areas, such as financial services, marketing, and medical diagnosis.  It’s also been suggested that Watson might be made available as a service “in the cloud”.

On Friday, IBM, together with development partners WellPoint, Inc. and Memorial Sloan-Kettering Cancer Center, announced the availability of Watson-based systems for cancer diagnosis and care.

IBM, WellPoint, Inc., and Memorial Sloan-Kettering Cancer Center today unveiled the first commercially developed Watson-based cognitive computing breakthroughs.  These innovations stand alone to help transform the quality and speed of care delivered to patients through individualized, evidence based medicine.

Since the beginning of the development, Watson has absorbed more than 600,000 pieces of medical evidence and 2 million pages of text from 42 medical journals.  It has also had thousands of hours of training from clinicians and technology specialists.  The goal is to provide doctors and other care-givers with a menu of treatment options.

Watson has the power to sift through 1.5 million patient records representing decades of cancer treatment history, such as medical records and patient outcomes, and provide to physicians evidence based treatment options all in a matter of seconds.

Keeping up with the latest developments in medical research and clinical practice is a serious issue in health care; by some estimates, the amount of available information doubles every five years.  A system based on Watson may give doctors a better chance of staying on top of all of that.

Three specific products were announced today:

The new products include the Interactive Care Insights for Oncology, powered by Watson, in collaboration with IBM, Memorial Sloan-Kettering and WellPoint.   The WellPoint Interactive Care Guide and Interactive Care Reviewer, powered by Watson, designed for utilization management in collaboration with WellPoint and IBM.

The Watson system has improved technically since its debut on Jeopardy!.  IBM says that its performance has increased by 240%, and its physical resource requirements reduced by 75%.  It can now be run on a single Power 750 server.

There’s more information on the technology at IBM’s Watson site.

Prof. Felten Elected to National Academy of Engineering

February 9, 2013

I’ve mentioned Princeton University’s Center for Information Technology Policy [CITP] here in a number of posts, on topics ranging from security “Worst Practices” to high-frequency stock trading.  I’ve also mentioned the CITP’s director, Professor Edward Felten, who in addition to his work at the university has also served a term as the Chief Technologist of the US Federal Trade Commission.  The CITP has consistently produced some of the most interesting research on the intersection of public policy and technology, and it has always seemed to me that Prof. Felten’s leadership has been vital to that work.

So I was delighted to see an announcement that Prof. Felten has been elected to the National Academy of Engineering, “for contributions to security of computer systems, and for impact on public policy.”  As the announcement states,

Election to the National Academy of Engineering is among the highest professional distinctions accorded to an engineer. Academy membership honors those who have made outstanding contributions to “engineering research, practice, or education, including, where appropriate, significant contributions to the engineering literature,” and to the “pioneering of new and developing fields of technology, making major advancements in traditional fields of engineering, or developing/implementing innovative approaches to engineering education.”

I have always found Prof. Felten’s work and writing to be consistently interesting and insightful, and congratulate him on a very well deserved honor.
