Tech News Weekly: Edition 50

Hi all.
I got a "meh" from Mouse Man this morning when I mentioned the expand all button, so I guess we'll be waiting longer for that.. But perhaps some tech news will lift your spirits. As usual, you can find last week's news here.


1. Microsoft Fixes 28 Flaws; 6 Are Critical
http://news.cnet.com/8301-1009_3-10119227-83.html
http://www.theregister.co.uk/2008/12/10/ms_patch_tuesday_december/
Microsoft has released its biggest ever Patch Tuesday update, and includes its new "Exploitability Index" to aid administrators in determining the possibility a vulnerability will be exploited in the wild.

Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.

Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update.


2. Exploit for Unpatched WordPad, IE Flaws in the Wild
http://arstechnica.com/journals/microsoft.ars/2008/12/10/exploit-for-unpatched-wordpad-ie-flaws-in-the-wild
An exploit is in the wild for a vulnerability not patched this month, in WordPad. The exploit involves opening a specially crafted Word document in WordPad. The exploit is currently spread via email, using a .wri extension for the document so as to be certain it opens in WordPad and not Word itself.

Yesterday Microsoft released patches for some 28 flaws in Windows, IE, and Office, most of them critical, in the largest ever Patch Tuesday update. The company also issued a bulletin for another critical flaw—but this one didn't receive a patch, and there are exploits in the wild. The flaw is in WordPad; specifically, in WordPad's converter for opening Word 97 documents, which can be made to execute arbitrary code when given a suitably crafted file.

This flaw does not affect all versions of Windows. Windows 2000, XP with Service Pack 2, and Windows Server 2003 (all versions) are affected; however, XP with Service Pack 3 (slightly surprisingly), Vista, and Windows Server 2008 are not. Accordingly, XP SP2 users can therefore protect themselves simply by installing the current Service Pack. Users of other affected systems can disable the flawed component (details are contained within Microsoft's bulletin), or just sit tight to see how the company responds. There is no word yet of an out-of-cycle update, so as things stand it looks like this flaw may not be fixed until the next Patch Tuesday, which will be January 13, 2009.


3. Security Chief Window Snyder Leaving Mozilla
http://security.blogs.techtarget.com/2008/12/10/security-chief-window-snyder-leaving-mozilla/
Head of security at Mozilla, Window Snyder, is leaving Mozilla to help establish a new start-up venture.

Window Snyder, the head of security at Mozilla, is leaving the company to help found a start-up venture unrelated to security. Snyder has been at Mozilla for more than two years and has been the driving force behind the company’s effort to make security a top priority in its popular Firefox browser.

Snyder’s departure is a blow to Mozilla, a small organization that counts on participation from the open-source community for much of its work. Snyder has helped raise the company’s profile in the security community and made transparency about security issues a key initiative. The company currently is working on a security metrics project with security analyst Rich Mogull of Securosis that is designed to measure the relative security of Firefox in a number of different ways.


4. Computer Scientists Find Audio CAPTCHAs Easy to Crack
http://arstechnica.com/news.ars/post/20081208-computer-scientists-find-audio-captchas-easy-to-crack.html
Audible CAPTCHAs may be next on the menu for those attempting to automate signing up to online services as they're apparently easier to crack than their well-developed image-based cousins.

The Carnegie-Mellon University team behind the reCAPTCHA service is continuing to expand its effort to mix basic security and useful work. CAPTCHAs are the distorted text that helps various online services ensure that the entity opening an account is a human, not a bot bent on using the service to dish out spam. The reCAPTCHA service puts the mental horsepower needed to interpret these images to good use, harnessing it to identify text in scanned books where OCR software has failed. Now, the team has turned its attention to the audio CAPTCHAs used by the visually impaired.

Audio CAPTCHAs consist of a string of spoken characters, typically masked and distorted by a form of background noise. To start with, the researchers looked into the security of existing audio CAPTCHAs used by Google and Digg. In a paper that will be presented later this week at the Neural Information Processing Systems Conference, the authors demonstrate that these are relatively easy to crack.


5. More SHA-3 News
http://www.schneier.com/blog/archives/2008/12/more_sha-3_news.html
NIST has officially brought the SHA-3 competition into its first round, publishing all 51 candidates publicly, excluding those already broken.

NIST has published all 51 first-round candidates. (Presumably the other submissions -- we heard they received 64 -- were rejected because they weren't complete.) You can download the submission package from the NIST page. The SHA-3 Zoo is still the best source for up-to-date cryptanalysis information.

Various people have been trying to benchmark the performance of the candidates, but -- of course -- results depend on what metrics you choose.


6. Koobface Worm Targets MySpace, Other Sites
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=212400218
Against my better judgment, I'm posting yet another Koobface story. Though this time it appears the newest Koobface variant is attempting to spread to other social networking sites.

The Koobface worm, which has plagued the Facebook social networking site during the past week, is now targeting MySpace, Bebo, and other sites as well, security researchers warn.

Researchers at security vendor F-Secure said yesterday in a blog about the Koobface worm that the new infection is designed to spread to other popular social networking sites, including MyYearbook.com, BlackPlanet.com, and Friendster.com.


7. Sony Pays $1M to FTC for Illegally Collecting Data On Kids
http://arstechnica.com/news.ars/post/20081211-sony-pays-1m-to-ftc-for-illegally-collecting-data-on-kids.html
Sony BMG has copped a $1 million fine, among the biggest ever for a case of this kind, to the US Federal Trade Commission for its violation of the Children's Online Privacy Protection Act by collecting information from children under the age of 13 without their parents' consent.

Sony BMG will pay $1 million to the Federal Trade Commission to settle charges that it violated the Children's Online Privacy Protection Act (COPPA) by collecting information on users under the age of 13 without their parents' consent. The FTC says that the civil penalty will match the largest penalty ever paid out in a COPPA case.

The FTC filed a lawsuit against Sony BMG just yesterday in the US District Court in Manhattan. The Commission, suing on behalf of the United States, said that Sony has been operating a number of websites since 2004 in order to promote and advertise its music offerings. These sites—many of which contain social networking functionality that allow users to create profiles and interact with others—apparently did not restrict users under the age of 13 from registering, despite the fact that the sites claimed that users under 13 would not be able to use the sites.


8. Sun Closes 'future' Pay-per-use Utility Computing Service
http://www.theregister.co.uk/2008/12/10/sun_closes_cloud/
Sun has decided to close its computer processing rental service, Network.com, after determining the business model was not as successful as they'd hoped.

Sun Microsystems has killed its once high-profile utility computing experiment, Network.com, which let customers buy computing power by the hour.

The company revealed it's no longer accepting new customers after four years, saying parts of the business and technology model "were not in the sweet spot". The 13 customers and 48 applications using Network.com will be offered continued service.


9. FSF Sues Cisco
http://www.fsf.org/blogs/licensing/2008-12-cisco-complaint
The FSF has finally run out of patience, and has marked the 5th year of its battles to have Cisco properly comply with the GPL on GNU code it uses, by filing suit.

The FSF has sued Cisco for damages regarding their continued violations of the GPL and LGPL by not distributing source for FSF code in a long list of products:

Defendant distributed Plaintiff’s Programs in this manner in the Firmware for Linksys’ models EFG120, EFG250, NAS200, SPA400, WAG300N, WAP4400N, WIP300, WMA11B, WRT54GL, WRV200, WRV54G, and WVC54GC, and in the program Quick-VPN.


10. Google Chrome Out of Beta, Official 1.0 Release Available
http://blog.wired.com/business/2008/12/chrome-10.html
Google has brought Chrome out of BETA with an official v1.0 release. Don't suppose that means they'll stop exploiting it to datamine users?

Google has officially released a 1.0 version of its Chrome web browser, dropping the beta status after a mere one hundred days. It might seem an astounding move for a company best known for keeping projects in an indefinite beta status (Gmail is going on five years as a beta), but Google Chrome isn't just another web app, it's desktop software and to compete with Internet Explorer, Chrome needs to be 1.0.

Unfortunately for Chrome fans there isn't much new in the 1.0 release (nor is there any news on the much-anticipated Mac and Linux versions). Google has been fixing bugs and adding some small new features as the beta progressed — like much improved privacy controls. However, Chrome still lacks some basic web browser features such as reliable RSS detection and form auto-filling tools.


11. Don't Be 404, Know the Tech Slang
http://news.bbc.co.uk/2/hi/technology/7775013.stm
And now for this week's odd article. Apparently, the tech industry's penchant for acronyms and numeric error codes has translated into verbal and written slang.

A study of new slang terms entering English finds that technology is driving and perpetuating them.

For instance, "404" - the error message given when a browser cannot find a webpage - has come to mean "clueless".


Ehtyar.


