New Microsoft Security Advisory Released

Microsoft has released a new security advisory (2488013) for all supported versions of Internet Explorer.  Exploit code for the vulnerability has been released publicly, which is what prompted this new security advisory.

At this time, Microsoft is reporting limited attacks on the vulnerability and is only releasing a security advisory.  Microsoft will most likely release a security bulletin to patch this vulnerability if they, or their partners, see an uptick in attacks surfacing on the Internet.  The next regularly scheduled cumulative update for Internet Explorer is expected in February.  If we do not see an uptick in attacks, this vulnerability should be addressed at that time.

In the meantime, it is important to monitor the situation with this zero-day vulnerability.  Microsoft has posted a workaround on their Security Research and Defense blog for those who need to lock down their Internet Explorer browsers.

– Jason Miller

Transitioning to the Cloud

Over the past year, there has been an enormous amount of attention paid to activities, technology and innovation surrounding the subject of Cloud Computing, and for obvious reasons!  As the world of IT continues to reshape itself, cloud-based services and technologies will play a vital role. That said, the ability to take advantage of the “economies of the cloud,” which are the economic forces, business drivers, and structural issues affecting the costs and benefits of adopting cloud technologies, rests squarely with the technology adopter (user) and vendor alike. From the vendor’s perspective, cloud-based services need to be easy to consume and accessible from anywhere, on any type of device, and at any time. From the perspective of the adopter (user), there must be instant evidence of value – specifically the savings that can be realized by moving to the cloud, but just as important – increased confidence that what’s kept and managed via the cloud is both secure and always available.

A great example of this is the US Federal Government’s desire to lower the costs of managing the enormous base of technology and infrastructure it currently controls, with the directive from the White House CIO to move to or leverage the cloud wherever possible. There was a great article published in Cloud Computing Journal at http://cloudcomputing.syscon.com/node/1654478?utm_source=cloud&utm_medium=twitter that illustrates this changing paradigm.

The cloud offers a rich field of opportunity for vendor and user alike, and the benefits for both sides are immense!  Looking into the crystal ball, it’s anyone’s guess what long-term impact Cloud Computing will have on businesses, but from what’s visibly evident so far, the future of cloud-based technologies and solutions is very bright.

Dave Eike

Shavlik Technologies

New Versions of iTunes and Opera Available, Install At Own Risk

Apple has released a new version of iTunes, version 10.1.1.  This release is a non-security release, but be careful if you choose to install at this time.  There have been quite a few reports of the new iTunes program breaking major functionality.  Given that this is a non-security release and the reports so far, we at Shavlik are holding off on adding this to our data files until next week.  I fully expect Apple to release a new version of iTunes before next Tuesday.  This kind of problem has happened in the past, and Apple has quickly released a new build.

Opera also released a new version of their browser, 11.00.  This is also a non-security release.  The Shavlik SCUPdates folks (Doug and Greg) found that Opera has broken their silent install switches, so we are currently investigating this product for a Tuesday release as well.

Patch week isn’t quite over for Shavlik just yet.  Yes, I said patch “Week”.  We have nailed down the Microsoft Patch Tuesday security bulletins in outstanding time.  There are a couple of other items we are focusing on for tomorrow’s release:

  • New release of Google Chrome 8.0.552.224 (security update)
  • New release of Skype 5.0.0.152 (non-security update)
  • Outlook Junk Email Filter for Outlook 2003 December 2010
  • Outlook Junk Email Filter for Outlook 2007 December 2010
  • Outlook Junk Email Filter for Outlook 2010 December 2010
  • Non-security update KB2467659 (related to MS10-090, restoring functionality the patch broke)

This is a lot to focus on in one week.  Best of luck to everyone on squeezing them in before your holiday break.

– Jason Miller

New Version Of Google Chrome and Skype Available

Google and Skype have joined in on the Microsoft Patch Tuesday festivities.  Google Chrome 8.0.552.224 has been released and addresses multiple security fixes.  Details can be found here.

Skype has released a new version of their Skype program, 5.0.0.152.  This release appears to be a non-security update, as it addresses many bug fixes.  The release notes can be found here.

– Jason Miller

December 2010 Patch Tuesday Overview

Microsoft has released 17 new security bulletins addressing 40 vulnerabilities in the December 2010 edition of Patch Tuesday.  This is yet another record-breaking month for the number of security bulletins released at one time, although only two of the bulletins are rated as critical.

The first bulletin that needs to be addressed is MS10-090.  This bulletin addresses 7 vulnerabilities in Internet Explorer.  One of the vulnerabilities, as explained in Microsoft Security Advisory 2458511, is being actively exploited in the wild.  Over the weekend, Microsoft saw an uptick in attacks against the vulnerability.  These attacks are primarily being conducted against Internet Explorer users in China and Korea.  With any security bulletin that is being actively attacked, it is critical that you deploy this to your network immediately.

The second bulletin that should be addressed immediately is MS10-091.  This bulletin addresses an issue with the OpenType Font Driver.  If a shared folder that contains a malicious OpenType font file is viewed, an attacker could run code in the Windows kernel.  For a successful exploit, an attacker must convince a user to open a share that contains a malicious OpenType font file.  If the folder has thumbnail view set, no user interaction is required for a successful exploit.  If the folder has any other folder view set (such as details), the user must open the malicious file to be exploited.

Five of the bulletins released today address a common issue, but each bulletin affects different components.  All five bulletins (MS10-093, MS10-094, MS10-095, MS10-096, and MS10-097) address the Insecure Library Loading issue identified in August by Microsoft.  This issue was detailed in Microsoft Security Advisory 2269637.  At the time the advisory was released, Microsoft announced that patches would be coming for any affected products they found.  It is not surprising these 5 bulletins were released, and Microsoft is still finding products affected by this vulnerability.

If you have applied the workaround detailed in the Microsoft knowledge base article 2264107, machines on your network cannot be attacked by this vulnerability.  It is still important though to apply any security patches vendors release.
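For administrators who want to confirm that the KB 2264107 workaround is actually in place before relying on it, the following PowerShell check is an added example (not Shavlik’s or Microsoft’s code). It assumes the registry value name CWDIllegalInDllSearch and the value meanings as documented in that knowledge base article.

```powershell
# Added example (not Shavlik's or Microsoft's code): report whether the
# DLL search-order workaround from KB 2264107 is configured on this machine.
# Assumed value name and meanings, as documented in that KB:
#   absent / 0  -> default search order, the current working directory (CWD) is searched
#   1           -> DLL loads from the CWD are blocked when the CWD is a WebDAV folder
#   2           -> DLL loads from the CWD are blocked when the CWD is any remote folder (WebDAV or UNC)
#   0xFFFFFFFF  -> DLL loads from the CWD are blocked everywhere

$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName  = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchDescription {
    param($Value)
    # A REG_DWORD of 0xFFFFFFFF is read back by PowerShell as Int32 -1, so accept both forms.
    if ($null -eq $Value)                        { return 'not set: default search order, CWD is searched' }
    if ($Value -eq 0)                            { return 'set to 0: default search order, CWD is searched' }
    if ($Value -eq 1)                            { return 'set to 1: CWD loads blocked for WebDAV folders' }
    if ($Value -eq 2)                            { return 'set to 2: CWD loads blocked for WebDAV and UNC folders' }
    if ($Value -eq -1 -or $Value -eq 4294967295) { return 'set to 0xFFFFFFFF: CWD loads blocked everywhere' }
    return ('unrecognised value {0}' -f $Value)
}

function Get-CwdDllSearchValue {
    param([string]$KeyPath)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

# System-wide setting
$sys = Get-CwdDllSearchValue -KeyPath $SessionMgr
Write-Output ('System-wide {0}: {1}' -f $ValueName, (Get-CwdDllSearchDescription $sys))

# Per-application overrides live under the executable's IFEO subkey and,
# per the KB, take precedence over the system-wide value for that process.
Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $v = Get-CwdDllSearchValue -KeyPath $_.PSPath
    if ($null -ne $v) {
        Write-Output ('  {0}: {1}' -f $_.PSChildName, (Get-CwdDllSearchDescription $v))
    }
}
```

Run it from an elevated prompt; a system-wide result of "not set" means the workaround is not applied and the machine still relies on the vendor patches alone.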

This is the time of the year where maintenance windows may be tight due to the holidays, vacations and office closures.  With 17 bulletins, take the time to thoroughly review each bulletin and identify which bulletins require your immediate attention.

– Jason Miller

NSS Labs Releases Their Q3 2010 Browser Security Report

NSS Labs released their Web Browser Security report for Q3 2010 today.  The report is focused on testing the most widely used browsers against socially engineered malware.  It is important to note this test does not focus on vulnerabilities in the browser or attacks against those vulnerabilities.  Socially engineered malware arrives as web links, sent to users through email, instant messages and online advertisements, that appear to point to legitimate programs, but the actual file or site is malicious.  Socially engineered attacks are becoming a more prevalent attack vector as social media becomes widely used by individuals and businesses.  Lately, attacks have appeared on websites such as Facebook, Twitter and various blog sites.

In this report, NSS Labs ran the browsers through a gauntlet of malicious web sites to see how well each browser’s protection fared in keeping end users browsing safely.  All major browsers include some type of protection functionality.  In fact, some of the browsers use the same technology but implement it in different ways.

The major browsers tested by NSS Labs were:

  • Apple Safari 5
  • Google Chrome 6
  • Microsoft Internet Explorer 8
  • Microsoft Internet Explorer 9 (beta)
  • Mozilla Firefox 3.6
  • Opera 10

The results of this test are quite staggering and I am pretty surprised.  Both Microsoft browsers truly surpassed the other browsers in the market.  In effectiveness at blocking a malicious site, Microsoft Internet Explorer 8 blocked 90% of the socially engineered malware.  Not to be outdone, Microsoft Internet Explorer 9 blocked 99% of the socially engineered malware.  The remaining browsers tested rated at most 19% effective against socially engineered malware.

With Internet Explorer 9, Microsoft still includes the SmartScreen Filter.  The browser now boasts an additional layer of protection with the introduction of SmartScreen Application Reputation.

Microsoft is showing, with their current browser technologies and their new browser technologies, that security for end user browsing is important to them.  I focus a lot on patching browsers to prevent attacks on users’ computers, but defending against socially engineered malware can be quite futile, as the control is in the end user’s hands.

For Firefox, Chrome, Safari and Opera, I will be interested to see how they add functionality to catch up to Microsoft in this category.

The full NSS labs report can be found here.

More information on Microsoft’s SmartScreen features in Internet Explorer 9 can be found here.

More information on Mozilla Firefox’s Anti-Malware screening can be found here.

More information on Google Chrome’s Safe Browsing can be found here.

More information on Apple Safari’s Malware Protection can be found here.

More information on Opera’s Malware Protection and Extended Validation can be found here.

– Jason Miller

Recap of Salesforce.com's Dreamforce 2010 Cloud Conference

For the last 4 days, I’ve had a lovely time out in San Francisco, California at Salesforce.com’s 2010 Dreamforce show, which was attended by north of 30,000 attendees. I’ve been to most of the Dreamforce events, as this is now my third company that uses Salesforce.com in its day-to-day operations. In our case, we’re heavy users, with nearly 100% adoption of their entire product footprint. The massive adoption that we have here at Shavlik opened up some interesting opportunities for us to shake hands with the other Salesforce elites and see what is new in their business and what we have to look forward to in the future.

Market Observations
Although I’ve been to most Dreamforce events, this year’s conference was extremely different. The conference itself was billed as “The Cloud Convention,” which brought out a fascinating cross-section of people. Although the majority of the conference was filled with Salesforce customers, partners and personnel, there was a large group of attendees that were not Salesforce.com customers, many of them NetSuite or Microsoft CRM users, who showed up because they wanted to observe how the Cloud is affecting other companies and hear more about its impact on theirs. One such attendee told me, “I’ve got 3 years left with my current provider, I’m not switching.” Those examples of people attending to understand the cloud show me a few things:

  1. Congratulations to Salesforce.com: They have gone from a CRM company to a Cloud leader. In and of itself, that’s impressive. This conference was more of a cloud conference and not so much a product conference. It’ll be interesting to see if Dreamforce 2011 (which is in August by the way) will carry that theme forward.
  2. Cloud is the single biggest IT trend going on today: When customers that are not using the cloud are coming to understand and discuss it with an expert, that’s a lot of power. It’s more real and gaining immense inertia.
  3. Cloud has turned the corner: It was funny, the number of people that responded to me that they chose the cloud in part due to security concerns was very high.  Think about that! – A year ago, when I told people we were a cloud SaaS provider, the first concern was security… now people recognize it as a benefit! That’s amazing.

Beyond the Cloud observations, there were two other market observations that I’ll make. First off, social integration isn’t a choice, but an imperative. Salesforce.com was discussing their advancement of Chatter and how over 66,000 of their customers have adopted the platform in some format which is impressive given they have around 85,000 total customers. An adoption rate like that is borderline ludicrous. For those of you that don’t know, Chatter is “Facebook” for business. It’s an impressive paradigm for collaboration, and I see a ton of value with it.

The “Social Invasion” I noticed was underscored numerous times throughout the event. As one of the fundraisers for the UCSF Benioff Hospital, the game maker Zynga (makers of FarmVille, Mafia Wars and countless other social games) created a new purchasable item called “Candy Canes” which FarmVille users could buy and plant, with the proceeds benefiting the UCSF Benioff Hospital. In only a few days, Zynga had raised a seemingly impossible amount of money for the cause, surpassing $850,000.  When you think about that, that’s a lot of Candy Canes! But at the same time, with Chatter, Zynga’s example and countless other examples that I can point to, social integration is coming and it’s important we all recognize the impact of it.

Second, whoever said “Green IT was dead” last year was totally wrong. A typical conversation at Dreamforce went, “How are you using the cloud?  How are you using Chatter?  What Green initiatives are you embarking on?” Without a doubt, Green IT is back and in force. What is funny though is the two camps that exist on this issue:

  • Vendors want to be green, but don’t want to have to be burdened with it. I heard from a bunch of people that said, “Yeah, we’re trying to be better on the green initiatives but at the same time, it’s so hard to do with our other priorities.” They all acknowledged their efforts have been more of an afterthought, but carbon management is becoming more talked about.
  • Customers want to make green choices. With so many elite users of Salesforce at my fingertips, as we discussed green I asked how it would affect a purchase decision. The majority of customers admitted that it would be a prime consideration, but in the event of a bake-off on features, a green vendor was chosen over one that was less-environmentally focused.

So on the green side, that was great to hear. We’ve given some thought on this front… look forward to some work we’re going to do there.

Who Moved my Cheese?
Back in 2002, I was at a Dreamforce event in some small hotel room in California. Now, the event takes over the entire Moscone North, South and West conference facilities. I don’t know how many millions of square feet the conference consumes, but it was massive. At the same time, Salesforce.com, which I originally chose as a CRM SaaS platform so many moons ago, has become a Platform as a Service (PaaS) for my current business at Shavlik. Out of nowhere, Salesforce.com shocked the market this year with the announcement of Database.com. This means Salesforce.com, the original SaaS, had moved to a PaaS and is now doing Infrastructure as a Service (IaaS): SaaS -> PaaS -> IaaS. Congratulations to their team on some of the best engineering I’ve ever witnessed. For those of you that can’t guess, more than likely I’ll be paying close attention to their IaaS offering and perhaps jump on board to bring my business to the next level.

But wait, there’s more… On Wednesday at their keynote presentation, moments before it was about to begin, my phone lit up like a Christmas tree with tweets, newswire stories and media commentary. Salesforce.com announced their definitive agreement to acquire Heroku, makers of a cloud-based Ruby on Rails implementation. This was huge. In a world where open matters, Heroku is the key example of how open can change the path of technology. Their Ruby on Rails platform has enabled tens of thousands of developers to create Ruby-based applications in the cloud without having to run a data center. Also, the announcement means Salesforce.com is keeping their interfaces more open, more targeted at development growth… which I can’t tell you how much I really do appreciate.

Congratulations to the Heroku team on a match with Salesforce.com that will definitely be impactful to both of their development communities.

Finally…
I do think it is necessary to recognize Salesforce.com again for putting together an exceptional conference. Their platform has grown extraordinarily well through the years, and when a conference has singers like Stevie Wonder, Will.i.am, and Neil Young on stage, you know the organization is taking a conscious effort to ensure their “fun” atmosphere is received and understood by their clients. In the case of Dreamforce 2010, they definitely accomplished that. In closing though, I have to level with everyone, one of my favorite parts of the conference was watching my account executive at Salesforce.com, Chad Katoff doing Karaoke to MC Hammer’s “Can’t Touch This” at a bar which was closed, but we convinced them to open back up to allow us to sing for a while. That was too cool… too funny…

I now leave San Francisco, headed back home after a very long, very intense week. Salesforce.com definitely surprised me this week and taught me to expect the unexpected from them. It’s great to see.

New Firefox, SeaMonkey and Thunderbird Releases Today

As expected, Mozilla has released new updates for the Firefox, SeaMonkey and Thunderbird software families today.

Mozilla Thunderbird 3.0.11
Note:  This is the last update that will be provided for the Thunderbird 3.0 line.  When the next security release for Mozilla Thunderbird occurs, you will need to upgrade your clients to the 3.1 line to ensure you get the latest security updates.

Mozilla Thunderbird 3.1.7
– 3 Critical Vulnerabilities Addressed

Mozilla Firefox 3.5.16
Mozilla Firefox 3.6.13
– 9 Critical Vulnerabilities Addressed
– 1 High Vulnerability Addressed
– 1 Moderate Vulnerability Addressed

Mozilla SeaMonkey 2.0.11
– 9 Critical Vulnerabilities Addressed
– 1 High Vulnerability Addressed
– 1 Moderate Vulnerability Addressed

With 17 new Microsoft security bulletins next week, you might want to address these before that time.

– Jason Miller