Online CMS Pt II - PageLime


In a previous article I extolled the virtues of Adobe's new InContext Editor (ICE), which is a new online CMS service that is integrated in Dreamweaver 4. Since then I have discovered that there are in fact other, much better solutions out there which do essentially the same thing, only better and cheaper. PageLime is the first of these which I have been trying out and will review here.


Firefox & Adobe rated as buggiest software


Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe Reader more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.

Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database.

 

However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.

Meanwhile, Adobe took the second place spot from Microsoft this year. The number of vulnerabilities in Adobe Reader rose from 14 last year to 45 this year, while those in Microsoft Office dropped from 44 to 41, according to Qualys. Internet Explorer had 30 vulnerabilities.

A shift in focus
The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.

 

"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications," he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."

 

Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.

 

That compared with Word representing nearly 35 percent of all 1,968 targeted attacks in 2008, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.

 

As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.

 

Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.

 

Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and which are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application white listing technology.

 

The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.

 

Not included on the list are programs from Microsoft and Google because of the ability for users of their software to have patches installed automatically. Microsoft software can be automatically and centrally updated via the Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated when users are on the Internet, Bit9 said.

 

The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honourable mention" because of a zero-day vulnerability related to ActiveX that went un-patched for three weeks in July.

Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.

 

Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.

 

For those looking for a secure alternative to Adobe PDF reader, try Foxit Reader.

http://www.foxitsoftware.com/pdf/reader/

Time Tracking and Source Control for FREE


 

For quite some time now I have been using ProWorkFlow for my time tracking and project management, which I found to be the most fully featured of all the project management solutions I tried and really is very good. However the amount of development work I do these days is very small, so I couldn't really warrant paying for something that gets used so rarely, so I decided it was time to look for an alternative and preferably FREE solution.


Beware of the police, they want your kids to become criminals.


I recently came across this shocking article which made my blood boil.

 

Mother trailed by policeman and warned by council for telling off son at checkout
Read more: http://www.dailymail.co.uk/news/article-1226056/Mother-trailed-policeman-warned-council-telling-son-checkout.html#ixzz0WvxoDr1b

 

It beggars belief doesn't it, clearly they are too lazy to investigate all those real crimes and this is exactly the reason why more and more kids are hanging about outside off licenses, swearing and being abusive to the public and generally growing up to be thugs and criminals before they are even teenagers, thus making even more cases for the police and social services to ignore.

Judging by the growing number of incidents like the above one, this is the type of behaviour that the police and social services condone and are encouraging by their actions. Obviously by denying teachers and parents the ability to teach any kind of moral values or boundaries to their children or using any kind of discipline for fear of the repercussions they must have some sick dreams of a future like "Escape from New York" rather than the utopian society that most dream of.

 

It certainly seems that the average social services worker or police officer is completely clueless about children if they think all parents should be calm and collected all the time and that all children will simply do as they're told if you just ask them nicely. I think it should be a requirement that anyone who desires to work in this field should have some real world practical experience and I can't believe that isn't the case already. Give them a couple of unruly kids to look after 24/7 for a month and see what happens, or at the very least it should be a requirement that they have had kids of their own. Then perhaps they will realise that most parents lose their temper as a matter of course and make idle threats to their kids just to shut them up. Someone who really does smack the crap out of their kids is hardly likely to shout about it in a public place.

Sure we all see parents losing their rag in the supermarket and initially we may think they are crazy or going way OTT, but then if you are a parent yourself you realise that the kid has probably been winding them up all day and the parent has simply run out of patience, and that is probably exactly what you look like to everyone else when you lose your rag as well.

Sure it is great to think that the police and social services are looking out for the welfare of our kids as we certainly don't like to think of those poor children like Baby P out there who are being abused, I know that any stories of that nature in the news always bring a tear to my eye, but I for one do not think that is happening when you take cases like "Baby P" where there was some real and obvious abuse that was totally ignored because they are wasting time victimising innocent people who have clearly done nothing wrong and won't even admit when they have made a mistake and continue to push the matter. One can only presume that it takes up less of their time and requires less paperwork than investigating real crime or abuse cases.

I think these days you need to be more scared of the police or social services than you do of the criminals. At least a burglar is only going to take your stuff and not your kids.

Honeycombing a database


In the world of network servers, the term "honeypot" refers to a server that is placed in an environment for the sole purpose of attracting those who are snooping around, and capturing their activities within the honeypot server. Honeycombing a database is a very similar approach and involves creating "decoy" tables within a database that appear to contain valid, and unprotected, sensitive data. When unauthorized activity occurs on the decoy table, it is captured in an audit table and a notification is sent to the appropriate parties.

 

I recently came across an interesting book entitled Protecting SQL Server Data. From the previous URL you can download a free 220 page ebook, and this article is taken from chapter 1, in which you learn how to set a "honey trap" for would-be data thieves, allowing the DBA to identify the precursors of an attack and respond quickly, and also to better understand the techniques being used to breach existing security measures.

It is certainly worth a read if database security is important to you or you have any sites that have been hacked through SQL injection.
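
One way to build the decoy-plus-audit arrangement described above, using SQL Server Audit. This is an added example, not code from the book or from this post; the database, table, audit names and the file path are all hypothetical, and the notification step is left to whatever monitors the audit output.

```sql
-- Added example: every object name, path and value below is hypothetical.
USE master;
GO
-- 1. Server-level audit: defines where captured events are written.
CREATE SERVER AUDIT Honeycomb_Audit
    TO FILE (FILEPATH = N'D:\SQLAudit\')   -- placeholder folder; must already exist
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Honeycomb_Audit WITH (STATE = ON);
GO

USE SalesDemo;   -- placeholder application database
GO
-- 2. Decoy table: looks sensitive, holds only fabricated rows,
--    and is referenced by no application code.
CREATE TABLE dbo.Customer_CardNumbers
(
    CustomerId  int IDENTITY(1,1) PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    CardNumber  char(16)      NOT NULL
);
INSERT INTO dbo.Customer_CardNumbers (FullName, CardNumber)
VALUES (N'Decoy Person One', '0000000000000001'),   -- constructed values
       (N'Decoy Person Two', '0000000000000002');
GO
-- 3. Record every read or write of the decoy, whoever performs it.
--    (Triggers cannot see SELECT, which is why an audit is used here.)
CREATE DATABASE AUDIT SPECIFICATION Honeycomb_Decoy_Access
    FOR SERVER AUDIT Honeycomb_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE
         ON OBJECT::dbo.Customer_CardNumbers BY public)
    WITH (STATE = ON);
GO
-- 4. Review captured activity: each row is one touch of the decoy,
--    with the login that did it and the statement that was run.
SELECT event_time, action_id, server_principal_name,
       database_name, [object_name], [statement]
FROM sys.fn_get_audit_file(N'D:\SQLAudit\Honeycomb_Audit*.sqlaudit', DEFAULT, DEFAULT)
WHERE [object_name] = N'Customer_CardNumbers'
ORDER BY event_time DESC;
```

Because nothing legitimate queries the decoy, any row returned by the last query deserves investigation. Database audit specifications require Enterprise edition on versions before SQL Server 2016 SP1.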
