Short list emerges for cybersecurity czar job

The first reports of the short list for the job of federal cybersecurity coordinator are beginning to trickle out, and while some of the names are all too familiar, many others are quite new to the national scene.

The time has come for an industry Patch Week

Patch management has become, in the words of one bleary-eyed IT guy, “just freaking ridiculous.”

Here’s a look at what this IT guy, whose primary role is managing risk at a medium-sized business, was up against in the last two weeks:

Adobe has issued its first-ever scheduled quarterly update for its Reader/Acrobat product line, a bumper patch to cover 13 serious security vulnerabilities.
The patches, which follow Microsoft’s release of fixes for 31 Windows, IE and Office flaws, address “critical vulnerabilities” in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. “These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system,” Adobe warned in an advisory.

Microsoft plans to ship 10 security bulletins next Tuesday (June 9, 2009) with fixes for a wide range of code execution vulnerabilities affecting Windows, Microsoft Office and Internet Explorer.
Six of the ten bulletins will be rated “critical,” Microsoft’s highest severity rating. See the advance notice advisory. Read more at ZDNet Zero Day.

From PC Mag (Larry Seltzer)
Microsoft has made much of the security advances in their recent products but some people ask why these are not incorporated into their earlier products. The basic answer is that it usually would come at a cost that users aren’t willing to pay in a software patch, but may be willing in a new product generation.
Yesterday’s revelation of a flaw in DirectShow in Windows XP and other older Windows versions is a perfect example. Windows Vista, Windows Server 2008 and Windows 7 were all not vulnerable. Why? Because the DirectShow code in XP had largely been replaced with the new Windows Media Foundation, developed using the company’s SDL (Security Development Lifecycle), a series of development rules designed to decrease the number of vulnerabilities in code and to limit the impact of those that remain. Read the full story.

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla’s Firefox Web browser, according to a report by Brian Krebs.
The Firefox add-on was silently added to Firefox when users downloaded a service pack for the Microsoft .NET Framework. explains why this is a security problem:
