Bugs and Fixes: Adobe Reader, Acrobat Come Under Fire

Adobe product security took another hit recently when reports surfaced of a zero-day attack against a critical vulnerability in the ubiquitous Adobe Reader. Small-scale, targeted attacks have already occurred in the wild. The flaw affects both Reader and Acrobat on all platforms, and lets an attacker install malware on your PC if you open a malicious PDF file using version 9.2 or earlier of either app. By the time you read this, Adobe should have released a patch for the problem; see its security bulletin for details.

Adobe's Illustrator has another critical flaw that remains to be fixed. Opening a tainted EPS file could trigger an attack if you have Illustrator CS4 version 14.0.0, or Illustrator CS3 version 13.0.3 or earlier, on any operating system. As with the Reader vulnerability, Adobe hoped to release a fix at around the time we went to press; look for a patch announcement, and for details see the relevant bulletin from Adobe. Adobe did release the necessary patches for its Flash Player and AIR programs on all platforms.

Among the critical flaws that these fixes corrected was a bug in the way the programs handled JPEG images. Adobe has set up a page on its site where you can check your version of Flash; versions 10.0.32.18 and earlier need updating to version 10.0.42.34. AIR versions 1.5.2 and earlier need to bump up to version 1.5.3. Adobe has also posted a bulletin summarizing the situation.

Jumbo Update for IE

Microsoft's latest batch of patches has a cumulative update for all Internet Explorer versions. This bundle includes fixes for last month's zero-day flaw affecting IE 6 and 7. The update (MS09-072) is rated critical for IE 5 on Windows 2000, for IE 6 on Windows XP or Server 2003, and for IE 7 on XP and Vista. It's also required for IE 8 on XP, Vista, and Windows 7; but it's rated only moderate for IE 7 and 8 on Server 2003 and Server 2008.

Next up for Microsoft is MS09-074, a fix for an Office Project flaw that a malicious Project file could trigger. The update is rated critical for Microsoft Project 2000 SP1, and important for Project 2002 SP1 (part of Office XP) and Project 2003 SP3. Office 2007 is not affected.

Additional Microsoft Fixes

The final critical Microsoft fix, MS09-071, affects only Windows Server 2008. But you should also pick up a number of less-crucial patches. One of them (MS09-073) fixes a bug in WordPad and in the Office Text Converters that a maliciously crafted Word 97 file could exploit. Another update (MS09-069) prevents a specially created Internet Security Association and Key Management Protocol (ISAKMP) message from crashing Windows 2000, XP, or Server 2003. To obtain all of the new patches, fire up Windows Update; for an overview of the whole batch, see Microsoft's security bulletin summary.

Media Fixes for Firefox

Firefox users can wrap up their monthly patches by making sure the browser is updated to version 3.5.6, or to 3.0.16 if you haven't yet upgraded. Both updates fix various crash bugs that might allow an intruder to install malware and run attack commands. The 3.5.6 update also shores up two other critical security holes: one in the libtheora video library, which could be hit with a malicious video file, and the other in the liboggplay media library.

Choose Help, Check for Updates to make sure you have the latest version.

TSA posts document on airport screening procedures online

In a gaffe called "shocking" and "reckless" by some U.S. lawmakers, the Transportation Security Administration (TSA) inadvertently posted a 93-page document containing highly sensitive information on its airport screening procedures on a government Web site. The document included information on the frequency with which checked bags are to be hand screened for explosives, the names of 12 countries whose citizens are automatically sent to secondary screening and a list of items for which screening is not always required. The aviation security manual included details on TSA procedures for screening passengers, special rules for handling the CIA, diplomats and law enforcement officials and the technical settings and tolerances used by metal and explosive detectors used at airports. Also included were images of sample credentials used by members of Congress and the CIA which the TSA said could be easily imitated.

The manual was posted as part of a TSA contract solicitation and was supposed to have been redacted. Each page of the manual carries the admonition: "NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A 'NEED TO KNOW.'" The document, which was posted on the Federal Business Opportunities Web site, was discovered on Sunday by The Wandering Aramean blog. But rather than removing the sensitive text from the document, "they just drew a black box on top of it," the blog noted. "Turns out that PDF documents don't really care about the black box like that and the actual content of the document is still in the file." The TSA document has since been removed from the federal Web site, but numerous copies have since become available around the Internet.

In a statement, a TSA spokesman said that the document was an "outdated, unclassified version of a Standard Operating Procedures. This version of the SOP was never implemented. Because TSA has to constantly adapt to address ever evolving threats, there have been 6 newer versions of the procedures since this version was drafted." The statement goes on to add that while the document demonstrates the "complexities of checkpoint security," it does not contain information related to the specifics of everyday screening. A full review of the incident is now under way, the TSA said.

The TSA's claim that the document was outdated has done little to quell the outrage expressed by some lawmakers. Susan Collins (R-Maine), the ranking member of the Senate Homeland Security Committee, blasted the TSA over its lapse. "This manual provides a road map to those who would do us harm," Collins said. "The detailed information could help terrorists evade airport security measures." The "shocking breach" will undercut the American public's confidence in security measures at U.S. airports, she said. In a statement today, Sen. Collins said she intends to ask the Department of Homeland Security for a complete explanation of how the breach happened and what specific actions are being taken to prevent "this type of reckless dissemination" in future.

In a similar statement, Sen. Joseph Lieberman (I-Conn.) called the release of the SOP manual an "embarrassing mistake." "A security manual, redacted or not, is not the type of document we want to share with the world," Lieberman noted, adding that the improper redaction only compounds the error.
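The failure the blog describes, a black rectangle painted over text that is still present in the page's content stream, is easy to reproduce. The script below is an added example written for this page; it is not the TSA's document or the blog's tooling. It assembles a minimal single-page PDF by hand, optionally paints a black box over a sensitive string the way the manual was "redacted," and then runs the kind of check a publisher should run before posting: inflate every content stream and pull out every string drawn with the Tj operator. The helper names (build_pdf, extract_text, leaks), the three modes and the sample text are all constructed for the illustration. It only handles the Tj operator, literal strings and FlateDecode streams, which is what this hand-built file uses; a production check needs a real PDF parser that also covers TJ and the other text operators, custom font encodings, object streams, metadata and attachments.

```python
import re
import zlib

# Added example (not the TSA's file or the blog's tooling): a hand-built,
# single-page PDF showing why painting a black box over text does not
# remove it, plus the check a publisher should run before posting.


def escape_pdf_string(text: str) -> str:
    """Escape the three characters that are special inside a PDF (...) string."""
    return text.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def page_content(text: str, mode: str) -> bytes:
    """Return the page's content stream (its drawing operators).

    mode == "plain"   : draw the text only
    mode == "overlay" : draw the text, then paint a black box on top (the TSA way)
    mode == "removed" : paint the box only; the text operators are gone
    """
    if mode not in ("plain", "overlay", "removed"):
        raise ValueError(f"unknown mode {mode!r}")
    ops = []
    if mode in ("plain", "overlay"):
        # BT/ET: text object; 12 pt Helvetica (/F1) positioned at x=72, y=700
        ops.append(f"BT /F1 12 Tf 72 700 Td ({escape_pdf_string(text)}) Tj ET")
    if mode in ("overlay", "removed"):
        # 0 g: black fill colour; re: rectangle path; f: fill it
        ops.append("0 g 70 696 160 16 re f")
    return ("\n".join(ops) + "\n").encode("latin-1")  # text assumed Latin-1


def build_pdf(text: str, mode: str) -> bytes:
    """Assemble a minimal, well-formed PDF 1.4 file with one page.

    The content stream is Flate-compressed, as in any real document, so a
    naive grep of the file for the secret would miss it.
    """
    stream = zlib.compress(page_content(text, mode))
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))  # byte offset recorded in the xref table
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


# Each stream together with the dictionary that precedes it. A content
# stream's dictionary has no nested << >>, which is all this file needs.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\n(.*?)\nendstream", re.S)
# A literal string (with backslash escapes) followed by the Tj operator.
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj", re.S)


def extract_text(pdf: bytes) -> list:
    """Return every string shown with Tj, inflating FlateDecode streams first.

    Drawing order is irrelevant here: a rectangle painted after the text
    changes what a viewer shows, not what the file contains.
    """
    found = []
    for dictionary, raw in STREAM_RE.findall(pdf):
        data = zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
        for literal in TJ_RE.findall(data):
            found.append(re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1"))
    return found


def leaks(pdf: bytes, sensitive: str) -> bool:
    """Pre-publication check: is the sensitive text still extractable?"""
    return any(sensitive in s for s in extract_text(pdf))


if __name__ == "__main__":
    secret = "NO PART OF THIS RECORD MAY BE DISCLOSED"
    for mode in ("plain", "overlay", "removed"):
        doc = build_pdf(secret, mode)
        print(f"{mode:8s} leaks={leaks(doc, secret)} text={extract_text(doc)}")
```

The "plain" and "overlay" files both give the string back to extract_text; only "removed" comes back empty. That is the whole lesson of the TSA incident: the only reliable redaction deletes the text operators (and any copies in other streams, bookmarks, metadata and attachments) and regenerates the file, and the published artifact is then checked with an extractor, not by looking at it in a viewer.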

Cisco's struggle to move TelePresence down market prompts Tandberg buyout

Cisco's $3 billion bid this week for Tandberg is a gamble that video conferencing can take off in the small/medium business and consumer markets, which to date haven't embraced Cisco's TelePresence systems. Tandberg, based in Norway, makes video conferencing systems for desktops and personal computers, as well as higher-end units, and owned 40% of the $2 billion worldwide market in Q2. Cisco's TelePresence systems, meanwhile, are predominantly for conference rooms and can cost hundreds of thousands of dollars, though lower-end versions have been introduced as well. Cisco has pegged telepresence as one of its Advanced Technologies, defined as those technologies with the potential to develop into a $1 billion-a-year business. With the deal, Cisco would catapult itself from the leader in telepresence, which represents just 1% of the video conferencing units sold, to the clear leader in all of video conferencing, says Ira Weinstein, an analyst with Wainhouse Research. "The breadth of what they can deliver has been massively expanded," he says. But the deal is an admission by Cisco that it has been challenged in bringing TelePresence systems down market, analysts say.

About 18 months ago, Cisco rolled out the TelePresence 500 system for "personal" virtual conferencing in private offices, but analysts say that system has had a hard time cracking a market already well served by Tandberg, Polycom, LifeSize and others. "They've struggled," says Vanessa Alvarez, an analyst at Frost & Sullivan. "They weren't going to capture a significant share. So if you can't beat them you might as well join them." Another challenge for Cisco will be to bring all of its different piece parts of video conferencing and telepresence together, says Ken Dulaney of Gartner. "It's not clear that people want to buy a lot of pieces," Dulaney says. He compares Cisco's portfolio to that of Microsoft, which starts from a common base of Exchange and features an integrated client. "Those endpoints will be difficult for Cisco to achieve," he says. The key to success with the deal is for Cisco to embrace Tandberg's leadership in adopting standards that make interoperability with other vendors' telepresence gear simpler, says Henry Dewing, an analyst with Forrester Research. Without such interoperability, business-to-business conferencing won't proliferate, and that will limit demand for the gear, he says.

So far, Cisco has been lagging. "There's lots of different standards Cisco meets to get [traffic from other vendors' gear] into Cisco telepresence rooms," Dewing says. "But getting it out to anyplace else is hard." In 2007, Tandberg bought Codian, which developed video bridge technology to simplify interconnecting devices that use different codecs and other interfaces, Dewing says. Tandberg's bridge technology is more advanced than Cisco's, he says. One Cisco TelePresence customer contacted by Network World says the deal is good news. The international law firm DLA Piper installed Cisco gear earlier this year and would like it to work with the video conferencing equipment it already had in place. "I have a lot of legacy Tandberg equipment, and the merger will likely ensure tighter integration in the future. Plus, I think it will address some of my interoperability concerns a bit more quickly," says Don Jaycox, CIO of DLA Piper's USA division.

Cisco will have some product overlap issues with which to contend, as the vendors' telepresence offerings overlap. But customers that Tandberg would fight over with Polycom will now become deals that Cisco can participate in, because it will have more lower-end products. Tandberg also has very strong sales partners in videoconferencing that Cisco will benefit from, Weinstein says. Tandberg's alliances with Avaya and Microsoft, however, will likely languish with Tandberg as part of Cisco, Weinstein says. Cisco competes with Avaya in telephony and Microsoft in unified communications, so it is likely the two will back off the arrangements, he says. "If you're Avaya, buying Tandberg puts money into the pockets of Cisco," he says.

Video as a killer app

Dulaney says the acquisition indicates that Cisco believes video will be a killer app, and will fuel sales of its routers and switches. "They're making a big bet on video to protect themselves from commoditization," Dulaney says. "If you're going to make a bet you might as well own all of the properties." Dewing agrees. By 2013, the sum of all forms of video (TV, VoD, Internet video, and peer-to-peer) will exceed 90% of global consumer IP traffic, according to Cisco's Visual Networking Index.

He says Cisco wants to do all it can to drive telepresence and video conferencing because that will create more demand for network capacity. "They want as much video on the network as soon as possible because it eats up the bandwidth," Dewing says. "That will create demand for switches and routers and other network devices and that is the light on the horizon for Cisco." Through its own internal research, Cisco found that global IP traffic will increase fivefold by 2013, due in large part to new forms and expanded usage of interactive media and the "explosion" of video content across multiple devices. Video communications traffic, including video over instant messaging and video calls, will increase 10-fold from 2008 to 2013, the Cisco VNI found. Moving TelePresence down market is key to Cisco's vision. But doing it through internal development would be harder for Cisco than acquiring product and share, says Irwin Lazar of Nemertes Research. "They looked at the market and discovered it would take a while and cost a lot of money, and they'd still face vendors much further along," Lazar says. Acquiring Tandberg and placing all small- and medium-sized video conferencing and TelePresence responsibilities with the Norwegian firm "accelerates R&D significantly" for Cisco, Lazar says. He says he expects more consolidation in the market, with HP, Avaya or Microsoft possibly interested in snapping up Polycom or LifeSize or other smaller players.

A downside for enterprise users, however, is that there are now only two major players in business video conferencing: Cisco and Polycom, Lazar says.

Broadband stimulus grants delayed

One of the government agencies in charge of doling out broadband stimulus cash has pushed back the dates for when it will start handing out grants. The National Telecommunications and Information Administration (NTIA) said in a filing with the U.S. House and Senate Appropriations Committees this week that it was planning to start awarding broadband stimulus grants this December and would begin funding the grants in February of next year. The NTIA's original timeline had been to fund all first-round projects by year-end, but the agency says that it has had to push back its timeline due to "the large number of complex applications and the voluminous amount of information the agency needs to review." This past August, the NTIA and the Rural Utilities Service (RUS) said they had received roughly 2,200 applications for the $4 billion worth of grants available for broadband projects in the United States. The applications, which were submitted earlier in the year, requested funds for a total of about $28 billion in broadband projects, or seven times the total funds available.

The $4 billion in grants currently available to applicants is just the first part of the $7.2 billion that the government has allotted to fund broadband infrastructure investment over the next two years. Of that money, $4.7 billion has been given to the NTIA to award grants for projects that will build out broadband infrastructure in un-served or under-served areas, deliver broadband capabilities for public safety agencies, and stimulate broadband demand through training and education. The remaining $2.5 billion in broadband stimulus money has been allotted to the Department of Agriculture to make loans to companies building out broadband infrastructure in rural areas. The broadband grants are being awarded as part of the larger $787 billion economic stimulus package passed into law earlier this year. Because the NTIA and RUS have received so many requests, they now plan to release the rest of the funds for projects early next year rather than having two separate rounds of awards.

Microsoft's new lab pushes social networking boundaries

DENVER - Microsoft's Lili Cheng's passion is making things that solve real problems, so as the leader of the company's new FUSE Labs she fully expects to blur the line between pure research and product development. Her rationale is simple. "In some sense if you are building social software and you don't deploy, you have no idea if it works or not," she says. In fact, after only a month with its doors open, FUSE (Future Social Experiences) has done just that, helping Microsoft's Bing team release a marriage of the search engine and Twitter just two weeks ago. "The project was very experimental but once [the Bing team] saw the stuff we had they thought it would be great to try to ship it," she said of what she considers FUSE's first by-product. Cheng spoke with Network World at the annual Defrag Conference on social computing and the social Web. Cheng says FUSE will embed itself with Microsoft product teams from SharePoint to Xbox and whoever is "fun to work with." She says the Bing/Twitter project is a great example of the concept. "We just ship with the product team," she says. "I like that model, especially for [version 1] stuff." She describes FUSE as an advanced development research group. "We are pretty good at it because we just go for it," she says. Cheng is not some young maverick who thinks caution belongs in a stiff wind; she has an extensive and respected background in research, including as director of the Creative Systems Group at Microsoft Research.

Cheng joined Microsoft in 1995 in the virtual worlds research group and worked on social applications such as V-Chat and Comic Chat. Before Microsoft she worked in Apple's Advanced Technology Group, on the user interface research team. She started the Social Computing Group within Microsoft Research in 2001. The team built social networking prototypes including Wallop, which spun out as a separate company in 2004; Photostory, which shipped in Windows; and the Sapphire project, an early vision for redesigning Windows. The lab is one of three - the others being Microsoft's Rich Media Labs and Startup Labs - that were merged to create FUSE. From 2004 to 2006 she crossed over to the product side and was the director of user experience for Windows and helped get Vista out the door. She was appointed FUSE director last month by Microsoft chief software architect Ray Ozzie, who told Microsoft staff in a memo: "I've known Lili for many years, and have long been impressed by her vision and ability to create; to engage yet to also inspire; to lead; to make tough choices; to deliver." "I think the move to the labs is very natural. Ray and I interact all the time and he is just all over this [social experiences]," she says.

While Cheng won't give concrete examples of current projects, she says there is ongoing work with the SharePoint and Outlook teams, and there is fascination with Twitter. "We are fascinated by the sharing of information in these systems and how you can make it more accessible," she says, mentioning Twitter's recent addition of a list capability. "If you add a little machine learning to lists and groups you could help people's experiences a lot more." She says as people consume more and more information the question becomes: "How do we make that easier and how do we help people manage their time?" Cheng says FUSE's focus won't be strictly enterprise, but a major goal will be to embed social activity into business processes such as collaboration, and where "social" meets real-time and entertainment. She says, however, that the rapid rise of social computing and social networking makes it hard to think too far into the future. "If you look at young people and the way they communicate and socialize it is hard to say where it is going to go." Regardless of where everything ends up, Cheng hopes users have the new tools in their hands. "If people can use some great new cool social stuff from Microsoft that would be awesome," she says.

NASA’s future: Now the battle begins

When it comes down to it, NASA is the most accomplished space organization in the world, but its human spaceflight activities are at a tipping point, primarily due to a mismatch of goals and money. That was the conclusion of the Augustine Review of United States Human Space Flight Plans Committee report delivered to the White House today. The report's 157 pages of findings will now be debated and, in the end, dictate the future of NASA and space flight operations.

According to the report, NASA's fundamental conundrum is that within the current structure of the budget, NASA essentially has the resources either to build a major new system or to operate one, but not to do both. Either additional funds need to be made available or a far more modest program involving little or no exploration needs to be adopted, the report stated. This is the root cause of the gap in capability of launching crew to low-Earth orbit under the current budget and will likely be the source of other gaps in the future. The commission seems to say space exploration is a worthwhile endeavor, but the way it is accomplished and the way NASA approaches it need to be radically changed.

So what are some of those changes? From the Augustine report, some of the most important include:

• International partnerships: The US can lead a bold new international effort in the human exploration of space. If international partners are actively engaged, including on the "critical path" to success, there could be substantial benefits to foreign relations and more overall resources could become available to the human spaceflight program.

• Short-term Space Shuttle planning: The remaining Shuttle manifest should be flown in a safe and prudent manner without undue schedule pressure. This manifest will likely extend operation into the second quarter of FY 2011.

• The human-spaceflight gap: Under current conditions, the gap in US ability to launch astronauts into space will stretch to at least seven years. The Committee did not identify any credible approach employing new capabilities that could shorten the gap to less than six years. The only way to significantly close the gap is to extend the life of the Space Shuttle Program.

• Extending the International Space Station: The return on investment to both the United States and our international partners would be significantly enhanced by an extension of the life of the ISS. A decision not to extend its operation would significantly impair US ability to develop and lead future international spaceflight partnerships.

• Heavy lift: A heavy-lift launch capability to low-Earth orbit, combined with the ability to inject heavy payloads away from the Earth, is beneficial to exploration. It will also be useful to the national security space and scientific communities. The Committee reviewed the Ares family of launchers, Shuttle-derived vehicles, and launchers derived from the Evolved Expendable Launch Vehicle family. Each approach has advantages and disadvantages, trading capability, life-cycle costs, maturity, operational complexity and the "way of doing business" within the program and NASA.

• Commercial launch of crew to low-Earth orbit: Commercial services to deliver crew to low-Earth orbit are within reach. A new competition with adequate incentives to perform this service should be open to all US aerospace companies. While this presents some risk, it could provide an earlier capability at lower initial and life-cycle costs than government could achieve. This would let NASA focus on more challenging roles, including human exploration beyond low-Earth orbit based on the continued development of the current or modified Orion spacecraft.

• Technology development for exploration and commercial space: Investment in a well-designed and adequately funded space technology program is critical to enable progress in exploration. Exploration strategies can proceed more readily and economically if the requisite technology has been developed in advance. This investment will also benefit robotic exploration, the US commercial space industry, the academic community and other US government users.

• Pathways to Mars: Mars is the ultimate destination for human exploration of the inner solar system, but it is not the best first destination. If humans are ever to live for long periods on another planetary surface, it is likely to be on Mars. The options here include: Mars First, with a Mars landing, perhaps after a brief test of equipment and procedures on the Moon; Moon First, with lunar surface exploration focused on developing the capability to explore Mars; and a Flexible Path to inner solar system locations, such as lunar orbit, Lagrange points, near-Earth objects and the moons of Mars, followed by exploration of the lunar surface and/or Martian surface.

But Mars is not an easy place to visit with existing technology and without a substantial investment of resources.

The report comes at a time when NASA is about to test one of the largest and most complicated parts of its future rocket, the Ares I-X. The launch vehicle test is slated for Oct. 27. The flight test will provide NASA with an early opportunity to test and prove flight characteristics, hardware, facilities and ground operations associated with the Ares I. Ares has had significant technical and design challenges, according to experts. First off, it has had a weight problem, and NASA needs to eliminate vibrations during launch, among other challenges. NASA estimates that Ares I and its Orion system represent up to $49 billion of the over $97 billion estimated to be spent on the overall Constellation program through 2020.

Augustine said of Constellation: "The estimated cost of the Ares I launch vehicle development increased as NASA determined that the original plan to use the Space Shuttle main engines on the Ares I upper stage would be too costly. But the replacement engine had less thrust and inferior fuel economy, so the first-stage solid rockets had to be modified to provide more total impulse. This in turn contributed to a vibration phenomenon, the correction of which has yet to be fully demonstrated. This is the nature of complex development programs, with budgets that are far more likely to decrease than increase. Complicating matters further, insofar as the Constellation Program is concerned, this Committee has concluded that the Shuttle Program will almost inevitably extend into FY 2011 in order to fly the existing manifest and that there are strong arguments for the extension of the International Space Station for another five years beyond the existing plan. In addition, adequate funds must eventually be provided to safely de-orbit the ISS, funds that were not allotted in the current or original program plans. These actions, if implemented, place demands of another $1.1 billion and $13.7 billion, respectively, on the NASA budget."

Juniper’s splash big on tech vision, short on specifics

Juniper Networks' wide-ranging announcements on Thursday, billed by the company as the most significant since its founding in 1996, perhaps left more questions than answers after all the products, technologies and partnerships were unveiled. The Cisco rival even unveiled a new corporate logo, a symbol of the company's readiness to embark on a new decade. Juniper rolled out a sweeping array of software, silicon and systems enhancements, as well as new and expanded partnerships intended to take the company and its customers into the next decade of networking. The event was even staged on the 40th anniversary of the Internet's birth to signify its importance to Juniper, if not to the industry.

Why the makeover? "It puts a stake in the ground for our vision for the next decade," said Juniper CEO Kevin Johnson at the event, which was hosted by the New York Stock Exchange, Juniper's most recent showcase account. "We're driving to a platform view that's horizontal and open to integration: one platform with unlimited applications." With that, Juniper unveiled its strategy for opening and licensing its JUNOS operating system to developers and partners. It also rolled out a new generation of processors, called Trio, designed to massively scale the edge of the service provider network, and introduced new MX-series Ethernet edge routers with "3D" scaling of bandwidth, subscribers and services. In addition, Juniper disclosed Project Falcon, an initiative to develop products for the mobile packet core and subscriber management of 4G networks, as well as "universal edge" applications integrating wireline and wireless networks.

This served as an attempt to clarify Juniper's position in this market after losing partner Starent Networks to Cisco, which is buying the company for nearly $3 billion. Lastly, Juniper provided an update on its Stratus cloud computing project, which included three steps to cloud-enable a data center: simplify the environment through a unified fabric managed as a single switch; share resources through virtual partitioning and VPLS; and secure the environment with security policies based on the new JUNOS Space platform and enhancements to Juniper's SRX Services Gateway. Still, Juniper did not disclose deliverables for the Stratus or Falcon projects, and attendees were still clamoring for more meat from the event, which seemed fixated on sweeping technology advances rather than specific solutions for key markets. "There are no details on the data center side," said Zeus Kerravala of the Yankee Group. "How are they going to play in the converged data center? How do they address that aside from the loose IBM, Dell OEM deals? They need to put some meat on the bones."

One of the omissions from the prepared remarks was a FibreChannel over Ethernet (FCoE) strategy. FCoE is regarded as the quintessence of a unified data center fabric, yet there was nary a mention of it by Juniper officials. "That's one of the things that's missing," Kerravala said. "They need to talk specifically on how to address that." Andy Ingram, a vice president in Juniper's Fabric and Switching technology group, says an FCoE strategy will be forthcoming from Juniper. It will combine organic development with partner contributions. Still, customers may want a more definitive roadmap, analysts say. "The problem is … there are no [Juniper] products today to help the data center," says Cindy Borovick, a data center analyst at IDC. "But customers are making their investments now." Borovick says Juniper's data center strategy right now is targeted at large content sites that deploy network-attached storage (NAS) rather than FibreChannel. But she adds that the economics of FCoE (its Converged Network Adapters cost twice as much as Fibre Channel Host Bus Adapters, which in turn cost two to four times as much as Ethernet NICs) don't currently make sense. She notes, though, that Juniper's exclusive agreement to license JUNOS to BLADE Network Technologies gives Juniper a blade switch strategy and provides another avenue for JUNOS to be embedded in data centers.

At least one high-profile customer doesn't seem too worried about the specific gaps still to fill in Juniper's strategic direction. "It's clear they aim to be a leading provider of network solutions, like we are [a leader] in our industry," says Duncan Niederauer, CEO of NYSE Euronext. "This is about our business models converging, our partnership is just beginning. Juniper was the right company to work with." Juniper's broad brush stroke may be intended to avoid the perception that it is responding to trendy new markets with point products. "They don't want to be perceived as going down rabbit holes," says Ron Westfall, research director at Current Analysis. "But one item not addressed is that Cisco outsells them despite the technological differentiation. How are they going to improve in the field sales?"