Bugs and Fixes: Adobe Reader, Acrobat Come Under Fire

Adobe product security took another hit recently when reports surfaced of a zero-day attack against a critical vulnerability in the ubiquitous Adobe Reader. Small-scale, targeted attacks have already occurred in the wild. The flaw affects both Reader and Acrobat on all platforms, and lets an attacker install malware on your PC if you open a malicious PDF file using version 9.2 or earlier of either app. By the time you read this, Adobe should have released a patch for the problem, as described in a recent security bulletin.

Adobe's Illustrator has another critical flaw that remains to be fixed. Opening a tainted EPS file could trigger an attack if you have Illustrator CS4 version 14.0.0, or Illustrator CS3 version 13.0.3 or earlier, on any operating system. As with the Reader vulnerability, Adobe hoped to release a fix at around the time we went to press. Look for a patch announcement; and for details, see the relevant bulletin from Adobe. Adobe did release necessary patches for its Flash Player and AIR programs on all platforms.

Among the critical flaws that these fixes corrected was a bug in the way the programs handled JPEG images. Adobe has set up a page on its site where you can check your version of Flash; versions 10.0.32.18 and earlier need updating to version 10.0.42.34. AIR versions 1.5.2 and earlier need to bump up to version 1.5.3. Adobe has also posted a bulletin summarizing the situation.

Jumbo Update for IE

Microsoft's latest batch of patches has a cumulative update for all Internet Explorer versions. This bundle includes fixes for last month's zero-day flaw affecting IE 6 and 7. The update (MS09-072) is rated critical for IE 5 on Windows 2000, for IE 6 on Windows XP or Server 2003, and for IE 7 on XP and Vista. It's also required for IE 8 on XP, Vista, and Windows 7; but it's rated only moderate for IE 7 and 8 on Server 2003 and Server 2008. Next up for Microsoft is MS09-074, a fix for an Office Project flaw that a malicious Project file could trigger. The update is rated critical for Microsoft Project 2000 SP1, and important for 2002 SP1 (part of Office XP) and 2003 SP3. Office 2007 is not affected.

Additional Microsoft Fixes

The final critical Microsoft fix, MS09-071, affects only Windows Server 2008. But you should also pick up a number of less-crucial patches. One of them (MS09-073) fixes a bug in WordPad and in Office Text Converters that a maliciously crafted Word 97 file could exploit. Another update (MS09-069) prevents a specially created Internet Security Association and Key Management Protocol message from crashing Windows 2000, XP, or Server 2003. To obtain all of the new patches, fire up Windows Update; for an overview of the whole batch, see Microsoft's security bulletin summary.

Media Fixes for Firefox

Firefox users can wrap up their monthly patches by making sure the browser is updated to version 3.5.6, or to 3.0.16 if you haven't yet upgraded. Both updates fix various crash bugs that might allow an intruder to install malware and run attack commands. The 3.5.6 update shores up two other critical security holes: one in the libtheora video library that could be hit with a malicious video file, and the other in the liboggplay media library. Choose Help, Check for Updates to make sure you have the latest version.

TSA posts document on airport screening procedures online

In a gaffe called "shocking" and "reckless" by some U.S. lawmakers, the Transportation Security Administration (TSA) inadvertently posted a 93-page document containing highly sensitive information on its airport screening procedures on a government Web site. The document included information on the frequency with which checked bags are to be hand screened for explosives, the names of 12 countries whose citizens are automatically sent to secondary screening and a list of items for which screening is not always required. The aviation security manual included details on TSA procedures for screening passengers, special rules for handling the CIA, diplomats and law enforcement officials and the technical settings and tolerances used by metal and explosive detectors used at airports. Also included were images of sample credentials used by members of Congress and the CIA which the TSA said could be easily imitated.

The manual was posted as part of a TSA contract solicitation and was supposed to have been redacted. Each page of the manual carries the admonition: "NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A 'NEED TO KNOW.'" The document, which was posted on the Federal Business Opportunities Web site, was discovered on Sunday by The Wandering Aramean blog. But rather than removing the sensitive text from the document, "they just drew a black box on top of it," the blog noted. "Turns out that PDF documents don't really care about the black box like that and the actual content of the document is still in the file." The TSA document has since been removed from the federal Web site, but numerous copies of the document have since become available around the Internet.

In a statement, a TSA spokesman said that the document was an "outdated, unclassified version of a Standard Operating Procedures. This version of the SOP was never implemented. Because TSA has to constantly adapt to address ever evolving threats, there have been 6 newer versions of the procedures since this version was drafted." The statement goes on to add that while the document demonstrates the "complexities of checkpoint security" it does not contain information related to the specifics of everyday screening. A full review is now under way into the incident, the TSA said.

The TSA's claim that the document was outdated has done little to quell the outrage expressed by some lawmakers. Susan Collins (R-Maine), the ranking member of the Senate Homeland Security Committee, blasted the TSA over its lapse. "This manual provides a road map to those who would do us harm," Collins said. "The detailed information could help terrorists evade airport security measures." The "shocking breach" will undercut the American public's confidence in security measures at U.S. airports, she said. In a statement today, Sen. Collins said she intends to ask the Department of Homeland Security for a complete explanation of how the breach happened and what specific actions are being taken to prevent "this type of reckless dissemination" in future.

In a similar statement, Sen. Joseph Lieberman (I-Conn.) called the release of the SOP manual an "embarrassing mistake." "A security manual, redacted or not, is not the type of document we want to share with the world," Lieberman noted, adding that the improper redaction only compounds the error.
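The blog's point, that a black box drawn over text leaves the text in the file, is easy to verify before publishing a document. The following is an added example, not code from the article, the TSA or the blog: it builds a minimal one-page PDF in memory two ways, with a filled rectangle painted over the text operator and with the text operator removed, and then scans every content stream for the strings a text extractor would still recover. The sample sentence, the PDF layout and the function names are all constructed for this demonstration; only the standard library is used.

```python
import re
import zlib

SENSITIVE = b"NO PART OF THIS RECORD MAY BE DISCLOSED"  # constructed sample sentence

def build_pdf(content: bytes, compress: bool = False) -> bytes:
    """Wrap one content stream in a minimal single-page PDF (constructed for the demo)."""
    filt = b""
    if compress:  # real-world producers usually Flate-compress content streams
        content, filt = zlib.compress(content), b" /Filter /FlateDecode"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d%s >>\nstream\n%s\nendstream" % (len(content), filt, content),
    ]
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return out

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
TJ_RE = re.compile(rb"\(([^()\\]*)\)\s*Tj")  # literal strings without escapes or nesting

def leaked_text(pdf: bytes) -> list:
    """Every literal string a Tj operator would still draw, whatever is painted over it.

    Inflates FlateDecode streams and scans the others raw. It ignores TJ arrays,
    hex strings and escaped parentheses, so an empty result is a necessary check,
    not proof that a file is clean.
    """
    found = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # not a Flate stream: scan the bytes as they are
        found.extend(TJ_RE.findall(data))
    return found

# Draw-a-box "redaction": the text operator survives beneath the filled rectangle.
BOX_OVER_TEXT = b"BT /F1 12 Tf 72 700 Td (" + SENSITIVE + b") Tj ET\n0 g 70 696 300 16 re f\n"
# Actual redaction: the text operator is removed before the box is drawn.
TEXT_REMOVED = b"0 g 70 696 300 16 re f\n"

def redaction_check(content: bytes, compress: bool = False) -> list:
    """Build the PDF from a content stream and report what still extracts from it."""
    return leaked_text(build_pdf(content, compress))

if __name__ == "__main__":
    for label, stream in (("box over text", BOX_OVER_TEXT), ("text removed", TEXT_REMOVED)):
        print(f"{label:14s} -> {redaction_check(stream, compress=True)}")
```

Running a text extractor over the finished file, rather than looking at the rendered page, is the check that would have caught this before the document went online.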

Cisco's struggle to move TelePresence down market prompts Tandberg buyout

Cisco's $3 billion bid this week for Tandberg is a gamble that video conferencing can take off in the small/medium business and consumer markets, which to date haven't embraced Cisco's TelePresence systems. Tandberg, based in Norway, makes video conferencing systems for desktops and personal computers, as well as higher-end units, and owned 40% of the $2 billion worldwide market in Q2. Cisco TelePresence systems, meanwhile, are predominantly for conference rooms and can cost hundreds of thousands of dollars, though lower-end versions have been introduced as well. Cisco has pegged telepresence as one of its Advanced Technologies, defined as those technologies with the potential to develop into a $1 billion-a-year business. With the deal, Cisco would catapult itself from the leader in telepresence – which represents just 1% of the video conferencing units sold – to the clear leader in all of video conferencing, says Ira Weinstein, an analyst with Wainhouse Research. "The breadth of what they can deliver has been massively expanded," he says. But the deal is an admission by Cisco that it has been challenged in bringing TelePresence systems down market, analysts say.

About 18 months ago, Cisco rolled out the TelePresence 500 system for "personal" virtual conferencing in private offices, but analysts say that system has had a hard time cracking a market already well served by Tandberg, Polycom, LifeSize and others. "They've struggled," says Vanessa Alvarez, an analyst at Frost & Sullivan. "They weren't going to capture a significant share. So if you can't beat them you might as well join them."

Another challenge for Cisco will be to bring all of its different piece parts of video conferencing and telepresence together, says Ken Dulaney of Gartner. "It's not clear that people want to buy a lot of pieces," Dulaney says. He compares Cisco's portfolio to that of Microsoft, which starts from a common base of Exchange and features an integrated client. "Those endpoints will be difficult for Cisco to achieve," he says. Without such interoperability, business-to-business conferencing won't proliferate, and that will limit demand for the gear, he says. The key to success with the deal is for Cisco to embrace Tandberg's leadership in adopting standards that make interoperability with other vendors' telepresence gear simpler, says Henry Dewing, an analyst with Forrester Research.

So far, Cisco has been lagging. "There's lots of different standards Cisco meets to get [traffic from other vendors' gear] into Cisco telepresence rooms," Dewing says. "But getting it out to anyplace else is hard." In 2007, Tandberg bought Codian, which developed video bridge technology to simplify interconnecting devices that use different codecs and other interfaces, Dewing says. Tandberg's bridge technology is more advanced than Cisco's, he says.

One Cisco TelePresence customer contacted by Network World says the deal is good news. The international law firm DLA Piper installed Cisco gear earlier this year and would like it to work with the video conferencing equipment it already had in place. "I have a lot of legacy Tandberg equipment, and the merger will likely ensure tighter integration in the future. Plus, I think it will address some of my interoperability concerns a bit more quickly," says Don Jaycox, CIO of DLA Piper's USA division.

Cisco will have some product overlap issues with which to contend, as the vendors' telepresence offerings overlap. But customers that Tandberg would fight over with Polycom will now become deals that Cisco can participate in because it will have more lower-end products. Tandberg also has very strong sales partners in videoconferencing that Cisco will benefit from, Weinstein says. Tandberg alliances with Avaya and Microsoft, however, will likely languish with Tandberg as part of Cisco, Weinstein says. Cisco competes with Avaya in telephony and Microsoft in unified communications, so it is likely the two will back off the arrangements, he says. "If you're Avaya, buying Tandberg puts money into the pockets of Cisco," he says.

Video as a killer app

Dulaney says the acquisition indicates that Cisco believes video will be a killer app – and fuel sales of its routers and switches. "They're making a big bet on video to protect themselves from commoditization," Dulaney says. "If you're going to make a bet you might as well own all of the properties." Dewing agrees. He says Cisco wants to do all it can to drive telepresence and video conferencing because that will create more demand for network capacity. "They want as much video on the network as soon as possible because it eats up the bandwidth," Dewing says. "That will create demand for switches and routers and other network devices and that is the light on the horizon for Cisco."

Through its own internal research, Cisco found that global IP traffic will increase fivefold by 2013 due in large part to new forms and expanded usage of interactive media, and the "explosion" of video content across multiple devices. By 2013, the sum of all forms of video - TV, VoD, Internet video, and peer-to-peer - will exceed 90% of global consumer IP traffic, according to Cisco's Visual Networking Index. Video communications traffic - video over instant messaging, and video calls - will increase 10-fold from 2008 to 2013, the Cisco VNI found.

Moving TelePresence down market is key to Cisco's vision. But doing it through internal development would be harder for Cisco than acquiring product and share, says Irwin Lazar of Nemertes Research. "They looked at the market and discovered it would take a while and cost a lot of money, and they'd still face vendors much further along," Lazar says. Acquiring Tandberg and placing all small- and medium-sized video conferencing and TelePresence responsibilities with the Norwegian firm "accelerates R&D significantly" for Cisco, Lazar says. He says he expects more consolidation in the market with HP, Avaya or Microsoft possibly interested in snapping up Polycom or LifeSize or other smaller players.

A downside for enterprise users, however, is that there are now only two major players in business video conferencing: Cisco and Polycom, Lazar says.

Broadband stimulus grants delayed

One of the government agencies in charge of doling out broadband stimulus cash has pushed back the dates for when it will start handing out grants. The National Telecommunications and Information Administration (NTIA) said in a filing with the U.S. House and Senate Appropriations Committees this week that it was planning to start awarding broadband stimulus grants this December and would begin funding the grants in February of next year. The NTIA's original timeline had been to fund all first-round projects by year-end, but the agency says that it has had to push back its timeline due to "the large number of complex applications and the voluminous amount of information the agency needs to review." This past August, the NTIA and the Rural Utilities Service said they had received roughly 2,200 applications for the $4 billion worth of grants available for broadband projects in the United States. The applications, which were submitted earlier in the year, requested funds for a total of about $28 billion in broadband projects, or seven times the total funds available.

The $4 billion in grants currently available to applicants is just the first part of the $7.2 billion that the government has allotted to fund broadband infrastructure investment over the next two years. Of that money, $4.7 billion has been given to the NTIA to award grants for projects that will build out broadband infrastructure in un-served or under-served areas; to deliver broadband capabilities for public safety agencies; and to stimulate broadband demand through training and education. The remaining $2.5 billion in broadband stimulus money has been allotted to the Department of Agriculture to make loans to companies building out broadband infrastructure in rural areas. The broadband grants are being awarded as part of the larger $787 billion economic stimulus package passed into law earlier this year. Because the NTIA and RUS have received so many requests, they now plan to release the rest of the funds for projects early next year rather than having two separate rounds of awards.

Microsoft's new lab pushes social networking boundaries

DENVER - Microsoft's Lili Cheng's passion is making things that solve real problems, so as the leader of the company's new FUSE Labs she fully expects to blur the line between pure research and product development. Her rationale is simple. "In some sense if you are building social software and you don't deploy, you have no idea if it works or not," she says. In fact, after only a month with its doors open, FUSE (Future Social Experiences) has done just that, helping Microsoft's Bing team release a marriage of the search engine and Twitter just two weeks ago. "The project was very experimental but once [the Bing team] saw the stuff we had they thought it would be great to try to ship it," she said of what she considers FUSE's first by-product.

Cheng spoke with Network World at the annual Defrag Conference around social computing and the social Web. Cheng says FUSE will embed itself with Microsoft product teams from SharePoint to Xbox and whoever is "fun to work with." Cheng says the Bing/Twitter project is a great example of the concept. "We just ship with the product team," she says. "I like that model, especially for [version 1] stuff." She describes FUSE as an advanced development research group. "We are pretty good at it because we just go for it," she says. Cheng is not some young maverick who thinks caution belongs in a stiff wind; she has an extensive and respected background in research, including director of the Creative Systems Group at Microsoft Research.

She started the Social Computing Group within Microsoft Research in 2001. The team built social networking prototypes including Wallop, which spun out as a separate company in 2004; Photostory, which shipped in Windows; and the Sapphire project, an early vision for redesigning Windows. Cheng joined Microsoft in 1995 in the virtual worlds research group and worked on social applications such as V-Chat and Comic Chat. Before Microsoft she worked in Apple's Advanced Technology Group, on the user interface research team. From 2004 to 2006 she crossed over to the product side and was the director of user experience for Windows and helped get Vista out the door.

The lab is one of three - the others being Microsoft's Rich Media Labs and Startup Labs - that were merged to create FUSE. She was appointed FUSE director last month by Microsoft chief software architect Ray Ozzie, who told Microsoft staff in a memo: "I've known Lili for many years, and have long been impressed by her vision and ability to create; to engage yet to also inspire; to lead; to make tough choices; to deliver." "I think the move to the labs is very natural. Ray and I interact all the time and he is just all over this [social experiences]," she says.

While Cheng won't give concrete examples of current projects, she says there is ongoing work with the SharePoint and Outlook teams and there is fascination with Twitter. "We are fascinated by the sharing of information in these systems and how you can make it more accessible," she says, mentioning Twitter's recent addition of a list capability. "If you add a little machine learning to lists and groups you could help people's experiences a lot more." She says as people consume more and more information the question becomes: "How do we make that easier and how do we help people manage their time?" Cheng says FUSE's focus won't be strictly enterprise, but a major goal will be to embed social activity into business processes such as collaboration and where "social" meets real-time and entertainment. She says, however, the rapid rise of social computing and social networking makes it hard to think too far into the future. "If you look at young people and the way they communicate and socialize it is hard to say where it is going to go." Regardless of where everything ends up, Cheng hopes users have the new tools in their hands. "If people can use some great new cool social stuff from Microsoft that would be awesome," she says.