When password security questions aren’t secure


When you select a password, you might choose to store it in a password manager, write it down, or commit it to memory (see How to remember passwords for some advice). Sometimes, however, things go wrong: You find yourself without access to your password manager, you lose the paper on which you recorded your passwords, or you forget a password you thought you memorized. Or maybe someone tries to break into one of your accounts, and after a few unsuccessful attempts at entering your password, the site locks out further access until you can confirm your identity.

In all those cases, online services need a secondary way of granting you access to your account or your data when you don't have (or can't use) your password. Sometimes, especially in lower-security situations such as access to an online publication or discussion forum, the provider lets you click a link that results in your existing password, a new password, or password-reset instructions being sent to the email address you have on file. When those simple mechanisms are considered too insecure, the site may ask you to respond to verification questions for which you've previously provided the answers.

Unfortunately, password-reset messages and verification questions come with their own problems and risks. You can reduce your chances of being hacked (or of being unable to respond correctly to one of these questions) by following a few simple tips.

Prevent password-reset mischief

Of all your passwords, the one for your email account may be the most valuable. That's because whoever has access to your email account will be able to read and click links in any password-reset messages you receive (such as when you click an 'I Forgot My Password' link). A hacker who guessed or stole just that one password could unlock many other accounts and do all sorts of damage. You can limit your risk here in a couple of ways.

Use a dedicated password-reset account: Consider setting up a new email account for yourself (using a free service such as Gmail) with an address that you'll never share or post publicly. Use this account only when prompted to supply an email address for the purpose of verifying or resetting your passwords. That way, even if someone breaks into your main email account, the security of your other accounts won't be compromised.

Take extra care with your email account password: Be sure to choose an especially secure password for your email account. Make sure to set your email client to communicate securely with the mail server (using Secure Sockets Layer, or SSL, protocols, for example) so that your password never travels over the air unencrypted. In Apple's Mail, select Mail > Preferences, click Accounts, choose an email account from the list, and click Advanced. Here you'll see the option Use SSL.

Question the questions

Security questions, such as the timeless classic 'What is your mother's maiden name?', are supposed to have answers that you'll never forget but that most other people won't know or be able to guess. Unfortunately, most of the questions from which you can choose aren't secure at all.

Your mother's maiden name is a matter of public record, and nearly anyone can learn it online in a few minutes. If you ever wrote a blog entry or a Facebook post about your first pet, your favorite teacher, or other common security question topics, those facts are in the public domain too. To make matters worse, some questions invite ambiguous answers, which could work against you. Where did you meet your spouse? That might be in New York or at a baseball game or at Yankee Stadium, for example. Years from now, will you remember which answer you gave?

Devise memorable lies: To address such problems, there's only one right way to answer verification questions: lie. And don't just lie, but come up with one or more answers that follow the same rules as other passwords to prevent guessability; use either a reasonably long (but memorable) phrase or a series of random characters. So, what was the name of my first pet? Why, it was bookends-qualitative. My mother's maiden name? Her dad was Mr. E27jrdU!8. My favorite car? I loved my 1986 Toyota Recalibration Cantaloupe. It doesn't matter what answers you give, as long as you and you alone know what they are, and can supply the same ones you entered previously if asked.

I know one security expert who says he normally uses the same pseudo-random answer everywhere, although some companies (including Apple) require you to provide different answers to each of several questions, meaning you have even more password-like data to keep track of. Of course, you can write down your answers or store them in a password manager, but then the same problems that prevent you from accessing your password could prevent you from accessing your security answers.

You might make up a little story for yourself about fictional parents, cars, pets, and the like that you can memorize and then draw on when asked for security answers on different sites. Ultimately, since you're not going to be giving truthful answers, you should go out of your way to remember which lie(s) you told.

Keep them phone friendly: Remember that you could wind up in a situation where you'll have to supply these answers over the phone. If that should happen, both you and the person on the other end will have an easier time coping with a series of plain-English words than a bunch of random characters.
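As an added example (mine, not the article's), here is a generator for the two kinds of made-up answer recommended above: a word-based form that is easy to read over the phone, and a random-character form, with the entropy each one gives. It also produces one distinct answer per question, since the article notes that some services refuse repeated answers. The 32-word list is constructed for illustration only; a real generator should draw from a published list of several thousand words, and the entropy figures show why. The function names are my own.

```python
import math
import secrets
import string

# Constructed 32-word list for this example only. A real generator should use
# a large published wordlist; the entropy figures below show why size matters.
WORDLIST = [
    "anchor", "bottle", "candle", "desert", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nickel", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xylophone",
    "yonder", "zipper", "acorn", "bishop", "copper", "dagger", "engine", "fossil",
]

PUNCTUATION = "!#$%&*+-=?@_"
CHAR_ALPHABET = string.ascii_letters + string.digits + PUNCTUATION  # 74 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of an answer built from `length` uniformly random picks."""
    return length * math.log2(alphabet_size)


def word_answer(n_words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Phone-friendly answer: random words joined by a separator, in the style
    of 'bookends-qualitative' above (but chosen by a CSPRNG, not by hand)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def char_answer(length: int = 12, alphabet: str = CHAR_ALPHABET) -> str:
    """Compact random-character answer; strong, but hard to dictate by phone."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def distinct_answers(questions, maker=word_answer) -> dict:
    """One fresh answer per question. Services that reject repeated answers
    (Apple is named in the article) are satisfied by regenerating on collision."""
    answers = {}
    used = set()
    for question in questions:
        answer = maker()
        while answer in used:
            answer = maker()
        used.add(answer)
        answers[question] = answer
    return answers


if __name__ == "__main__":
    questions = ["First pet?", "Mother's maiden name?", "Favorite car?"]
    for q, a in distinct_answers(questions).items():
        print(f"{q:24} {a}")
    print(f"{len(WORDLIST)}-word list, 4 words:  {entropy_bits(len(WORDLIST), 4):.1f} bits")
    print(f"7776-word list, 4 words: {entropy_bits(7776, 4):.1f} bits")
    print(f"{len(CHAR_ALPHABET)} symbols, 12 chars:   {entropy_bits(len(CHAR_ALPHABET), 12):.1f} bits")
```

Four words from the toy list give only 20 bits, which is why the list size matters more than the word count; four words from a 7776-word list give about 52 bits, comparable to a 12-character random string from a 74-symbol alphabet, while staying readable aloud. Whatever the form, the answers belong in the same password manager as the passwords.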

How to change your security questions and answers

Each service that uses security questions has its own procedure for choosing the questions and answers (and for changing them after the fact). Check the FAQ pages on the websites for your bank and other important accounts to see how to modify your responses.

Update your Apple info: To change the questions or answers for an Apple ID (which you use for iCloud, among many other purposes), go to the Apple ID page, click Manage your Apple ID, enter your username and password, and click Sign in. On the left, choose Password and Security. Answer your existing security questions, and click Continue. Then you can choose new questions and answers (remember, no two answers can be the same) and also edit your Rescue Email Address if you like. Click Save when you're done.

Update your Google info: If you have a Google account (for Gmail and other services), log in as you normally would. Click the gear icon in the upper-right corner of the window and choose Settings from the pop-up menu. Click Accounts and Import followed by Change password recovery options. Under Security question, click Edit. Choose one of the existing security questions or write your own, and fill in your answer. If you also want to change your secondary address, click the Edit link in the 'Recovery email address' section and fill in the new address. Then click Save.

5 Ways to Stay Safe Online on Black Friday, Cyber Monday


Thanksgiving is just around the corner in the U.S., and so are Black Friday and Cyber Monday, two of the busiest shopping days of the year. It's also a peak period for malware, phishing and spam. Since employees are increasingly using their own devices to access corporate resources (or simply using a work PC to sneak in a little shopping on Cyber Monday), it's a good idea to share some best practices with your users to help protect them and your network from threats.

"You could tell them no," says Bob Bunge, professor of Cyber Security in the College of Engineering and Information Sciences at DeVry University. "In some circumstances, that's absolutely what you should be telling them. Don't use the office network for retail. It's just a bad idea, period. It's a lousy, bad thing to do."

However, employees often don't perceive the security threat as acutely as IT managers do, so a few pointers on keeping safe are a good idea. After all, shopping sites are among the top malware-infected sites on the Web, according to Symantec.

Five Best Practices to Stay Safe Online

When it comes to dodging malware and phishing attacks, there are a few simple things you can watch for on shopping sites to help keep you safe:

Look for an HTTPS and/or padlock in the address bar before submitting personal information on a website. This is a sign that the site is leveraging the SSL/TLS cryptographic protocol to secure your communications with the website in question. This helps protect against man-in-the-middle attacks that allow an attacker to intercept your communications with the site and inject new ones.

Look for your browser address bar to light up green. This is an indication that the identity of the website you're visiting has been strictly validated with an Extended Validation Certificate. In other words, you really are at the website of the merchant you're trying to shop with rather than fake site created by a malicious attacker to fool you into sharing personal information.

Look for a trust seal. Many merchant websites bear trust seals, usually at the bottom of the home page or on pages where you are asked to provide personal information. They come in many different shapes, sizes and colors and are used to verify a number of different claims about a website, from its use of data encryption to its status as a legitimate business entity. For instance, the TRUSTe seal is a privacy seal that indicates TRUSTe has reviewed the site's privacy policy, while the Verisign Trust Seal verifies the identity of a website's owner and operator and that the site is subject to daily malware scans and uses verified data encryption. Scammers can forge a legitimate seal, so you should always verify a trust seal's authenticity by clicking on it and checking the seal's validation page.

If an offer in an online ad or email sounds too good to be true, avoid it. These are often lures to infect you with malware or gather your personal information. "If it sounds scammy, it's probably scammy," Bunge says. "If I had to cut a large IT security training program into just a paragraph or so, probably the first thing I'd say is 'Don't click on that link!' The whole phishing industry nowadays is based on finding ever more creative ways to get you to click on some link."

Use good passwords. Pay attention to the passwords for your email, social networking and online banking accounts. Don't use the same one for everything. "Add up the asset value of everything in the world you have attached to that password," Bunge says. "All your email, all your online storage, all your credit cards and bank accounts: that's an awful lot of asset attached to just one password." Symantec recommends you use passwords that are at least eight characters, a random mixture of upper and lower case characters (including numbers, punctuation and symbols) and are not found in the dictionary. Additionally, never use the same password twice and change your passwords every six months.

"My main advice to consumers is to get yourself simple, reliable routines," Bunge says. "Find three, four or five online merchants that you trust and stick to known commodities. If you do want to branch out and surf the general Internet and try some merchants you haven't worked with before, do some research. Put the name of the merchant in a search engine and see how often 'fraud' or 'rip off' pop up."

Facebook moves all users to HTTPS for added security


The move adds a layer of encryption to data transfer, making the information harder to see by attackers.

Just in time for holiday travels, Facebook is moving all users to HTTPS connections to help block attacks over Wi-Fi networks.

HTTPS is a secure version of the Hypertext Transfer Protocol, the essential method your browser uses to connect with websites. At the expense of a little speed, it adds a layer of encryption to data transfer, making the information harder to see by attackers on the same wireless network.

Without HTTPS, gathering information over a local network is surprisingly simple. Packet sniffers such as Firesheep and FaceNiff are designed specifically for this purpose, and require very little technical know-how. Indeed, these tools caused a bit of a stir when they first emerged, because they made it so easy to discover other people's login details or other sensitive information over standard HTTP connections.

As a result, more Web services have adopted HTTPS, beyond just financial institutions and e-commerce sites. In 2010, Gmail made HTTPS the default for all users. Twitter did the same this year.

Facebook added HTTPS as an option last year, but at the time, many third-party apps didn't support the protocol. All apps have since been required to support HTTPS, and now Facebook is rolling out the added security measure to all users.

Encryption does add load time to Web pages, so there is a small tradeoff of speed for security. For that reason, users will have the ability to opt-out of HTTPS in their account settings, according to TechCrunch.

To see if the site you're on is using an HTTPS connection, just look at the address bar. For Facebook, you should see https://www.facebook.com if the connection is secure.

For added security on other sites, Chrome and Firefox users can install the HTTPS Everywhere add-on. This will automatically activate HTTPS on sites where it's supported but not activated by default. If you're worried about virtual creepers, it could come in handy during holiday travels as you're bouncing between public Wi-Fi hotspots.
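As an added example (my code, not Facebook's, TechCrunch's or the HTTPS Everywhere project's), here is the server-side counterpart to the address-bar check from the Black Friday article and the HTTPS rollout described here, plus a toy version of the rule-driven URL upgrading that HTTPS Everywhere does in the browser. Turning on HTTPS is not enough on its own: a session cookie set without the Secure flag is still sent on any plain-HTTP request to the site, where the sniffers named above can read it, and without a Strict-Transport-Security header the browser keeps following http:// links first. The hostnames, rewrite rules and sample responses are constructed for illustration; the one-year HSTS threshold is a common recommendation, not a rule from the article.

```python
import re

# Constructed rewrite rules in the spirit of HTTPS Everywhere's per-site rulesets
# (hypothetical hosts; the real project ships XML rulesets, not this list).
UPGRADE_RULES = [
    (re.compile(r"^http://(www\.)?example-social\.test/"), "https://www.example-social.test/"),
    (re.compile(r"^http://(?:www\.)?example-shop\.test/"), "https://example-shop.test/"),
]

ONE_YEAR = 31536000  # seconds; a common minimum for HSTS max-age


def upgrade_url(url: str, rules=UPGRADE_RULES) -> str:
    """Rewrite a plain-HTTP URL to HTTPS when a rule covers its host.
    URLs no rule matches are returned unchanged, as the add-on leaves them."""
    for pattern, replacement in rules:
        if pattern.match(url):
            return pattern.sub(replacement, url, count=1)
    return url


def is_https(url: str) -> bool:
    """The address-bar check from the articles, applied to the URL string."""
    return url.lower().startswith("https://")


def audit_headers(headers) -> list:
    """Flag response headers that leave an HTTPS site exposed to the sniffing
    described above. `headers` is a list of (name, value) pairs so that
    repeated Set-Cookie headers stay separate."""
    findings = []
    hsts = [value for name, value in headers if name.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        match = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names after the first "name=value" pair, case-folded.
        attributes = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
        if "secure" not in attributes:
            findings.append(f"cookie {cookie_name!r} lacks Secure (sent over plain HTTP too)")
        if "httponly" not in attributes:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly (readable by page scripts)")
    return findings


# Constructed sample responses: one from a site that only switched on HTTPS,
# one that also hardened its headers.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for url in ("http://www.example-social.test/home", "http://example-shop.test/cart", "http://other.test/"):
        upgraded = upgrade_url(url)
        print(f"{url} -> {upgraded} ({'https' if is_https(upgraded) else 'still plain http'})")
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or ["no findings"])
```

The upgrade function leaves unknown hosts alone, which is the add-on's behaviour too: it can only help where HTTPS is actually offered. The header audit is the check to run against your own site after a move like Facebook's, since the Secure flag and HSTS are what close the plain-HTTP gap that sniffing relies on.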

Nine security controls to look for in cloud contracts


LAS VEGAS — Palo Alto Networks founder and CTO Nir Zuk took to the stage to deliver the closing keynote address at the company's first-ever user conference here by trumpeting his company's success in firewall innovation and what he described as his competitors' weak attempts to follow.

Zuk, an engineer who once worked at Check Point and Juniper, has more than once enjoyed delivering feisty jabs at his former employers which, along with others such as Sourcefire and Cisco, have come to develop application-aware firewalls that compete with Palo Alto's next-generation firewalls (NGFW). But yesterday in his keynote address, Zuk pulled out all the stops and lambasted his competitors, whom he ridiculed as being on "death row" in terms of their ability to compete against Palo Alto.

"They do what all inmates do, file appeals," Zuk said. He said competitors' products with NGFW application-layer controls can only be considered "lipstick on a pig," a statement illustrated on the movie-size screen behind him on stage by a pig with bright red lips.

Israeli-born Zuk then turned to his native language, Hebrew, to dismiss them all with a biblical expression, saying their fate in the NGFW market can be summed up as "Let me die with the Philistines," the cry of Samson as he pulled the temple down around him. He added: "It sounds better in Hebrew."

But that was just for starters. Zuk continued his rant against Check Point, claiming this rival is offering 85% discounts to customers to take their firewall products, basically saying they "give away products for free" because of Palo Alto's success. Check Point "truly believes they do what Palo Alto does," he said, dismissing Check Point as weak in the area where Palo Alto has focused, application-aware firewalls.

Zuk then turned his attention to a new class of competitors, firms that offer specialized anti-malware services and products, including Damballa, Sourcefire and FireEye. He ran through a list of perceived shortcomings in how they might detect malware and provide prevention, an exercise clearly intended to promote Palo Alto's own WildFire anti-malware service associated with its NGFW.

Palo Alto's growing focus on making its NGFW the place in the enterprise network to manage security in a range of ways was highlighted by Zuk's brief remarks that, as far as the future goes, there's thought being given to how mobile device malware detection could be done well on the network rather than via scans on the device itself. But he left it at that, saying there are a few technology areas that Palo Alto does not see getting into: Web application firewalls or full-featured data-loss prevention.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.

In this situation, a contract would state that, if there is a security breach, the provider is responsible for the customer's losses.

Effectiveness: Theoretically high

How common? Never

Hacking insurance

Insurance by a third party, or by the vendor could help displace costs resulting from a security or data loss issue.

Effectiveness: Potentially helpful, but like the downtime credits, does not necessarily create an incentive for the provider to avoid a breach

How common? Rare, but growing

Negotiate security clauses

These allow customers to negotiate higher levels of security for certain programs or data.

Effectiveness: Potentially high

How common? Mostly for large customers only

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.

Cybersecurity bill fails in US Senate


Some senators had raised concerns about government authority and privacy issues in the legislation

The U.S. Senate has voted against moving forward on a cybersecurity bill that supporters have called critical for national security.

The Senate late Wednesday voted 51-47 to end debate and move toward a final vote on the Cybersecurity Act (http://www.hsgac.senate.gov/issues/cybersecurity), but 60 votes were needed to move the bill forward. The Senate also failed to move forward on the bill during an August vote (http://www.pcworld.com/article/260267/senate_delays_maybe_kills_cybersecurity_bill.html).

Tech trade group BSA called on lawmakers to give a high priority to cybersecurity legislation in 2013.

"It is disappointing that senators haven't yet been able to reach an agreement on cybersecurity legislation — but stalemate doesn't make the issue go away," BSA President and CEO Robert Holleyman said in a statement. "There is no getting around the fact that we need to bolster America's cybersecurity capabilities. We urge both parties to put this issue at the top of the agenda in the next Congress."

Some Republicans have raised questions about the bill, which would allow the U.S. Department of Homeland Security to set cybersecurity standards, developed with the help of private companies, for operators of critical infrastructure. Critics have said the bill gives DHS too much power.

Other senators have raised privacy concerns about the bill, saying it would allow Internet service providers and other Web businesses to spy on customers to share information with the government without the need for a warrant.

The bill would create a new intra-agency council to work with private companies to develop cybersecurity standards that businesses could voluntarily adopt. The bill would offer incentives to companies that volunteer for cybersecurity programs, including protection from lawsuits related to cyberincidents and increased help and information on cybersecurity issues from U.S. agencies.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

UN’s civil aviation body recommends cybersecurity task force


The U.N.'s civil aviation body will recommend creating a cybersecurity task force at a meeting next week in Canada, as new technologies introduced into aviation systems are increasing the risk of cyberattacks.

The International Civil Aviation Organization (ICAO) said a task force is needed due to an increasing reliance on interconnected IT systems with operating systems such as Microsoft Windows and Linux, and protocols such as IPv6 and Avionics Full Duplex Switched Ethernet (AFDX), according to a working paper.

"Currently cyber security is a relatively minor issue in civil aviation, but this is changing," the ICAO wrote. "Although the adoption of new technology is an ongoing activity in civil aviation, the current pace and extent of new information technologies is notably increasing the risk from cyber attacks."

Earlier this year, at the Black Hat security conference, Cyprus-based researcher Andrei Costin showed major problems in ADS-B (automatic dependent surveillance broadcast), a next-generation protocol used by air traffic control systems to track aircraft positions.

Costin, who also gave his presentation at the Power of Community (POC2012) security conference on Friday in Seoul, described weaknesses in the ADS-B protocol, which has been adopted so far in Australia and in busy flying areas in the U.S. It allows for more precise aircraft tracking, which allows more planes to fly closer together in the sky, carrying more passengers and bringing in more revenue.

Costin showed how it was possible to tamper with ADS-B tracking data for planes in the sky and also make planes that aren't flying appear to be in the sky to air traffic controllers. The equipment needed for such an attack costs as little as US$1,500. The weaknesses in ADS-B have been known for years, but Costin showed on Friday a practical attack.

"Basically, we kind of helped them [the ICAO] understand that there's a real problem and a real risk in this," Costin said.

But while an ICAO cybersecurity task force would be a good development, it won't mean a fix for the ADS-B protocol, Costin said. Fixing ADS-B will be difficult and could cost billions of dollars, he said, an effort that has no business incentive and wouldn't bring in new revenue.

"Nobody will do it [fix ADS-B] for the next 50 years for sure unless there is a big attack," Costin said.

The ICAO cited Costin's research as well as other vulnerabilities, such as jamming of GPS signals, and malicious incidents, as justification for a cyber security task force. In one example, the ICAO wrote three software engineers were accused of sabotaging code in June 2011 at a new airport terminal, allegedly because they didn't get a pay increase from a subcontractor.

Three days later, check-in services failed at the terminal, with 50 flights delayed. Cyberattacks could have "an effect analogous with the recent Icelandic volcanic ash problems, shutting down air travel across parts of Europe for several days. In that case estimated costs run into the billions of dollars or euros," the ICAO wrote.

ICAO's 12th Air Navigation Conference is scheduled to run from Nov. 19-30 in Montreal.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Huawei security chief: We can help keep U.S. safe from ‘Net threats


The chief security officer of Huawei, the Chinese company recently flagged by Congress as a national security threat, says the network equipment maker could actually help the United States defend itself against malicious Internet traffic.

Andy Purdy, Huawei Technologies' CSO, spoke here today on a Cloud Security Alliance Congress panel of security experts from the U.S. government and industry that raised warnings about Chinese espionage across the Internet.

In representing the sole China-based company on the panel, Purdy said there are ongoing discussions between the U.S. and China on supply-chain safety, and private companies should be part of it. There should be "openness, transparency and freedom," he said.

"Part of the planning of the U.S. hopefully is collaboration with the private sector and part of the strategy should be planning how to block malicious traffic," said Purdy, adding ISPs could do that. He said: "It's disgraceful the government isn't doing anything to address the Internet underground."

Purdy pointed out that Huawei agreed with the U.S. administration about possible risks to the global supply chain. He noted that Huawei, with $32 billion in revenues, makes less than $2 billion in the U.S., but a third of its components come from the U.S., meaning thousands of U.S. jobs are supported.

Nevertheless, China has been stealing vast amounts of U.S. corporate intellectual property by breaking into networks, said Scott Borg, director and chief economist for the U.S. Cyber Consequences Unit, described as a research organization set up by the U.S. government specifically to look at the nature of cyberattacks and supply-chain safety issues.

"We're also finding malicious firmware in products from China," Borg said. "China and Chinese companies aren't playing by the same rules we are."

Borg said that research indicates that China, as a country rapidly climbing out of poverty into wealth, has done that largely by "copying the developed countries," and if someone doesn't hand you the basic technology to do this, you steal it. "Stealing is part of the national economic development model for China," he said. China has basically held its people hostage, encouraging them in this, in order to raise the standard of living, he continued.

However, Borg said other companies are tired of getting hacked and "taking it on the chin." He suggested there's now increasing interest in fighting back, and this would mean carrying out counter-strikes in some way.

Marcus Sachs, vice president for cybersecurity at Verizon, also on the panel, said the idea of hiring private armed guards to defend you is well-established in the physical world, and thus raises the question, "Why not do that in cyberspace?" But he pointed out that the armed guards in the physical world face limited distances in which to act, while in cyberspace you're across the planet within milliseconds. He said counter-strikes of any sort will come down to a deep consideration of policy issues.

John Streufert, director of the National Cybersecurity Division at the Department of Homeland Security, said offensive cybersecurity is the responsibility of the military in the U.S., and he said if citizens see specific threat problems they should report them.

But during a session later in the day, Streufert also described a long-planned DHS program called Continuous Monitoring. Coming soon will be a contract solicitation for managed security services called Continuous Diagnostics and Mitigation, including cloud-based services, to protect civilian federal agencies' data from stealthy attacks.

The Continuous Monitoring concept calls for a layer of sensors and scanners to check hardware and software used by the federal government for vulnerabilities.

A project expected to take the federal government a few years to complete, it would include a security dashboard view managed by Continuous Monitoring service providers that would likely be shared at the agency department level. Streufert called it a "cyberscope" for the federal agencies.

Streufert said the goal is to get the agencies away from the hugely expensive paper-based vulnerability reports they generate today that are seen as inefficient and untimely. The program could extend as well to state and local government agencies, he said, for an estimated total of up to 25 million seats.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.

Adobe, now ‘married’ to Microsoft, moves Flash updates to Patch Tuesday


Adobe on Tuesday announced that it will pair future security updates for its popular Flash Player with Microsoft's Patch Tuesday schedule.

At the same time, Adobe issued an update that patched seven critical Flash vulnerabilities, and Microsoft shipped fixes for Internet Explorer 10 (IE10), which includes an embedded copy of Flash.

But the move to synchronize Flash Player updates with Microsoft's monthly patch schedule was the bigger news. "Starting with the next Flash Player security update, we plan to release regularly-scheduled security updates for Flash Player on 'Patch Tuesdays,'" Adobe said in a statement yesterday.

"Microsoft and Adobe are now officially married," cracked Andrew Storms, director of security operations at nCircle Security, in an email reply to questions. "They started dating when they decided to share the MAPP program [and] once Microsoft agreed to embed Flash in IE10, [it was] inevitable that Adobe was going to be strong-armed into following Microsoft's patch cadence."

Under MAPP, for "Microsoft Active Protections Program," Microsoft provides select security vendors pre-patch information to give them time to craft detection signatures for upcoming exploits or malware. In July 2010, Adobe began using MAPP to deliver vulnerability information about its products to security firms.

Microsoft issues its security updates on the second Tuesday of each month, but up to now Adobe has released Flash bug fixes at irregular intervals. So far this year, Adobe has released nine Flash security updates: One in February, two in March, one each in May and June, two in August, one in October, and one in November.
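The schedule just described is easy to compute, and here is an added example of doing so (my code, not Microsoft's or Adobe's) so that a patch-management calendar can be generated rather than looked up: the second Tuesday of a month, a full year's dates, and the next one after an arbitrary date. 2012 is used in the demo because it is the year the release history above covers; the function names are my own.

```python
from datetime import date, timedelta

TUESDAY = 1  # datetime.weekday(): Monday is 0


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month: find the first Tuesday, add a week."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def year_schedule(year: int) -> list:
    """All twelve Patch Tuesdays of a year, in order."""
    return [patch_tuesday(year, month) for month in range(1, 13)]


def next_patch_tuesday(today: date) -> date:
    """First Patch Tuesday on or after `today`, rolling into the next month
    (or year) when this month's has already passed."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return patch_tuesday(year, month)


def days_until_next(today: date) -> int:
    """Lead time a roll-out has before the next scheduled batch."""
    return (next_patch_tuesday(today) - today).days


if __name__ == "__main__":
    for d in year_schedule(2012):
        print(d.isoformat())
    today = date(2012, 11, 14)  # the day after the November update reported above
    print("next:", next_patch_tuesday(today), "in", days_until_next(today), "days")
```

Out-of-band releases, which Adobe reserves the right to issue for actively exploited bugs, are by definition not on this calendar, so a roll-out process built around it still needs a path for unscheduled updates.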

The two companies' unsynchronized patching became an issue after Microsoft announced it would bake Flash Player into IE10 for Windows 8 and its tablet spin-off, Windows RT. But problems surfaced in September when Microsoft said it would not patch IE10 for at least six weeks, even though Adobe had issued updates the month before that addressed at least one vulnerability hackers were already exploiting.

Microsoft later recanted and issued an update to IE10, then followed with another in October on the same day Adobe shipped its Flash fixes.

At the time, security experts criticized both Adobe and Microsoft for releasing unexpected updates — Microsoft rarely deviates from its Patch Tuesday timetable — and said those updates confused customers, especially enterprise IT staffers who rely on Microsoft's predictable schedule.

Even though the Flash updates will add more Patch Tuesday work for users, security professionals praised Adobe's change.

"Concentrating updates on a single day is a benefit for any organization that manages patch roll-outs," said Wolfgang Kandek, CTO of Qualys, in an email. "That way the update can be handled by the same decision process, which should streamline roll-outs and get Flash updates [installed] more widely."

Storms agreed. "In a few months, the Flash update will just be a regular part of the Patch Tuesday cycle," he predicted. "The move is going to force Adobe to get into a regular cycle with repeatable processes that their end users will come to recognize and appreciate."

Adobe spokeswoman Wieke Lips said her firm had "discussed both internally and coordinated with Microsoft" the move to Patch Tuesday.

Storms and Kandek suspected that Adobe's hand was forced — whether of its own volition or at the urging of Microsoft — when the latter decided to bundle Flash with IE10.

"The new Adobe timing is to accommodate the typical Patch Tuesday release schedule for Windows, which enterprise customers depend upon," Kandek said.

What was a surprise, Storms said, was that it took this long for Microsoft and Adobe to sync security releases, particularly after the backpedaling by Microsoft in September. "That was a clear sign that despite the executive decision to put Flash in IE10, nobody considered the ramifications," Storms said. "Sadly, the people left holding the bag were Microsoft users on their brand new Windows 8 platform."

In hindsight, Storms was right: If there was one company destined to ride Patch Tuesday's coattails, it was Adobe, which has adopted Microsoft's security coding practices and used some of its anti-exploit "sandboxing" technologies in its Reader and Flash.

Microsoft declined to answer questions about Adobe's decision, including whether Microsoft had pressed its partner to make the call. Instead, the company issued a statement attributed to Dave Forstrom, a director in the firm's Trustworthy Computing group, that said, "Our customers tell us that they strongly prefer a predictable cadence of security-update releases, and we aim to honor that preference."

While Adobe characterized the decision as one of convenience and predictability for users rather than a security improvement, Kandek saw it slightly differently.

"Releasing scheduled Adobe Flash updates any other time would force Microsoft to make their IE10 updates out-of-band, as they would want to maintain a close interval between Flash release and IE10 release," Kandek said.

If Microsoft was unwilling or unable to ship emergency updates for IE10, Windows 8 and Windows RT users would be vulnerable to quick-strike Flash exploits, potentially for weeks.

Adobe's Tuesday update patched seven vulnerabilities, all of which could be used by hackers to hijack Windows PCs, Macs and machines running Linux. Engineers in Google's security team, as they often do, reported the seven to Adobe.

Microsoft updated IE10 on Windows 8 and Windows RT on Tuesday, making it the second time in a row that the company shipped patches the same day Adobe refreshed Flash.

Google, which has been bundling Flash with its Chrome browser for over two years, also updated its browser to include the patched version of the media player.

IE10 on Windows 7, which Microsoft has pledged to release as a preview by mid-November, will not include an integrated version of Flash, but will rely on the traditional plug-in. Still, it will, like other browsers, receive future updates on Patch Tuesday.

Adobe also said that it would, if necessary, issue emergency updates outside Microsoft's schedule to quash "zero-day" bugs.

Windows 8 and Windows RT users can obtain today's Flash update for IE10 via the Windows Update service, while others can either download the revised plug-in from Adobe's website or use the Flash updating tool.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.

Affiliate program is closed


Since the affiliate program didn't prove itself, the decision was made to close it.

New VPN Server In The UK!!


In response to high demand TUVPN have launched a NEW VPN server in the UK!

We are offering Shared & Dedicated IP services on this new server.

You can access the server immediately using: london3.tuvpn.com 

Alternatively you can reinstall your OpenVPN Client and you will have it in your VPN Server menu. New servers will automatically appear in our L2TP and PPTP client menus.

The NEW London Server comes packed with the usual TUVPN Features to provide you with the best VPN experience on the Net!

Please note that P2P file transfers are not supported.

Thanks for your valued custom and loyalty. We try very hard to earn it!!

©2011 TUVPN.COM. All rights reserved.