US-CERT Advises of Critical PDF Vulnerability

This is a technical note that system administrators will find of particular interest. If you are a sysadmin, or have one looking after your small business, make sure they see this information at the earliest opportunity.

On Wednesday, October 24, 2007, US-CERT (the United States Computer Emergency Readiness Team) issued a technical advisory affecting Windows XP and Windows Server 2003 systems with Internet Explorer 7.0 installed.

US-CERT advises that a vulnerability has been discovered whereby a specially crafted *.PDF file can trigger the flaw when it is opened and execute arbitrary commands on the target machine.

The vulnerability is fixed by upgrading to the latest versions of Adobe Acrobat and Adobe Reader, as outlined in Adobe's security bulletin of October 22, 2007.

US-CERT reports known incidents of compromise from crafted *.PDF files circulated by email and downloaded from the web as seemingly legitimate content.

It is recommended that the Adobe products be upgraded at the earliest opportunity; until then, treat unsolicited PDF attachments and downloads with suspicion.

R

Microsoft Office 2003 SP 3 Released

Microsoft released Service Pack 3 for Office 2003 on September 18; SP 3 has been published to Microsoft Update, and users should begin seeing update notifications this week. Still running Office 2003? Here is a run-down of the major benefits:

1. Office Interoperability. SP 3 improves Office 2003's handling of Office 2007 documents and its interplay with Windows Vista.

2. Security Tools. MOICE (Microsoft Office Isolated Conversion Environment) and File Block are introduced in this service pack; both are Office 2007 features retrofitted to Office 2003. MOICE converts documents in the older binary Office formats inside an isolated, low-privilege process before they are opened, which reduces the risk from malformed or malicious files. File Block lets system administrators use Group Policy to block the opening of specified (typically older) file formats.

3. Security Roll-Up. The security patches released for Office 2003 to date are rolled up into this service pack.

If you use Office 2003 on Windows Vista, or interact frequently with Office 2007 documents, this update is for you. If you're security-conscious or manage a business network, installing SP 3 should be a no-brainer.

There are a couple of ways to install this service pack: use Microsoft Update, or download the update directly from Microsoft. If you're running Windows Vista, walk through its Windows Update process. More information about the service pack can be found online.

R

GAP Breach Exposes PII of 800,000

A third-party vendor of the retail giant Gap, Inc. lost a laptop containing the personally identifiable information (PII) of over 800,000 job applicants. The laptop was stolen, and the data on its drive was not encrypted. Said CEO Glenn Murphy:
“Gap Inc. deeply regrets this incident occurred. We take our obligation to protect the data security of personal information very seriously.”
So seriously, in fact, that this vendor to a Fortune 500 company failed to recognize HR (HRIS) data as one of the most sensitive classes of data there is, and failed to take preventive steps to safeguard it. If you want to take your data a little more seriously than Gap, Inc. did, I always suggest TrueCrypt: http://www.truecrypt.org/.
TrueCrypt is a free, open-source program that can safeguard your data on jump drives (USB sticks) as well as entire hard disk partitions. If you're using Windows, you download it (it's free), walk through a wizard, choose a strong passphrase, and you're ready to roll. Keep in mind that the encryption is only as strong as that passphrase, and a volume that is left mounted is readable by anyone using the machine.
Uncomfortable with open source? If your laptop is new (purchased in 2007) and running Windows Vista Ultimate or Enterprise, enable BitLocker; just look up BitLocker in Vista's Help and Support. BitLocker encrypts the whole Windows volume below the file system, so it sits at a lower level than per-file encryption through NTFS (EFS), and on a laptop with a TPM chip the drive cannot be unlocked at all if it is moved to another computer or the boot environment has been tampered with. Back up the recovery key it generates, since without it a locked drive is unrecoverable.
Finally, are you a tech-head, or an amateur looking to use encryption with files, email, data streams, and images? PGP (Pretty Good Privacy) is the name you need to know. Easy-to-use products from PGP, from free trials to commercial licenses, provide scaled solutions from the single user all the way up to enterprise platforms.
Listen: laptops and sticks being stolen and exposing plaintext data is nothing new; it has been happening for decades. Don't become a statistic: use a little common sense and some free tools to protect yourself and your business.
R