East of Eden
The latest in Windows 10, end user devices and services, cyber security, data center & cloud, and all things IT.
Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.
By:
Andy Sherman
April 18th, 2014
Oracle released its quarterly critical patch update across its product lines (although I must say putting "quarterly" and "critical" next to each other seems a bit odd), including fixes for 37 Java vulnerabilities, 4 of which have a Common Vulnerability Scoring System (CVSS) score of 10, which is as toxic as you can get. A CVSS score of 10 indicates that the system may be easily compromised remotely and without authentication. 6 of the 37 vulnerabilities apply to both client and server products. Oracle recommends updating to the latest patch revision (Java 7 Update 55). If you are on a Windows desktop, the autoupdater should have started annoying you already. Take the update. As Brian Krebs points out, this would be another good time to consider if you really need Java on your workstation:
By:
Andy Sherman
April 11th, 2014
A very thoughtful piece from Dan Kaminsky on how we got into this mess. I definitely agree with him that we need to better manage the components of critical infrastructure. We've actually seen something like this before -- does anybody remember the work that the University of Oulu did exposing serious vulnerabilities in nearly every protocol stack using ASN.1?
By:
Andy Sherman
April 11th, 2014
What is the security alert? The Computer Emergency Response Team (CERT), based at Carnegie Mellon, has issued a vulnerability note (VU720951) relating to OpenSSL 1.0.1. The vulnerability, in the TLS heartbeat code, allows the attacker to read a 64K chunk of the private memory of the process using the SSL library. The attacker may repeat the attack to retrieve as many 64K chunks as necessary to disclose private information such as the server’s private key or the keys used to protect user login passwords. OpenSSL is a widely used open source cryptography library. Many websites using open source technology such as Apache use OpenSSL for cryptography support. Note that any open source package that supports SSL/TLS, including IMAP, SMTP, POP, is potentially vulnerable, not just web servers. The vulnerability has also been found in a variety of network security products, including Cisco, Juniper, FortiGuard, F5 and others. Note that Microsoft has their own cryptographic libraries, so that a pure Microsoft implementation (for example, IIS, Exchange, TMG) is immune to this issue.
By:
Andy Sherman
March 28th, 2014
I'm producing a 5-part video series on Data Loss Prevention which will go up on YouTube. Since this is all slides, talks, and demos, it can be pretty low tech. For the demo videos, which I do alone, I use SnagIt on my laptop (which has all the VMs for the demo) and then copy the captured video files over to my Mac for editing in iMovie. Easy and free (since I already own the Mac). What employer doesn't like "free" instead of a request to buy a few hundred bucks' worth of video editing software?
By:
Andy Sherman
January 17th, 2014
Microsoft announced on 1/15/2014 that they would continue to provide signature and engine updates for Microsoft Anti-Malware products running on Windows XP past the April 8, 2014 end-of-support for the OS, through July 14, 2015. For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials.
By:
Andy Sherman
January 2nd, 2014
Consolidation continues in the security industry with the acquisition of Mandiant by FireEye. FireEye makes malware prevention systems, while Mandiant is best known for their forensic work in tracking down hackers, such as the "Comment Crew" of the People's Liberation Army. It will be interesting to see what the combination looks like.