East of Eden
The latest in Windows 10, end user devices and services, cyber security, data center & cloud, and all things IT.
By: Andy Sherman, May 12th, 2014
Gregg Keizer in Computerworld quotes Secunia's Kaspar Lindgaard making a case that I've been making for a while, that "Patch Tuesday" will be a boon for hackers looking for XP vulnerabilities. We'll get a test of the hypothesis tomorrow, when Microsoft releases 8 new security updates. The reasoning is that many vulnerabilities patched in Windows 7, Windows 8.1, or the various Windows Server operating systems were carried forward from code lines in XP. The patches and accompanying security bulletins give attackers a roadmap for finding the vulnerabilities in XP that will never be patched.
By: Andy Sherman, May 9th, 2014
Eden Technologies has released a series of five web videos on Enterprise Data Security and Data Loss Prevention (DLP). The series highlights the components of an effective data security program and the place of DLP systems in a complete program. We emphasize the importance of considering people, process, and technology in your DLP program. The series is a good balance of all three, combining a review of the programs and processes with demonstrations of the major components of the Symantec DLP system. The five videos in the series are:
By: Andy Sherman, May 2nd, 2014
Yesterday Microsoft issued a critical out-of-cycle patch for the IE 0-day vulnerability in security bulletin MS14-021. Contrary to past statements, this patch will cover Windows XP and will cover all versions of IE from IE6 through IE11. As all the investment advertisements say, “past performance is no guarantee of future performance.” You dodged a bullet this time, but it may be the last time. Upgrade now.
By: Andy Sherman, April 28th, 2014
Back to other vulnerabilities and security issues. The first vulnerability since XP went out of support has been reported, although not yet patched. Once the patch is out for supported versions, though, it will remain a zero-day for XP. Here's a preview of a FAQ I'm preparing for our clients at work.

What is the security alert? Microsoft has issued a security advisory (2963983), based on research done by FireEye, announcing a zero-day vulnerability in all versions of IE from IE6 through IE11. There is a bug in the way that IE accesses invalid memory (a use-after-free) that can be exploited using Flash to allow remote code execution. According to FireEye, this vulnerability is NOT mitigated by either Address Space Layout Randomization (ASLR) or Data Execution Prevention (DEP). This vulnerability has been designated CVE-2014-1776 in the National Vulnerability Database. Both Microsoft and FireEye have warned that this vulnerability is being actively exploited in limited targeted attacks.
By: Andy Sherman, April 25th, 2014
My old friend Dan Geer has an interesting post on Heartbleed (hat tip to Bruce Schneier for spotting it). Dan and Bruce have written before about the dangers of software monocultures. When flaws are widely disseminated, their impact is disastrous when exploited, either deliberately or by accident. Some examples that come to mind from an operating system near-monoculture are the Melissa and Love Letter viruses, circa 1999-2000 (email dissemination of an executable virus), and the 2003 SQL Slammer worm. The near ubiquity of Microsoft Windows and, in the case of Slammer, the poor state of patch discipline caused widespread denial of service.
By: Andy Sherman, April 18th, 2014
Oracle released its quarterly critical patch update across its product lines (although I must say putting "quarterly" and "critical" next to each other seems a bit odd), including fixes for 37 Java vulnerabilities, 4 of which have a Common Vulnerability Scoring System (CVSS) score of 10, which is as toxic as you can get. A CVSS score of 10 indicates that the system may be easily compromised remotely (and unauthenticated). 6 of the 37 vulnerabilities apply to both client and server products. Oracle recommends updating to the latest patch revision (Java 7 Update 55). If you are on a Windows desktop, the autoupdater should have started annoying you already. Take the update. As Brian Krebs points out, this would be another good time to consider whether you really need Java on your workstation:
By: Andy Sherman, April 11th, 2014
A very thoughtful piece from Dan Kaminsky on how we got into this mess. I definitely agree with him that we need to better manage the components of critical infrastructure. We've actually seen something like this before -- does anybody remember the work that the University of Oulu did exposing serious vulnerabilities in nearly every protocol stack that used ASN.1?
By: Andy Sherman, April 11th, 2014
What is the security alert? The Computer Emergency Response Team (CERT), based at Carnegie Mellon, has issued a vulnerability note (VU720951) relating to OpenSSL 1.0.1. The vulnerability, in the TLS heartbeat code, allows the attacker to read a 64K chunk of the private memory of the process using the SSL library. The attacker may repeat the attack to retrieve as many 64K chunks as necessary to disclose private information such as the server’s private key or the keys used to protect user login passwords.

OpenSSL is a widely used open source cryptography library. Many websites using open source technology such as Apache use OpenSSL for cryptography support. Note that any open source package that supports SSL/TLS, including IMAP, SMTP, and POP servers, is potentially vulnerable, not just web servers. The vulnerability has also been found in a variety of network security products, including those from Cisco, Juniper, FortiGuard, F5 and others. Note that Microsoft has its own cryptographic libraries, so a pure Microsoft implementation (for example, IIS, Exchange, TMG) is immune to this issue.
By: Andy Sherman, March 28th, 2014
I'm producing a five-part video series on Data Loss Prevention which will go up on YouTube. Since this is all slides, talks, and demos, it can be pretty low tech. For the demo videos, which I do alone, I use SnagIt on my laptop (which has all the VMs for the demo) and then copy the captured video files over to my Mac for editing in iMovie. Easy and free (since I already own the Mac). What employer doesn't like "free" instead of a request to buy a few hundred bucks worth of video editing software?
Copyright 2024 © Eden Technologies. All rights reserved.