Last week Apple released a bunch of patches up and down its product line. One of the vulnerabilities it fixed in OS X was a vulnerability in its font parser.
In the past you could mitigate vulnerabilities like this by only installing fonts from trusted sources, but since it’s now possible for web pages to transmit fonts along with other content, there’s a limitless number of untrusted fonts out there in the world.
Since it may take a while for all of the major operating systems to shake out all of the problems in their font subsystems, that’s the reason I’ve recommended filtering fonts at the proxy.
Josh Drake, the researcher who discovered the Stagefright vulnerability in Android that lets an attacker hack into an Android device by sending a specially crafted picture or video in a text message, was on the Risky Business security podcast this week to talk about it. What he had to say was interesting.
Patrick Gray, the host, tends to be a pretty outspoken critic of Android and isn’t shy about talking up Apple. He tried to get Drake to say Android is a trainwreck, security-wise, but Drake wouldn’t say it. Drake actually went as far as to say he thinks Android and IOS are fairly close, security wise.
So why do we see so many more Android bugs? Drake had an answer.
It was 30 years ago this week that Commodore released its landmark, long-time-coming Amiga 1000 computer–the first 1990s computer in a field full of 1970s retreads.
Yes, it was a 1990s computer in 1985. It had color and sound built in, not as expensive, clunky, hard-to-configure add-ons. It could address up to 8 megabytes of memory, though it ran admirably on a mere 512 kilobytes. Most importantly, it had fully pre-emptive multitasking, something that previously only existed in commercial workstations that cost five figures.
It was so revolutionary that even NBC is acknowledging the anniversary.
Being a decade or so ahead of its time was only the beginning of its problems, unfortunately.
Adobe has patched Flash twice in two weeks now. The reason for this was due to Hacking Team, an Italian company that sells hacking tools to government agencies, getting hacked. Hacking Team, it turns out, knew of at least three unpatched vulnerabilities (also known as “zero-days” or “0days”) in Flash, and exploits for these vulnerabilities were among the things that got breached.
At work part of my job is reporting security metrics along with my colleague, and sometimes we report things like the number of machines running a specific operating system. The problem we run into is that when it comes to operating system versions, OS X versions 10.1 and 10.10 are really not the same. We run into similar issues with versioning for other operating systems too, such as AIX.
To keep Excel from dropping those significant zeroes on your charts, highlight the column containing your version data and switch it from a numeric format to text format. Then switch to the tab that contains your chart, refresh the data, and your charts will show the zeroes properly.
A really bad remote code execution bug surfaced yesterday, in Bash–the GNU replacement for the Unix shell. If you have a webserver running, or possibly just SSH, it can be used to execute arbitrary code. It affects anything Unixy–Linux, BSD, Mac OS X, and likely many proprietary Unix flavors, since many of them have adopted the GNU toolchain.
This could be really bad. Some people are calling it potentially worse than Heartbleed. Maybe. I’m thinking it’s more along the lines of MS08-067. But there’s an important lesson we must learn from this. Read more
Vuescan is a third-party scanning tool for most versions of Windows, OS X, and Linux. It supports hundreds of scanners, including those abandoned by manufacturers. It’s probably better than what came with your scanner. The pro edition probably costs as much as your scanner too, but comes with lifetime free updates, so you know you’ll be able to use your scanner for as long as it continues to operate, rather than rolling the dice on manufacturer-provided drivers working with your next upgrade. And you can run it on up to four computers at a time, which is nice.
Full disclosure: I bought this software myself. I was not provided a copy for review, nor am I receiving anything in exchange for writing this review. Now that’s out of the way, and you don’t to have to guess about my motives.Read more
My wife bought a scanner around the turn of the century. It’s old, but has always worked well. It’s a Canon LIDE 50, which should come as no surprise. Canon generally makes good hardware. The only problem is that Canon hasn’t made a new driver for it since Windows XP.
I’ve thought of keeping an XP box around for scanning, but wondered if there was a better way. Turns out there is. Thanks to this blog post I know the LIDE 60 drivers work fine, so we can keep the scanner even as we leave XP behind. That’s great, because I hate tossing perfectly usable hardware just because it’s old.
So if you have an old scanner, Google it. There may very well be a close-enough driver out there for it that you can use with a bit of tweaking. And if not, and you don’t mind paying $40, there’s VueScan, which works with 2,400 different scanners and all three (yes, three!) major operating systems. So you can use old weird scanners with Mac OS X or Linux if you want. And $40 is probably less than a new comparable scanner will cost.
I’m reading a book called Trade-Off, by former USA Today technology columnist Kevin Maney. It’s primarily a marketing book.
Maney argues that all products are a balance of fidelity and convenience, and highly favor one or the other. He additionally argues that failed products fail because they attempted to achieve both, or failed to focus on either one.
An example of a convenient product is an economy car. They’re inexpensive to buy and inexpensive to keep fueled up, but don’t have much glitz and you probably won’t fall in love with it. A high-end sports car or luxury car is a lot less practical, but you’re a lot more likely to fall in love with it, and gain prestige by driving around town in it. Read more