Security Advisor

Adobe Releases Yet Another Flash Bandage

Plus, LulzSec crumbles from the inside, readers respond to proposed changes to Windows 8 password procedure.

• By Chris Paoli
• 03/07/2012

For the second time in 20 or so days, Adobe is bandaging up its Flash Player due to holes that could open up users to attacks.

Two holes, to be exact, are getting the update treatment before they could cause damage. At least Adobe is committed to being proactive when it comes to problems (unlike a certain company that ignores issues until they explode).

While it's never good PR to announce issues with your software, Adobe is spinning this patch by unveiling its new rating system for updates that will advise users on how fast they should apply.

Adobe's new labeling system will apply one of three priority ratings to an update. If you see a Priority 3 item, you can take your time, as these items fixed aren't causing any real damage out there. Patch when you want to, whether that's today, tomorrow or next week.

A more-serious Priority 2 fix should be added to your "to-do" list. However, if you can't get to it for 30 or so days, don't worry. Adobe says that's fine. But do get it done sometime this month.

Priority 1 alerts should be handled ASAP. They typically fix well-used Adobe products that are currently under siege by hackers.        

But, of course, these are only suggestions and all patches should go through a rigorous testing period before being rolled out.

Do you typically apply patches within suggested windows of time? Let me know at [email protected].

Hacker Group Crumbling
Known as "Sabu," the head of the online mischief maker group LulzSec provided information to law enforcement that led to the arrest of five members of the operation on Tuesday.

I'm guessing Sabu didn't want to spend a huge portion of his life behind bars. The FBI swooped him up in June of last year and he pleaded guilty to 12 counts of hacking -- all under the radar of his group.

He even disbanded his group (for a short period of time) right as Anonymous (who the group worked with) went on its highly publicized campaign of hacking government Web sites.

How long he was working with the Feds to bring his fellow hackers to justice is unknown. However, I'm sure he won't be receiving many get-together invitations from his hacker friends in the near future.

Readers Respond: Do Electronic Passwords Need an Overhaul?
In last week's Security Watch I discussed  a couple of options Microsoft is considering for password input for Windows 8. These include facial recognition and drawing patterns on photos.

Reader Todd especially finds issue with the second option, and suggests where the future of password input should go:

"I still believe the universal standard should be either fingerprint scans or retinal scan.  The entire 'doodle' concept sets security back 25 years.  How easy would it be for any person to stand across the room and watch you circle your father's head, draw a line from one sister's nose to another sister's nose, and then tap your mother's nose?"

Interesting point. But how easy can it be for a person to watch you input your Windows password from across the room? Seems like the "doodling" idea would have some of the same follies that traditional password input has. But copying a fingerprint or retina is a bit hard to do from across the room.

However, with anything new, there's going to be a learning code, and getting users to switch how they've been doing something for years takes a lot of coercion that it is worth it. And reader Jim agrees:

"Just because it is 'old' does not mean it is bad. Though I like the ideas, I would not give up my old-timey passwords until I could be convinced the 'new' system was at least as secure as our current method or better."

Well said.