Wednesday, May 16, 2012

Thursday Miscellany: Quicktime, FBI warning about open WiFi, Open/LibreOffice

Here are several small items to brighten up your Thursday.
  • If you have Apple QuickTime installed, update it -- a new version with security fixes has been released.
  • If you travel and use open WiFi access points or hotel WiFi or hotel networks, DO NOT APPLY SOFTWARE UPDATES WHICH YOU MIGHT BE OFFERED THERE. See the second set of stories below.
  • OpenOffice has crawled out of the grave in which Oracle buried it a year ago; it's now an Apache Software Foundation project.  This gives us two competing open-source office suites, OpenOffice and LibreOffice (my preference).  See the third set of stories about OpenOffice's resurrection and new versions of LibreOffice.
  • There are reports of a single piece of malware which infects both Windows PCs and Apple Macs using the same Java vulnerability.  Patch your Java or uninstall it!

Postscript: My next blog post will be about last week's Windows Updates, which appear to be deploying without issues.  If you haven't updated yet, do so!

reports that Apple has released a new Version 7.7.2 of the QuickTime media player. This version has security fixes.

About the security content of QuickTime 7.7.2
This document describes the security content of QuickTime 7.7.2.

FBI: Updates Over Public ‘Net Access = Bad Idea — Krebs on Security
The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.

From the FBI’s advisory:

“Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

The warning is a good opportunity to revisit some wireless safety tips I’ve doled out over the years. Avoid updating software while you’re using networks that are untrusted and public, whether they are wired or wireless. This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.

FBI: Beware of software updates on hotel connections | ZDNet
Road warriors beware: Cyber-criminals are using pop-up alerts on hotel Internet connections to trick computer users into downloading malware.

According to a warning from the FBI’s Internet Crime Complaint Center (IC3), the pop-up lures are appearing while users are establishing an Internet connection in their hotel rooms.

“In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available,” the IC3 said.

Apache OpenOffice 3.4 makes official debut; LibreOffice makes its case | ZDNet
Summary: Let the games begin. Tuesday, the Apache Software Foundation announced the first official release of Apache OpenOffice, version 3.4, since Oracle donated it to the ASF in mid 2011.

As expected, the first version of OpenOffice under new management — the Apache Software Foundation — has been released.

Apache OpenOffice 3.4, which had been in incubation since Oracle donated the code to the ASF mid last year, offers improved performance and a number of new features and enhancements and is available on Windows, Macintosh and Linux and in 15 languages as of today.

The list of new bells and whistles — such as improved ODF support, including new ODF 1.2 encryption option, new spreadsheet functions, an enhanced pivot table support in Calc and enhanced graphics — is welcome news.

Not all would agree with Apache’s point of view. The Document Foundation, which developed its own LibreOffice fork of OpenOffice after Oracle signaled its intention to cease development of the office suite, holds that its own organization is independent of vendor control and is the leading open source developer of OpenOffice today.

It has received the support of SUSE, Ubuntu and Intel. The Document Foundation is incorporated in Germany.

One LibreOffice spokesman, a longtime OpenOffice developer and top SUSE engineer, disputed that the Apache license is the best open source license.

“We find this announcement particularly interesting as, a year after Oracle shuttered, the Incubator (also cited as Apache) now have their release out. As we said when this move was announced, this has a positive angle, allowing LibreOffice to adopt a more future-proof copy-left licensing model.  It also goes without saying that SUSE continues to provide a fully supported SUSE LibreOffice product on Windows and Linux built from the same code base.  I have a more detailed comparison on my blog, but let me focus on the great things that are happening in LibreOffice Land.

“We’ve got our monthly release of 3.5.3 out, steadily increasing quality, and our 3.6 release is one month away from feature freeze and looking great - so we continue to execute on our time-based release schedule. Also, yesterday we announced an exciting certification program to increase the confidence of purchasers of support and services around LibreOffice,” said Michael Meeks, Distinguished Engineer at SUSE.

Let the games begin.

A LibreOffice/Apache OpenOffice Comparison

As the date of the Apache OpenOffice release approaches, and the final release candidate wends its way through a couple of rounds of approval / voting, I thought it might help clarify the current situation to have a side-by-side summary of what is in each suite. I'll update this entry in response to feedback, please do mail me with corrections if I've got things wrong.

Let me say, straight off, that I think the 'removal of copy-left' code (or at least its replacement) has been done reasonably well. Potentially rather a confusing description though: there are still great big gobs of copy-left code as hard requirements for a useful Apache OpenOffice, but these are category b copy-left, instead of the category x licenses (including the LGPL) that Apache excludes. The functionality loss from this removal is modest, as new versions of dependencies have been selected or system dependencies added, with even some rule-bending around shipping GPL dictionaries.

On the other hand, thus far, there are rather few really new features in the release that did not come from Oracle's existing work; that is outside of some pleasant drawing improvements, which we hope to merge into LibreOffice for our next major release.

Cross-platform malware exploits Java to attack PCs and Macs | ZDNet
Summary: The same Java vulnerability used in the infamous Flashback malware is now being used as an attack vector for a single piece of malware that can infect both Windows and Mac OS X computers.

Security vendors have discovered a new piece of malware that attacks both PCs and Macs. It uses the same Java security vulnerability exploited by the Flashback malware that infected hundreds of thousands of Macs. While the attack vector is the same as in Flashback, this Java applet checks which OS it is running on and downloads suitable malware for it.

Patches for this Java vulnerability have been available since February 14 for Windows, Linux, and Unix computers. Apple released a patch in early April, before the Flashback botnet was discovered. Apple has not issued a Java security update for users running versions of Mac OS X prior to 10.6 (Snow Leopard) because it wants to upgrade to a newer version of its operating system. These users can only protect themselves by disabling Java.

If you don’t use Java, you also should disable it. Even if you don’t have it installed, always get the latest security updates for your operating system and software, whether it’s from Microsoft, Apple, or any other company.
