Where to Find Software Patches?

This will vary depending on what operating system and applications you are running. Looking at the most common software products in use on Microsoft Windows based machines, Adobe Reader, Adobe Flash and Oracle Java are the top products that receive frequent security patches.

Microsoft releases their security updates on the second Tuesday of every month. This well-known release schedule lets you plan your update deployments accordingly. On occasion, Microsoft will release a fix outside the standard schedule when a critical vulnerability has been identified and is likely being exploited in the wild. Using the Windows Update control panel will take you through that process.

Adobe has adopted Microsoft’s “Patch Tuesday” model for releasing their security updates. This originated from customers wanting a single patch cycle to make it a bit easier to maintain a fully patched system. Adobe has a built-in update tool in their Flash and Reader software. The Adobe Flash Player Distribution page and Adobe Reader page have direct download links.

Oracle releases Java updates three times per year in February, June and October. As the updates are concentrated in batches, they likely include a large number of security fixes. On occasion, Oracle will release an out-of-band security fix for high impact vulnerabilities. Using the Java control panel will take you through the update process.
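To make the Microsoft and Adobe schedule above concrete, here is a small Python helper I am adding as an example (it is my own code, not anything published by Microsoft or Adobe). It computes Patch Tuesday for any month and lays out a yearly deployment calendar; the deploy_days window is an assumed internal rollout target, not a vendor requirement.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday() numbers Monday as 0, so Tuesday is 1


def second_tuesday(year, month):
    """Microsoft's Patch Tuesday: the second Tuesday of the given month.
    Adobe ships Flash and Reader security updates on the same day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(today):
    """The first Patch Tuesday on or after `today` (a date or an ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    candidate = second_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    # Already past this month's release: roll over to next month (and year if needed).
    if today.month == 12:
        return second_tuesday(today.year + 1, 1)
    return second_tuesday(today.year, today.month + 1)


def patch_calendar(year, deploy_days=14):
    """One year of (release_date, deploy_deadline) pairs for the Microsoft/Adobe cycle.
    deploy_days is an assumed internal target for finishing rollout, not a vendor rule."""
    calendar = []
    for month in range(1, 13):
        release = second_tuesday(year, month)
        calendar.append((release, release + timedelta(days=deploy_days)))
    return calendar


if __name__ == "__main__":
    for release, deadline in patch_calendar(2008):
        print(f"release {release}  deploy by {deadline}")
```

Out-of-band releases, as the post notes, do not follow this calendar; treat the calendar as the baseline and handle emergency fixes as they appear.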

As a good practice, I would make sure your computer is running the latest software every month.

OWASP-SF Meeting

Tonight was another good OWASP Bay Area meeting. Over 50 people attended the meeting, and I hope these numbers continue to rise.

The first talk was on Adobe Flash security. Here are my notes:

  • Cross-site flashing takes advantage of the HTML Flash parameter allowScriptAccess=always
  • Stefano Di Paola released SWFIntruder a few months ago to help analyze Flash applications at runtime
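As an added illustration of the first bullet, here is a small Python script of my own (not something shown at the meeting and not part of SWFIntruder) that scans HTML for Flash embeds and reports which ones set allowScriptAccess to always, the setting that lets the loaded SWF call JavaScript in the hosting page. The sample HTML is constructed; the sameDomain default applied when the parameter is absent is Flash Player’s documented behaviour for Flash Player 8 and later.

```python
from html.parser import HTMLParser

# Constructed sample page containing several Flash embeds (not from the talk).
SAMPLE_HTML = """
<html><body>
<object id="banner">
  <param name="movie" value="/swf/banner.swf">
  <param name="allowScriptAccess" value="always">
</object>
<embed src="/swf/player.swf" allowScriptAccess="sameDomain">
<embed src="http://cdn.example.invalid/widget.swf" allowscriptaccess="always">
<embed src="/swf/legacy.swf">
</body></html>
"""

# Value Flash Player applies when allowScriptAccess is omitted (Flash Player 8+).
DEFAULT_SCRIPT_ACCESS = "sameDomain"


class FlashEmbedAuditor(HTMLParser):
    """Collects every <embed> and <object> that loads a SWF together with its
    allowScriptAccess setting, so embeds that grant script access can be reported."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._object_params = None  # <param> values of the currently open <object>

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "embed":
            self.findings.append(self._finding(attrs.get("src", ""), attrs.get("allowscriptaccess")))
        elif tag == "object":
            self._object_params = {}
        elif tag == "param" and self._object_params is not None:
            self._object_params[attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._object_params is not None:
            params = self._object_params
            self.findings.append(self._finding(params.get("movie", ""), params.get("allowscriptaccess")))
            self._object_params = None

    @staticmethod
    def _finding(src, script_access):
        value = (script_access or DEFAULT_SCRIPT_ACCESS).strip()
        return {"src": src, "allowScriptAccess": value, "risky": value.lower() == "always"}


def audit_flash_embeds(html):
    """Return one finding dict per Flash embed found in the HTML, in document order."""
    parser = FlashEmbedAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def risky_sources(html):
    """SWF sources that are embedded with allowScriptAccess=always."""
    return [f["src"] for f in audit_flash_embeds(html) if f["risky"]]


if __name__ == "__main__":
    for finding in audit_flash_embeds(SAMPLE_HTML):
        flag = "RISKY" if finding["risky"] else "ok"
        print(f"{flag:5} allowScriptAccess={finding['allowScriptAccess']:10} {finding['src']}")
```

Running this over your own templates gives a quick inventory of embeds to review; embeds that load SWFs from another origin with always are the ones to tighten to sameDomain or never.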

The second talk was on PCI. I was surprised that the discussion around this topic was lively, as I thought it would be pretty boring. Anyway, here are my notes from this talk.

  • Criminals are getting better
    • Tiny wireless skimmers are point of sale devices
    • In-line wiretaps to record transactions
  • Current PCI spec doesn’t require end-to-end encryption
  • Visa’s PABP – Payment Application Best Practice
  • PA-DSS – PCI Council adapted version of Visa’s PABP
  • Section 6.6 is required by June 30, 2008
    • Requires either a code review or a web application firewall for front-facing sites
    • But what defines a code review? Static vs dynamic
  • Section 11.3 talks about pentesting

The next Bay Area meeting will be in the East Bay, probably somewhere in Pleasanton. If you want to give a talk at the next meeting, please drop me a line.

I only took a few pictures at this event, but they can be found on flickr.

Update: There is a great blog on PCI at pcianswers.com.