
Last update: Thu, 21 Dec 2017 2pm

 

Introducing – Tools for Cinema Quality Assurance


Cinema Test Tools for the non-Technical Manager – Post Installation Quality Assurance Has Begun

Cinema Test Tools is a free resource for the cinema industry, tuned most particularly for the non-technical manager. The tools include several DCPs, all with interesting means of testing the sound and picture quality for the interested but lightly trained staff. The lessons on sound and light are written to provide a foundation to communicate with the technician who must respond quickly and well to the information that they discover.

The key is a free Managers Walk Through Checklist that correlates with the many DCPs. It helps bring an understanding of the many nuances of the auditorium's situation in a straightforward way. 

Security issues should always be taken seriously. Then again, so should consistent exercise and taking regular breaks from madness. Notwithstanding, here's the recent news in the field of security.

PDF – Friend? or Zero Day Future?

Security stories rarely make the front page around here, but the presumed safe PDF file is going to hit the news. Zero-Day~! is a headline that you don't want to participate in, and one is predicted for PDF files in the near future. We should therefore remind ourselves of the basics.

Security people use the term "Attack Vector" to describe a route that a presumed malicious person uses to gain control of a computer. The cuddly pdf has been a vector in the past; then Adobe gave it a "sandbox" – which is yet another term of security art. In this case, imagine a place where the program can look at and manipulate the incoming code before allowing it to do something. For example, a pdf is allowed to reproduce graphic files within the text. The program – very quickly – allows that graphic to load up in the internal sandbox only, decides that it is not a secret dagger aiming at the CPU, and lets it pass to the graphics chip.

What has happened in the past is that black hats have used things like graphics files to hide malicious code, like trojan horses or viruses. The idea is that the graphic is allowed, therefore the code might slip through without triggering a virus checker. You'll often hear the words 'sandbox' and JavaScript together, because it is often manipulation of JavaScript code in a pdf that is the problem.

The news is that someone has figured a way around the sandbox. They can show themselves using a script that exploits Adobe Reader. This someone is letting other blackhats know that the code might be available for their use if they just pay up. The full story can be read here: Experts Warn of Zero-Day Exploit for Adobe Reader — Krebs on Security. That's right, the bad guys are holding a virtual auction to see who wants to spread the most havoc.

There are a few solutions to this. Get everyone on a Mac, since this exploit is targeted at Windows users, especially those who haven't upgraded to Reader 11. Even with Reader 11, go to Preferences in all versions of Reader and turn off Reader JavaScript. Most likely you won't notice.

Next solution is: don't allow PDF files onto production equipment, at all, anymore. Period. The files, no matter who you got them from, cannot be presumed to be innocuous.

If you are creating a file that you know will be going to editors or projectionists or people who might stick it onto production equipment, save it as a PDF/A file. LibreOffice and OpenOffice and Microsoft Office '07 and '10 all support this export file version of a pdf. The PDF/A file can't hide code because it doesn't allow certain things to run in it.
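An added example, not part of the original article: a small Python gate for the two rules above (keep untrusted PDFs off production equipment, accept only PDF/A). It assumes a policy of rejecting any file that shows script or auto-run keys or lacks a PDF/A declaration; the function names and sample bytes are constructed for illustration.

```python
import re

# PDF name keys that carry script/program content or trigger it automatically.
ACTIVE_KEYS = {"JavaScript", "JS", "Launch", "OpenAction", "AA", "EmbeddedFile"}

# A PDF name is "/" followed by a run of non-whitespace, non-delimiter bytes.
_NAME = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, so /J#61vaScript is recognised as JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def active_keys(data: bytes) -> list:
    """Sorted active-content keys visible in the uncompressed parts of the file."""
    return sorted({n for n in map(decode_name, _NAME.findall(data)) if n in ACTIVE_KEYS})


def declares_pdfa(data: bytes) -> bool:
    """True if the XMP metadata claims PDF/A (a declaration, not proof of conformance)."""
    return b"pdfaid:part" in data


def admit(data: bytes) -> tuple:
    """Assumed gate policy for production equipment: returns (allowed, reasons)."""
    if b"%PDF-" not in data[:1024]:
        return (False, ["not-a-pdf"])
    found = active_keys(data)
    if found:
        return (False, found)
    if not declares_pdfa(data):
        return (False, ["no-pdfa-declaration"])
    return (True, [])


# Constructed byte strings (not complete, valid PDFs) used as sample input.
PDFA_DOC = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Metadata 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Metadata >>\nstream\n<pdfaid:part>1</pdfaid:part>\n"
            b"endstream\nendobj\n%%EOF\n")
SCRIPTED_DOC = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /S /J#61vaScript /JS (constructed) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("pdfa", PDFA_DOC), ("scripted", SCRIPTED_DOC)):
        print(label, admit(doc))
```

Keys stored inside compressed object streams are not visible to this scan, so a pass here is a necessary check rather than a sufficient one; a full PDF/A validator is still the authority on conformance.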

Stay Aware. 

Ongoing Sec - More Exploited Vulnerabilities Patched


12 November – Every freakin' month (2nd Tuesday) there is a new set of Microsoft vulnerabilities, so much so that we have ignored reporting them.

But this month there is yet another set of Critical vulnerabilities that is being exploited in the field – read about it here at Krebs:

Zero-Days Rule November’s Patch Tuesday — Krebs on Security. This explains new Flash updates. [Your editor has eliminated Flash from his system…not worth the bother.]

But note: This does not cure the zero-day exploit that is capable of ruining your whole week~!~!~!


11 June – Another round for Adobe and Microsoft, explained by Krebs:

Adobe, Microsoft Patch Flash, Windows


14 May – Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

So says Krebs On Security today. Get all the info: Microsoft, Adobe Push Critical Security Updates


6 May – Zero Day Exploit is not only in the open for IE8, but it is published for all hackers to study.

 

If you must use a Windows computer, please change over to Firefox immediately (if you haven't already). Then read this:

Krebs On Security – Zero-Day Exploit Published for IE8


12 Feb – The normal Tuesday repairs to the normally insecure programs –

Fat Patch Tuesday — Krebs on Security


7 February – Critical Flash Player Update Fixes 2 Zero-Days — Krebs on Security

These stories never end...not even interesting reading anymore. Just do the upgrades.

Updates are available for Windows, Mac, Linux and Android users. The latest Windows and Mac version is v. 11.5.502.149, and is available from this link. Those who prefer a direct link to the OS-specific downloads can grab them here. To find out if you have Flash installed and what version your browser may be running, check out this page.


16 Jan – Days after the critical Java fix, Krebs on Security announces that a new exploit, not patched in the version 11 release, is being sold on the black-hat black market. First, learn how to turn off Java, and do so until this is patched; even then, turn it back on only if you need it.
How to Unplug Java from the Browser — Krebs on Security

Second, read more about the sordid details here: New Java Exploit Fetches $5,000 Per Buyer — Krebs on Security

Security experts on Java: Fixing zero-day exploit could take 'two years' | ZDNet

Third: Point others to this site to learn "What Is Java" and how to use it if you absolutely must: What You Need to Know About the Java Exploit — Krebs on Security

 


 

 

13 Jan – Now it is Java with the critical warnings...Read Krebs for the data, but one thing I noticed is that his link for the mac update was wrong and the auto-update that the Mac Java program points to gives an error. So here is the correct link for all OSs: Download Free Java Software, which should point to the right place. Here is where I got a successful Java for Mac download:
Download Java for Mac OS X
Oracle Ships Critical Security Update for Java — Krebs on Security


 

8 January – Like the Australians needing new colors on their temperature maps as Ultra Hot turns to Double Extra Super Hot, Microsoft and Adobe are going to need new degrees above Critical and above Vulnerable. In this case, Microsoft should say, "Ultra Vulnerable Even After the Update". As Krebs on Security explains: "... these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. ..."

Read the entire piece since it has all the links for the Adobe Reader Flash Player plugin...and AIR and Acrobat...for both Windows and Mac OS.

Don't delay...here is the link again: Adobe, Microsoft Ship Critical Security Updates — Krebs on Security

Australia adds new colour to temperature maps as heat soars | Environment | The Guardian


 


New .1 version of ffmpeg released

Code-named Freedom, and only 6 weeks after Harmony (0.9) was released, this version of the Open Source video codec tools and libraries repairs many "highly critical" security risks. Secunia Details

If you are using Perian, VLC or MPlayer, among other open source tools that allow you to run several different types of media codecs, expect updates.


July 9 – Prepare For No Doom [Update]

More than 300,000 computers will be disconnected from the internet on 9 July. How can you be one of them?

Easily.

[Update: The day came...with all the attention, the number of computers with the trojan plummeted. The US FBI tracked the numbers falling by half in the US. On the day of the event, ISPs also started diversion practices of their own. No one is predicting how that will work out, but it mitigated the effect while allowing compromised computers to continue. Applause, though short-lived perhaps.]


Certificate Authorities and DCinema

This week's news brings up a sore subject: Trust.

In DCinema, this means Trusted Device Lists (TDL) and Certificate Authorities as specified in the SMPTE/ISO and DCI documents.

In the outside world, the foundation is also a group of companies who issue certificates that bring different levels of trust to different websites or those who access the websites. These companies are the CAs or Certificate Authorities. Last year, one was found to have been hacked.
