USENIX Update

Microsoft has published a critical security update, MS10-002, as
of Thursday, 21 January. They rushed out this patch that covers
seven different IE vulnerabilties, even as attackers were working
on converting the Google exploit so it succeeds against later
versions of IE.

If you thought there was only one IE vulnerability to patch, you
might be wondering why seven get patched here? In reality, there
are still more outstanding IE vulnerabilities. Microsoft is not
alone here, as other browser vendors also have outstanding
vulnerabilites. But IE is still the top browser that gets targeted
by attackers. Brian Krebs posted a nice blog entry about his look
at the Eleonore Browser Exploit Kit, where he shows screen shots
that include logs of successfully exploited browsers, including
older versions of Firefox, as well as Safari, Chrome, and Opera.

http://www.krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/

On other news, Apple announced the iPad yesterday. The iPad will
run iPhone and iTouch apps, and like these devices has no support
for Flash applications. While Apple is most likely doing this for
competitive reasons, Flash remains one of the most dangerous, and
popular, browser plugins. Plugins run as browser code, and thus
aren’t included in the limited sandbox most browsers erect around
code and data from the same origin (Same Origin Policy). Thus,
anytime you run an application in Flash, you are running code with
in an interpreter that runs with your user privileges, and can do
what you can do. On top of that, Flash is very difficult to sandbox,
as it needs to write to your display and wants the ability to
read and write to your filesystem as well.

So, from my perspective, leaving Flash out of the iPad is a good
thing…

Join us February 22, 2010, in San Jose, CA, for the 2nd USENIX Workshop on the Theory and Practice of Provenance (TaPP ‘10).

The TaPP workshop series builds upon a set of Workshops on Principles of Provenance organized in 2007–2009, which helped raise the profile of this area within diverse research communities, such as databases, security, and programming languages.

We hope to attract serious cross-disciplinary, foundational, and highly speculative research and to facilitate needed interaction with the broader systems community and with industry.

Registration is now open and the program is available.

TaPP ‘10 is co-located with  FAST ‘10, taking place February 23-26, 2010 in  San Jose, CA.

The Call for Participation for the 24th Large Installation System Administration Conference (LISA ‘10) is now available.  Participation opportunities include refereed papers, invited talks, and more.

The annual LISA conference is the meeting place of choice for system and network administrators and engineers. The conference serves as a venue for a lively, diverse, and rich mix of technologists of all specialties and levels of expertise. LISA is the place to exchange ideas, sharpen old and new skills, learn new techniques, debate current and controversial issues, and meet industry gurus, colleagues, and friends.

The theme for LISA ‘10 is “Share your experiences, both real-world and in research.”

NEW! Have you completed a major project? Tell the LISA audience what worked and what didn’t in a practice and experience report.

Check out the full Call for Participation.

LISA ‘10 takes place November 7–12, 2010 in San Jose, CA and is sponsored by USENIX in cooperation with LOSPA and SNIA

The Call for Papers for 2nd USENIX Workshop on Hot Topics in Cloud Computing (HotCloud ‘10) is now available.

HotCloud ‘10 seeks to discuss challenges in the Cloud Computing paradigm including the design, implementation, and deployment of virtualized clouds.

Submissions are due March, 23, 2010.

More information and submission guidelines can be found here.

HotCloud ‘10 will be part of USENIX Federated Conferences Week, which will take place June 21–25, 2010.