[IS&T Security-FYI] Newsletter, Feb. 1, 2007

Monique Yeaton myeaton at MIT.EDU
Thu Feb 1 17:09:57 EST 2007


This issue of Security-FYI includes:

1. Microsoft Word Flaw Update
2. Medium Risk Vulnerability in PGP Desktop
3. Safety Tip of the Week

---------------------------------------
1. Microsoft Word Flaw Update
---------------------------------------

In January I mentioned in the newsletter that Microsoft is monitoring  
three previously reported zero-day Word vulnerabilities but has not  
yet released a patch. This past week a fourth vulnerability has been  
reported. These are targeted attacks and pose a low risk to most  
users. Still, Microsoft cautions against opening any Word attachments  
coming from untrusted sources. MIT's email server should also catch  
any infected files before they reach your inbox.

To read up on this:
<http://www.eweek.com/article2/0%2C1895%2C2087554%2C00.asp>
<http://www.microsoft.com/technet/security/advisory/932114.mspx?pubDate=2007-01-26>


--------------------------------------------------------
2. Medium Risk Vulnerability in PGP Desktop
--------------------------------------------------------

A flaw has been found in the PGP Desktop encryption tool, and users are  
advised to upgrade to the latest version of the software.  
Vulnerability testers NGS Software rated the flaw as a 'medium risk'  
and said that it affects versions of the software earlier than PGP  
Desktop 9.5.1.

To read up on this:
<http://www.ngssoftware.com/advisories/medium-risk-vulnerability-in-pgp-desktop/>
<http://www.vnunet.com/vnunet/news/2173564/flaw-found-pgp-encryption>
<https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_adp.php?p_faqid=703&p_li=&p_topview=1>


--------------------------------
3. Safety Tip of the Week
--------------------------------

Spam has gotten very sneaky these days. Perhaps because they know  
that people are starting to catch on and that email systems are  
filtering most spam before it can reach people's inboxes, spammers  
look for ways to get around the blocks. One way in which they do this  
is by deceptively gathering email addresses by sending you to a hoax  
site. One of those hoax sites actually claims to be a "National Do  
Not E-mail Registry." They appeal to those people who are fed up with  
spam and want to actively do something about it. Only it's a trick,  
warns the FTC, meant to deceive you into revealing personal  
information. Makes you wonder what causes people to kick you when  
you're down, doesn't it?

More about this hoax can be found here:
<http://www.nasafcu.com/l2.aspx?ci=638>

If you have any questions please contact us at security at mit.edu or if  
you need help with your computer contact the Computing Help Desk at  
computing-help at mit.edu.

Don't forget to check out our blog:
<http://bloggeroff.mit.edu/blogs/security/>

Happy computing,

Monique

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security





