[IS&T Security-FYI] Newsletter, Mar. 8, 2007
Monique Yeaton
myeaton at MIT.EDU
Thu Mar 8 16:51:22 EST 2007
Covered in this issue:
1. Firefox Patch Fixes Security Flaw
2. Security Trends of 2007
3. Tip: Remain Cautious of Phishing Attacks
----------------------------------------------
1. Firefox Patch Fixes Security Flaw
----------------------------------------------
The Mozilla Foundation released a patch last Monday to fix a critical
JavaScript vulnerability in Firefox 2.0.0.2 and 1.5.0.10 as well as
SeaMonkey versions 1.1.1 and 1.0.8. According to Mozilla, the flaw
allowed a URI placed in an image tag to be executed as script even
when JavaScript was disabled, so turning JavaScript off was not a
workaround. The fix follows closely on the release of Firefox 2.0.0.2,
which itself addressed a handful of previously documented security
problems in the browser.
In a PC World article, the chief security officer at Mozilla is
quoted as saying "Because the browser is one of the most important
applications on today's computers -- and a growing number of mobile
devices -- it will likely remain a focal point for attacks and
security researchers, but that comes with the territory."
Read the full article here:
<http://www.pcworld.in/news/index.jsp/artId=5177367>
While IS&T doesn't officially support Firefox 2.0 yet, we do
recommend users at MIT take the updates and patches as they are
released. Approximately a third of the MIT community uses Firefox as
its default browser. It is also the default browser on Athena.
----------------------------------
2. Security Trends of 2007
----------------------------------
What should we be on the lookout for this coming year? IBM Internet
Security Systems (ISS) has published its predicted security trends for
2007. Among them:
- Internet Explorer (IE) will continue to provide a trove of
vulnerabilities, while browser attacks increase
- More spam will be image-based
- Close to 90 percent of new vulnerabilities this year will be
remotely exploitable
- Malware purveyors will organize themselves into more efficient
networks resulting in the development of "exploits-as-a-service"
industry and the rise of customized attacks.
While it's difficult to say what attackers will come up with next, it
is safe to say that they are often more cutting-edge and better
organized than the people combating them. Attackers will remain one
step ahead because their field is so lucrative, reportedly yielding
greater proceeds than the sale of illegal drugs. In addition, only
about 5% of cyber criminals are caught and prosecuted. As long as
there is profit to be made from these attacks and criminals continue
to get away with them, this trend will continue.
--------------------------------------------------------
3. Tip: Remain Cautious of Phishing Attacks
--------------------------------------------------------
In addition to watching for the trends IBM predicts above, we should
remain vigilant when receiving unsolicited email, since it may be a
phishing attempt. For guidance on recognizing and reporting phishing,
see OnGuard Online <www.onguardonline.gov>, a site with practical tips
from the federal government and the technology industry. One tip it
offers is to forward any email that is phishing for information to
spam at uce.gov and to the company, bank or organization impersonated
in the message. Several Web sites can help you learn what constitutes
a phishing email. To test your phishing IQ, you can visit:
<http://www.sonicwall.com/phishing/>.
If you have any questions, please contact IT Security at
security at mit.edu.
Monique