[IS&T Security-FYI] Newsletter, Mar. 8, 2007

Monique Yeaton myeaton at MIT.EDU
Thu Mar 8 16:51:22 EST 2007


Covered in this issue:

1. Firefox Patch Fixes Security Flaw
2. Security Trends of 2007
3. Tip: Remain Cautious of Phishing Attacks

----------------------------------------------
1. Firefox Patch Fixes Security Flaw
----------------------------------------------

The Mozilla Foundation released a patch last Monday to fix a critical  
JavaScript vulnerability in Firefox 2.0.0.2 and 1.5.0.10, as well as in  
SeaMonkey 1.1.1 and 1.0.8. According to Mozilla, the vulnerability  
allowed a JavaScript URI placed in an image tag to execute even when  
JavaScript was disabled in the browser. The fix comes on the heels of  
the release of Firefox 2.0.0.2, which itself addressed a handful of  
previously documented security problems in the browser.

In a PC World article, the chief security officer at Mozilla is  
quoted as saying "Because the browser is one of the most important  
applications on today's computers -- and a growing number of mobile  
devices -- it will likely remain a focal point for attacks and  
security researchers, but that comes with the territory."
Read the full article here: <http://www.pcworld.in/news/index.jsp/artId=5177367>

While IS&T doesn't officially support Firefox 2.0 yet, we do  
recommend that users at MIT install the updates and patches as they  
are released. Approximately a third of the MIT community uses Firefox  
as its default browser, and it is also the default browser on Athena.


----------------------------------
2. Security Trends of 2007
----------------------------------

What should we be on the lookout for this coming year? IBM Internet  
Security Systems (ISS) has published its predicted security trends  
for 2007. Among them:

- Internet Explorer (IE) will continue to provide a trove of  
vulnerabilities, while browser attacks increase.
- More spam will be image-based.
- Close to 90 percent of new vulnerabilities this year will be  
remotely exploitable.
- Malware purveyors will organize themselves into more efficient  
networks, resulting in the development of an "exploits-as-a-service"  
industry and the rise of customized attacks.

While it's difficult to say what attackers will come up with next, it  
is safe to say that they are often more cutting-edge and better  
organized than the people combating them. Attackers will remain one  
step ahead because the field is so lucrative: cybercrime now yields  
greater proceeds than the sale of illegal drugs. In addition, only  
about 5% of cyber criminals are caught and prosecuted. As long as  
there is profit to be made from these attacks and criminals continue  
to get away with them, this trend will continue.


--------------------------------------------------------
3. Tip: Remain Cautious of Phishing Attacks
--------------------------------------------------------

In addition to watching for the trends from IBM mentioned above, we  
should still remain vigilant when receiving unsolicited email that  
could be a phishing attempt. For guidance on recognizing and  
reporting phishing, see OnGuard Online <www.onguardonline.gov>, a  
site with practical tips from the federal government and the  
technology industry. One tip they offer is to forward any spam that  
is phishing for information to spam at uce.gov and to the company,  
bank or organization impersonated in the email. Several Web sites can  
help you learn what constitutes a phishing email. To test your  
phishing IQ, you can visit: <http://www.sonicwall.com/phishing/>.

If you have any questions, please contact IT Security at  
security at mit.edu.

Monique

More information about the ist-security-fyi mailing list