[IS&T Security-FYI] Newsletter, November 16, 2007
Monique Yeaton
myeaton at MIT.EDU
Fri Nov 16 12:21:13 EST 2007
In this issue:
1. November 2007 Security Patches
2. Unpatched Flaw in Firefox
3. Cyber Security in the News
4. Tip of the Week: Dangers of Social Networking
----------------------------------------------
1. November 2007 Security Patches
----------------------------------------------
Microsoft and Apple security updates were released earlier this
month. Here is a run-down of the products that were affected:
Microsoft:
* Microsoft Windows 2000 (no longer supported), XP
* Microsoft Windows Server 2003
On Patch Tuesday, Microsoft released two updates, one rated critical and
one rated important, that address vulnerabilities allowing remote code
execution and spoofing. Both updates require a restart. The
patches are now approved for deployment via MIT WAUS. See <http://
web.mit.edu/ist/topics/windows/updates/> for more information on
registering for MIT WAUS.
Learn more about this month's Microsoft security updates: <http://
www.microsoft.com/technet/security/bulletin/ms07-nov.mspx>
Note: Windows 2000 is no longer supported by Microsoft or MIT. A further
reason to upgrade from Windows 2000 to XP came to our attention this
week, when another flaw was discovered in the operating system that
could expose emails, passwords and other sensitive information. Read
the story here: <http://
www.physorg.com/news114086937.html>
Apple:
* Apple Mac OS X version 10.3.x and 10.4.x
* Apple Mac OS X Server version 10.3.x and 10.4.x
The vulnerabilities affect both Intel and PowerPC Macs. Apple has
released Mac OS X 10.4.11 and Security Update 2007-008 to address
multiple vulnerabilities in products from other vendors that ship
with OS X or OS X Server, such as BIND, bzip2, Adobe Flash, and MIT
Kerberos. Learn more about this update: <http://docs.info.apple.com/
article.html?artnum=307041>
* Apple QuickTime versions prior to 7.3
Apple has released updated versions of its QuickTime media player for
Mac OS X and for Windows. The updates, version 7.3 in both cases,
address seven security flaws. All seven flaws could be exploited to
execute arbitrary code; one could be exploited to gain elevated
privileges. Learn more about this update: <http://docs.info.apple.com/
article.html?artnum=306896>
-------------------------------------
2. Unpatched Flaw in Firefox
-------------------------------------
Software affected:
* Mozilla Firefox versions 2.0.0.8 and prior
* Other Mozilla products, such as Thunderbird and SeaMonkey, may
also be affected
Security watchers are concerned that a protocol handling flaw in
Firefox could have implications for the security of data held within
Google and, possibly, other web applications. The flaw is a cross-site
scripting vulnerability in Firefox's handling of the "jar:" protocol,
which is used to extract and render content from ZIP compressed
files; it could be exploited to obtain users' login credentials for
websites. No patch is currently available, but there are several
workarounds, including blocking URIs that use the "jar:" scheme.
Secunia advises users to avoid following untrusted "jar:" links or
visiting untrusted web sites until a fix is released.
Read the full story: <http://www.theregister.co.uk/2007/11/12/
jar_vuln/print.html>
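The workaround above amounts to refusing any request whose scheme is "jar:". As an added example (not code from the newsletter, from Mozilla, or from Secunia), the script below is a small request filter that recognises jar: URIs, splits them into the archive URL and the path inside the archive, and reports which host serves the archive. It assumes the standard jar: form, jar:<archive-url>!/<entry-path>, and the sample URIs are constructed for the demonstration; the hostnames in them are placeholders.

```javascript
// Added example: a request filter for the "jar:" scheme. Not from the
// newsletter or from Mozilla. A jar: URI has the form
//   jar:<url-of-archive>!/<path-inside-archive>
// The sample URIs below are constructed for this demo.

const JAR_SCHEME = /^\s*jar:/i;             // scheme test, case-insensitive
const JAR_PARTS  = /^\s*jar:(.*)!\/(.*)$/i; // greedy: split on the last "!/"

// Split a jar: URI into the archive URL and the entry path inside it.
// Returns null for anything that is not a well-formed jar: URI.
function parseJarUri(uri) {
  const m = JAR_PARTS.exec(uri);
  if (!m) return null;
  return { archive: m[1].trim(), entry: m[2] };
}

// Host that serves the archive, i.e. the site the extracted content is
// fetched from. Unwraps nested jar: URIs (jar:jar:...). Returns null when
// the URI is not a parseable jar: URI.
function archiveHost(uri) {
  const parsed = parseJarUri(uri);
  if (!parsed) return null;
  let archive = parsed.archive;
  while (JAR_SCHEME.test(archive)) {
    const inner = parseJarUri(archive);
    if (!inner) return null;
    archive = inner.archive;
  }
  try {
    return new URL(archive).host;
  } catch (e) {
    return null;
  }
}

// Decide whether a request should be allowed. Every URI whose scheme is
// jar: is blocked, including malformed ones without "!/", because the
// workaround needs a scheme-level block. A plain substring match on "jar:"
// would also reject ordinary URLs that merely mention it in a query string.
function filterRequest(uri) {
  if (JAR_SCHEME.test(uri)) {
    return { block: true, reason: 'jar: scheme', archiveHost: archiveHost(uri) };
  }
  return { block: false, reason: null, archiveHost: null };
}

// Constructed sample requests (placeholder hosts).
const SAMPLE_URIS = [
  'jar:http://www.example.com/uploads/photo.zip!/page.html',
  'JAR:https://mail.example.net/attach/x.zip!/index.html',
  'jar:http://www.example.com/bad.zip',                         // no entry part
  'http://www.example.com/search?q=jar:',                       // only mentions jar:
  'https://www.example.org/docs/manual.pdf',
  'jar:jar:http://www.example.com/outer.zip!/inner.zip!/page.html', // nested
];

// Run the filter over a list of URIs and return the decisions.
function filterAll(uris) {
  return uris.map((u) => ({ uri: u, ...filterRequest(u) }));
}

for (const r of filterAll(SAMPLE_URIS)) {
  console.log(r.block ? 'BLOCK' : 'allow', r.uri, r.archiveHost || '');
}
```

The scheme check is what a proxy rule or browser extension would enforce; the archive host is reported so an administrator reviewing blocked requests can see which site is serving the archive content.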
-------------------------------------
3. Cyber Security in the News
-------------------------------------
The U.S. government is looking more seriously at tightening and
improving cyber security programs. Several organizations are already
working on the issue of cyber security, including the Kerberos
consortium that kicked off in September (see the SFYI September 28,
2007 issue) and the MA Initiative to Combat Cyber Crime (see the SFYI
November 2, 2007 issue). The entire month of October is in fact
dedicated to National Cyber Security Awareness (also in the SFYI
September 28, 2007 issue).
Last week the Bush administration requested $154 million in funding
for new programs. The bulk would be put towards enhancing programs
already in place by US CERT (Computer Emergency Readiness Team) and
towards the Department of Justice to help FBI investigations. In
addition, the Government Accountability Office (GAO) director of
information technology and communications David Powner testified
before two House panels that the nation's infrastructure (the bulk of
which is owned by the private sector) lacks complete planning for
protection from cyber attacks. GAO recommended that the Department of
Homeland Security fully address the cyber security criteria by
September 2008. The private sector needs to not only improve its
plans but start implementing them, Powner said.
Read the full stories here at Federal Computer Week:
<http://www.fcw.com/online/news/150721-1.html?type=pf>
<http://www.fcw.com/online/news/150679-1.html?type=pf>
--------------------------------------------------------------
4. Tip of the Week: Dangers of Social Networking
--------------------------------------------------------------
Do you have a MySpace or Facebook profile? Have you searched or
posted classified ads on Craigslist or eBay? Do you share or view
photos and videos on sites like Flickr and YouTube? You probably do
one of the above or something like it. Social networking is huge and
is growing. While it provides a number of benefits for users, it can
also attract sexual predators and scam artists. Children are
especially vulnerable. The link to the article below warns of the
dangers and how to avoid becoming a victim.
<http://netsecurity.about.com/od/newsandeditoria2/a/socialpredators.htm>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security