[IS&T Security-FYI] Newsletter, November 16, 2007

Monique Yeaton myeaton at MIT.EDU
Fri Nov 16 12:21:13 EST 2007


In this issue:

1. November 2007 Security Patches
2. Unpatched Flaw in Firefox
3. Cyber Security in the News
4. Tip of the Week: Dangers of Social Networking


----------------------------------------------
1. November 2007 Security Patches
----------------------------------------------

Microsoft and Apple security updates were released earlier this  
month. Here is a run-down of the products that were affected:

Microsoft:

  * Microsoft Windows 2000 (no longer supported), XP
  * Microsoft Windows Server 2003

On Patch Tuesday, Microsoft released two updates, one critical and
one important, to address vulnerabilities that could allow remote code
execution and spoofing. The updates will require a restart. The
patches are now approved for deployment via MIT WAUS. See
<http://web.mit.edu/ist/topics/windows/updates/> for more information
on registering for MIT WAUS.

Learn more about this month's Microsoft security updates:
<http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx>

Note: Windows 2000 is no longer supported by Microsoft or MIT. A good
reason for upgrading from Windows 2000 to XP was brought to our
attention this week when another loophole was discovered in the
operating system, leaving it vulnerable to exposing emails, passwords
and other sensitive information. Read the story here:
<http://www.physorg.com/news114086937.html>

Apple:

  * Apple Mac OS X version 10.3.x and 10.4.x
  * Apple Mac OS X Server version 10.3.x and 10.4.x

The vulnerabilities affect both Intel and PowerPC Macs. Apple has
released Mac OS X 10.4.11 and Security Update 2007-008 to address
multiple vulnerabilities in products from other vendors that ship
with OS X or OS X Server, such as BIND, bzip2, Adobe Flash, and MIT
Kerberos. Learn more about this update:
<http://docs.info.apple.com/article.html?artnum=307041>

  * Apple QuickTime versions prior to 7.3

Apple has released updated versions of its QuickTime media player for
Mac OS X and for Windows. The updates, version 7.3 in both cases,
address seven security flaws. All seven flaws could be exploited to
execute arbitrary code; one could be exploited to gain elevated
privileges. Learn more about this update:
<http://docs.info.apple.com/article.html?artnum=306896>


-------------------------------------
2. Unpatched Flaw in Firefox
-------------------------------------

Software affected:

  * Mozilla Firefox versions 2.0.0.8 and prior
  * Other Mozilla products, such as Thunderbird and SeaMonkey, may
also be affected

Security watchers are concerned that a protocol handling flaw in
Firefox could have implications for the security of data held within
Google and, possibly, other web applications. A cross-site scripting
vulnerability in Firefox could be exploited to obtain users' login
credentials for websites. The problem lies in the implementation of
the jar protocol. While there is not a patch currently available for
the flaw, there are several workarounds, including blocking URIs that
contain "jar:". The "jar:" protocol is used to extract and render
content from ZIP compressed files. Secunia advises users to avoid
following untrusted "jar:" links or visiting untrusted web sites.

Read the full story:
<http://www.theregister.co.uk/2007/11/12/jar_vuln/print.html>
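The "block URIs that contain jar:" workaround above is easy to get
wrong if a filter only looks for the literal lowercase string at the
start of a link. The following Python snippet is an added example
written for this newsletter, not code from Mozilla or Secunia. It
shows how a link filter (for example in a web proxy or mail gateway)
can spot "jar:" URIs case-insensitively, after percent-decoding, and
anywhere inside a link, while still letting ordinary links that merely
end in ".jar" through. The hostnames (example.test) and the sample
link list are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample links a filter might see; none are from the newsletter.
SAMPLE_LINKS = [
    "http://web.mit.edu/ist/security",
    "jar:http://example.test/archive.zip!/page.html",
    "JAR:https://example.test/a.zip!/x.html",
    # jar: hidden inside a percent-encoded query parameter
    "http://example.test/redirect?to=jar%3Ahttp%3A%2F%2Fexample.test%2Fa.zip%21%2Fx.html",
    # plain download of a .jar file, not the jar: scheme
    "https://example.test/docs/manual.jar",
]

# jar:<archive-url>!/<entry-path>; the scheme name is matched case-insensitively.
JAR_RE = re.compile(r"jar:(?P<archive>[^!\s]+)!/(?P<entry>\S*)", re.IGNORECASE)


def find_jar_uris(text, max_decode=3):
    """Return a list of (archive, entry) tuples for every jar: URI in text.

    The text is percent-decoded up to max_decode times so that encoded
    forms such as jar%3A are not missed; decoding stops early once the
    string no longer changes.
    """
    found, seen = [], set()
    candidate = text
    for _ in range(max_decode):
        for match in JAR_RE.finditer(candidate):
            key = (match.group("archive"), match.group("entry"))
            if key not in seen:
                seen.add(key)
                found.append(key)
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    return found


def should_block(link):
    """True if the link contains a jar: URI in any of the forms checked above."""
    return bool(find_jar_uris(link))


def filter_links(links):
    """Split links into (allowed, blocked) according to should_block."""
    allowed, blocked = [], []
    for link in links:
        (blocked if should_block(link) else allowed).append(link)
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = filter_links(SAMPLE_LINKS)
    for link in blocked:
        print("BLOCK", link, find_jar_uris(link))
    for link in allowed:
        print("ALLOW", link)
```

Of the five constructed links, the three that carry a "jar:" scheme
(including the mixed-case and percent-encoded ones) are blocked, while
the MIT link and the plain ".jar" download are allowed.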


-------------------------------------
3. Cyber Security in the News
-------------------------------------

The U.S. government is looking more seriously at tightening and  
improving cyber security programs. Several organizations are already  
working on the issue of cyber security, including the Kerberos  
consortium that kicked off in September (see the SFYI September 28,  
2007 issue) and the MA Initiative to Combat Cyber Crime (see the SFYI  
November 2, 2007 issue). The entire month of October is in fact  
dedicated to National Cyber Security Awareness (also in the SFYI  
September 28, 2007 issue).

Last week the Bush administration requested $154 million in funding  
for new programs. The bulk would be put towards enhancing programs  
already in place by US CERT (Computer Emergency Readiness Team) and  
towards the Department of Justice to help FBI investigations. In  
addition, the Government Accountability Office (GAO) director of  
information technology and communications David Powner testified  
before two House panels that the nation's infrastructure (the bulk of  
which is owned by the private sector) lacks complete planning for  
protection from cyber attacks. GAO recommended that the Department of  
Homeland Security fully address the cyber security criteria by  
September 2008. The private sector needs to not only improve its  
plans but start implementing them, Powner said.

Read the full stories here at Federal Computer Week:
<http://www.fcw.com/online/news/150721-1.html?type=pf>
<http://www.fcw.com/online/news/150679-1.html?type=pf>


--------------------------------------------------------------
4. Tip of the Week: Dangers of Social Networking
--------------------------------------------------------------

Do you have a MySpace or Facebook profile? Have you searched or  
posted classified ads on Craigslist or eBay? Do you share or view  
photos and videos on sites like Flickr and YouTube? You probably do  
one of the above or something like it. Social networking is huge and  
is growing. While it provides a number of benefits for users, it can  
also attract sexual predators and scam artists. Children are  
especially vulnerable. The link to the article below warns of the  
dangers and how to avoid becoming a victim.

<http://netsecurity.about.com/od/newsandeditoria2/a/socialpredators.htm>



=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security