[IS&T Security-FYI] Newsletter, October 12, 2007

Monique Yeaton myeaton at MIT.EDU
Fri Oct 12 11:23:59 EDT 2007


In this issue:

1. October 2007 Security Patches
2. Top Ten Reasons Why People Don't Have Better Computer Security
3. Tip of the Week: Combat Bluetooth Blues


-------------------------------------------
1. October 2007 Security Patches
-------------------------------------------

Microsoft and Apple security updates were released earlier this month. Adobe also released a security advisory, and two Linux vulnerabilities have been found in the past couple of weeks. Here is a run-down of the affected products.

Microsoft:

  * Microsoft Windows
  * Microsoft Internet Explorer
  * Microsoft Outlook Express and Windows Mail
  * Microsoft Office
  * Microsoft Office for Mac
  * Microsoft SharePoint

Microsoft released six security updates on Patch Tuesday that address  
vulnerabilities in several products. Four of these were critical.  
Exploitation of these vulnerabilities could allow a remote,  
unauthenticated attacker to execute arbitrary code or cause a denial  
of service on a vulnerable system.

The patches are now approved for deployment via MIT WAUS. See <http://web.mit.edu/ist/topics/windows/updates/> for more information on registering for MIT WAUS.

Learn more about this month's Microsoft security updates: <http://www.microsoft.com/protect/computer/updates/bulletins/200710.mspx>

Apple:

  * iPhone 1.1.1
  * QuickTime 4.2 for Windows Vista, XP, SP2

Apple has released iPhone update 1.1.1 for 10 vulnerabilities found  
in Bluetooth, Mail and Safari as well as providing additional  
features. The vulnerabilities could be exploited to execute arbitrary  
code, cause denial-of-service conditions, or gain access to private  
data.

This download warns that if you have modified or unlocked your phone,  
applying this patch may render the phone useless. There are reports  
that the update causes problems with unmodified phones as well. Due  
to these issues, you may be better off waiting to upgrade.

*** MIT's IS&T Help Desk does not currently offer support for the iPhone. ***

Learn more about the iPhone update: <http://docs.info.apple.com/article.html?artnum=306586>

The QuickTime update addresses an issue in QuickTime's handling of  
URLs in QuickTime Link (QTL) files. This issue does not affect Mac OS  
X. The update can be obtained from the Software Update application or  
from the Apple Downloads site <http://www.apple.com/support/downloads/>

Adobe:

  * Adobe Reader and Acrobat 8.1 and earlier

This vulnerability only affects Windows XP users with IE 7 installed. There is currently a workaround solution suggested: <http://www.adobe.com/support/security/advisories/apsa07-04.html>

Linux:

  * rPath rMake
  * Linux Kernel HugeLBT

Note to Linux users: Vulnerabilities in products that run on Linux  
are often not listed in one particular report. Subscribe to the Red  
Hat watch list to get new security advisories for Red Hat products:  
<http://www.redhat.com/security/updates/advisory/> or subscribe to  
the SANS @Risk Consensus Security Vulnerability Alert (released  
weekly): <http://www.sans.org/newsletters/risk/>. The SANS alert  
includes vulnerabilities in all products, not just those that run on  
Linux.

------------------------------------------------------------------------------------------
2. Top Ten Reasons Why People Don't Have Better Computer Security
------------------------------------------------------------------------------------------

If you haven't experienced a data breach or computer security problem yet, you may assume your computer is already safe, but do you take the time to confirm this? Are you relying too heavily on security technology instead of changing your computing behavior? These are the top 10 reasons people give for not taking security measures:

10. I don't have anything important on my computer.
 9. My computer is brand new. It came with all the security stuff on it.
 8. My IT department takes care of everything, so I don't have to worry about it.
 7. I'm positive my anti-virus program is working, and it will take care of the worst stuff.
 6. I have a hardware firewall; nobody can get into my computer.
 5. Anti-virus and anti-spyware programs slow my computer down too much.
 4. I only open attachments from people I know.
 3. I don't use the same password for all of my files.
 2. Who is going to break into MY computer? and
 1. I'm planning to install all the security stuff as soon as I get caught up on my work.

-------------------------------------------------------
3. Tip of the Week: Combat Bluetooth Blues
-------------------------------------------------------

You've heard about Bluetooth. But how about Bluejacking,  
Bluesnarfing, and Bluebugging? A study by research firm  
InsightExpress has revealed that 73% of mobile device users are not  
acquainted with security issues that could put mobile devices such as  
cellphones and Bluetooth-equipped notebooks at risk.

Bluejacking, also known as bluespamming, is a technique used to send  
anonymous text messages to mobile users via Bluetooth. Bluesnarfing,  
a more dangerous technique, can allow a hacker to access information  
stored on a mobile device without its user's knowledge. Possibly the  
most serious of the three risks is bluebugging. This technique allows  
attackers to access mobile-phone commands using Bluetooth technology,  
without notifying or alerting the device owner, and initiate phone  
calls, send and receive text messages, read and write phonebook  
contacts, eavesdrop on phone conversations, and connect to the Internet.

Ways to combat these risks:

  - Stay offline: turn off features you are not using
  - Stay invisible: set the device's visibility to "hidden"
  - Verify incoming transmissions: do not accept attachments from unknown sources
  - Use passwords: set one with a large number of digits
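The first three tips above can be checked on a Linux notebook rather than taken on faith. The script below is an added example, not part of the original newsletter or of any MIT IS&T tool: it parses the controller properties printed by BlueZ's `bluetoothctl show` (the layout of that output, and the sample text itself, are assumptions constructed here, not captured from a real device) and reports which of the "stay offline", "stay invisible" and "verify incoming transmissions" advice the current state violates. The PIN-length tip cannot be read from this output, so it is not audited.

```python
"""Audit a Bluetooth controller's state against the newsletter's tips.

Added example, not part of the original newsletter. The input is modelled
on `bluetoothctl show` from BlueZ; the sample below is constructed.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of `bluetoothctl show` output
# (a controller that is on, permanently discoverable and pairable).
SAMPLE_SHOW_OUTPUT = """\
Controller AA:BB:CC:DD:EE:FF (public)
\tName: example-laptop
\tAlias: example-laptop
\tPowered: yes
\tDiscoverable: yes
\tDiscoverableTimeout: 0x00000000
\tPairable: yes
\tDiscovering: no
"""


def parse_show_output(text: str) -> Dict[str, str]:
    """Collect the indented 'Key: value' lines into a dict (keys are case-sensitive)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([A-Za-z]+):\s+(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _as_int(value: str) -> int:
    """bluetoothctl prints some numbers as 0x-prefixed hex; accept decimal too."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def audit_controller(props: Dict[str, str], in_use: bool) -> List[str]:
    """Return one finding per tip the controller state violates.

    in_use: whether the user actually needs Bluetooth right now; when False,
    a powered or pairable controller is reported as unnecessary exposure.
    """
    findings: List[str] = []

    # Tip 1, "stay offline": radio is on although nothing uses it.
    if props.get("Powered") == "yes" and not in_use:
        findings.append("Stay offline: Bluetooth is powered on but not in use")

    # Tip 2, "stay invisible": device answers inquiry scans from strangers.
    if props.get("Discoverable") == "yes":
        timeout = _as_int(props.get("DiscoverableTimeout", "0"))
        if timeout == 0:
            findings.append("Stay invisible: controller is permanently discoverable")
        else:
            findings.append(f"Stay invisible: controller is discoverable for {timeout} s")

    # Tip 3, "verify incoming transmissions": new pairings accepted while idle.
    if props.get("Pairable") == "yes" and not in_use:
        findings.append("Verify incoming transmissions: controller accepts new pairings while idle")

    return findings


if __name__ == "__main__":
    state = parse_show_output(SAMPLE_SHOW_OUTPUT)
    for finding in audit_controller(state, in_use=False):
        print(finding)
```

On a real system the text would come from `subprocess.run(["bluetoothctl", "show"], capture_output=True, text=True).stdout`; the parser only looks at indented `Key: value` lines, so the leading `Controller ...` line and any extra UUID lines are ignored.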

For more information: <http://www.news.com/Symantec-warns-users-over-Bluetooth-security/2100-1029_3-6209361.html?tag=cd.lede>

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security