[IS&T Security-FYI] Newsletter, April 11, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Apr 11 11:45:58 EDT 2008



In this issue:

1. April 2008 Security Updates
2. Looking at Universities to Fix Vulnerabilities in Software
3. Tip of the Week: Browsing Safely Using IE7


--------------------------------------
1. April 2008 Security Updates
--------------------------------------

This month so far has seen a variety of software security patches  
from Microsoft, Apple, and Adobe. Here is a run-down of the products  
that were affected:

----Microsoft----

  * All supported versions of Windows
  * Microsoft Office Project
  * Microsoft Office Visio
  * Internet Explorer 6 and 7

The Security Bulletin from Microsoft released on April 8 included  
five critical and three important patches for the Windows operating  
system and Office products. These patches are now approved for  
deployment via MIT WAUS.

The most severe vulnerabilities could allow a remote, unauthenticated  
attacker to execute arbitrary code, gain elevated privileges, or  
cause a denial of service.

For more information on these patches:
<http://www.microsoft.com/technet/security/bulletin/ms08-Apr.mspx>

----Apple----

  * Apple Mac OS X running versions of QuickTime prior to 7.4.5
  * Microsoft Windows running versions of QuickTime prior to 7.4.5

Apple QuickTime versions prior to 7.4.5 have vulnerabilities in the  
way different types of image and media files are handled. An attacker  
could exploit these vulnerabilities by convincing a user to access a  
specially crafted image or media file that could be hosted on a web  
page. Note that Apple iTunes installs QuickTime, so any system with  
iTunes may be vulnerable.

The suggested solution is to upgrade to QuickTime 7.4.5. This and  
other updates for Mac OS X are available via Apple's Software Update. You can  
also obtain the update from Apple here:
<http://www.apple.com/quicktime/download/>

----Adobe----

  * Adobe Flash Player 9.0.115.0 and earlier
  * Adobe Flash Player 8.0.39.0 and earlier

Adobe Security Advisory APSB08-011 addresses a number of  
vulnerabilities affecting the Adobe Flash player. The Adobe Flash  
browser plugin is available for multiple web browsers and operating  
systems, any of which could be affected.

An attacker could exploit these vulnerabilities by convincing a user  
to visit a website that hosts a specially crafted SWF file. The  
impact of these vulnerabilities varies. The most severe could allow a  
remote attacker to execute arbitrary code or conduct cross-site  
scripting attacks.

Check with your operating system vendor for patches or updates. If  
you get the flash player from Adobe, see the Adobe Get Flash page for  
information about updates:
<http://www.adobe.com/go/getflash>.

You can verify which Flash Player version you have installed by going  
to the About Flash Player page:
<http://www.macromedia.com/software/flash/about/index.html>
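
Checking a fleet against the affected ranges above is mostly a version
comparison problem, and naive string comparison gets it wrong (as strings,
"9.0.9.0" sorts after "9.0.115.0"). The following is an added example, not
code from the newsletter or from Apple or Adobe: it encodes the ranges exactly
as stated above (QuickTime prior to 7.4.5; Flash Player 9.0.115.0 and earlier
and 8.0.39.0 and earlier), compares versions numerically, and flags affected
entries in a small inventory. The inventory is constructed sample data, and
the handling of Flash majors the advisory does not name (treat anything
below 8 as affected, anything above 9 as outside this advisory) is an
assumption of the example.

```python
"""Flag QuickTime / Flash Player versions inside the affected ranges named
in this newsletter. Sample inventory below is constructed, not real hosts."""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn '9.0.115.0' into (9, 0, 115, 0) so comparison is numeric.
    Comparing the raw strings is wrong: '9.0.9.0' > '9.0.115.0' lexically."""
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"no version number in {s!r}")
    return tuple(int(p) for p in parts)


def cmp_versions(a: Version, b: Version) -> int:
    """Return -1, 0 or 1. Shorter tuples are zero-padded so 7.4 == 7.4.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


# QuickTime: "versions prior to 7.4.5" are affected.
QUICKTIME_FIXED: Version = (7, 4, 5)

# Flash Player: "9.0.115.0 and earlier" and "8.0.39.0 and earlier",
# keyed by major version so each branch is checked against its own ceiling.
FLASH_CEILINGS: Dict[int, Version] = {9: (9, 0, 115, 0), 8: (8, 0, 39, 0)}


def quicktime_affected(version: str) -> bool:
    return cmp_versions(parse_version(version), QUICKTIME_FIXED) < 0


def flash_affected(version: str) -> bool:
    v = parse_version(version)
    ceiling = FLASH_CEILINGS.get(v[0])
    if ceiling is None:
        # Assumption (not stated in the advisory text above): majors older
        # than 8 predate both named ranges and are treated as affected;
        # majors newer than 9 are outside this advisory.
        return v[0] < 8
    return cmp_versions(v, ceiling) <= 0


CHECKS: Dict[str, Callable[[str], bool]] = {
    "QuickTime": quicktime_affected,
    "Flash Player": flash_affected,
}

# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("host-a", "QuickTime", "7.4.1"),
    ("host-b", "QuickTime", "7.4.5"),
    ("host-c", "Flash Player", "9.0.115.0"),
    ("host-d", "Flash Player", "9.0.124.0"),
    ("host-e", "Flash Player", "8.0.35.0"),
    ("host-f", "Flash Player", "9.0.9.0"),
]


def find_affected(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the inventory rows whose product/version falls in an affected range."""
    return [(host, product, ver) for host, product, ver in inventory
            if CHECKS[product](ver)]


if __name__ == "__main__":
    for host, product, ver in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver} is in an affected range; update it")
```

Note host-f: a lexicographic string comparison would report 9.0.9.0 as newer
than 9.0.115.0 and miss it; the numeric comparison correctly flags it.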


-------------------------------------------------------------------------
2. Looking at Universities to Fix Vulnerabilities in Software
-------------------------------------------------------------------------

Universities and colleges have an important role to play in making  
sure coders follow secure coding practices when working on software  
products, according to software vendors. This is because vendors hire  
many of their coders straight out of university CS (Computer Science)  
departments. Vendors such as Oracle are finding that they  
need to train their newly hired programmers in secure coding 101,  
which is a costly and time-consuming process. Vendors question why  
these recent graduates don't already have this type of skill under  
their belt. As Oracle and other vendors point out, the impact to  
vendors and their customers when avoidable and preventable security  
defects make it into commercial software products is a national  
security problem.

Oracle's Chief Information Security Officer, Mary Ann Davidson,  
posted a blog entry heralding an important first step in improving  
secure coding education in US colleges and universities. The good news is  
that the GSSP (GIAC Secure Software Programmer) certification exam  
offered by SANS <www.sans.org/gssp> is now ready and available. In  
response to this effort, faculty from many colleges are meeting to  
agree on exercises and other tools for embedding security in existing  
CS and programming courses. These schools could become leaders in  
helping programmers write code with fewer security flaws.

Read Mary Ann Davidson's blog here:
<http://blogs.oracle.com/maryanndavidson/>


----------------------------------------------------------
3. Tip of the Week: Browsing Safely Using IE7
----------------------------------------------------------

To continue the conversation on safe browsing that started a few  
weeks ago in this newsletter, let's look more closely at some of the  
features in the browsers we use that can make surfing the Web safer  
and easier. This week we'll look at Internet Explorer 7 by Microsoft  
and in upcoming newsletter issues we'll look at some of the other  
browsers we might use.

The following useful article was posted a few months ago in the  
"is&t" newsletter on safety features in IE7. If you haven't read it  
through yet, I suggest you review it now in light of the growing  
popularity of attacks via the Internet:
<http://web.mit.edu/ist/isnews/v22/n02/220208.html>

Additional security tips for Internet Explorer users can be found  
online at About.com:
<http://netsecurity.about.com/cs/tutorials/ht/ht020203.htm?nl=1>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
