[IS&T Security-FYI] Newsletter, July 11, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Jul 11 12:56:53 EDT 2008
In this issue:
1. Software Bugs and Fixes
2. Get Smart: Virtualization Security Summit 2008
3. Tip of the Week: Traveling with Laptop is Risky
-----------------------------------
1. Software Bugs and Fixes
-----------------------------------
***FIXES***
Microsoft and Apple have both released updates this month. Below is a
list of items affected:
----Microsoft-----
* Microsoft Windows XP and Vista
* Microsoft Windows Server 2003
* Microsoft SQL Server
* Microsoft Outlook Web Access
As part of this month's Microsoft Security Bulletin, the company
released 4 important (but no critical) updates on July 8. They
address various vulnerabilities that a remote, unauthenticated
attacker could use to execute arbitrary code or cause a vulnerable
system to crash. Apply the updates from Microsoft via MIT WAUS or
Microsoft software update.
For more information about these updates see:
<http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx>
----Apple----
* Apple Mac OS X 10.5 through 10.5.3
Apple has released Mac OS X 10.5.4. It includes general operating
system improvements that enhance the stability, compatibility, and
security of your Mac. Specifically, it includes some new features for
AirPort, iCal, Safari, and Spaces as well as some support for
third-party software.
This and other updates for Mac OS X are available via Apple Update.
You can also obtain the update from the Apple web site:
<http://www.apple.com/support/downloads/>
***BUGS***
----Microsoft-----
Microsoft announced an unpatched Office Snapshot Viewer ActiveX
Vulnerability this week. Systems affected:
* Microsoft Office Access 2000
* Microsoft Office Access XP
* Microsoft Office Access 2003
* Microsoft Office Snapshot Viewer
Microsoft has released Security Advisory (955179) to describe attacks
on a vulnerability in the Microsoft Office Snapshot Viewer ActiveX
control. Because no fix is currently available for this vulnerability,
please see the Security Advisory and US-CERT Vulnerability Note
VU#837785 for workarounds.
The most effective workaround for this vulnerability is to set kill
bits for the Snapshot Viewer ActiveX control, as outlined in the
documents noted above. Other workarounds include disabling ActiveX,
and upgrading to Internet Explorer 7, which can help mitigate the
vulnerability with its ActiveX opt-in feature.
US-CERT Vulnerability Note VU#837785
<http://www.kb.cert.org/vuls/id/837785>
Microsoft Security Advisory (955179)
<http://www.microsoft.com/technet/security/advisory/955179.mspx>
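The kill-bit workaround described above is a registry setting: Internet Explorer refuses to load an ActiveX control whose CLSID has the 0x400 bit set in the "Compatibility Flags" value under the "ActiveX Compatibility" key. The script below is an added example written for this newsletter, not something from Microsoft or US-CERT; it audits whether the kill bit is already set for a control and sets it if not. The CLSID in it is a placeholder, because this newsletter does not list the control's CLSIDs; take the real values from Security Advisory 955179 or VU#837785 and substitute them before running it from an elevated PowerShell prompt.

```powershell
# Added example (not from the newsletter or the advisory): audit and set the
# Internet Explorer "kill bit" for an ActiveX control, the workaround that
# Microsoft Security Advisory 955179 and US-CERT VU#837785 describe.
# Requires an elevated (Administrator) PowerShell session.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # bit in "Compatibility Flags" that stops IE from loading the control

function Get-ActiveXKillBit {
    # Returns $true if the kill bit is set for the given CLSID, otherwise $false.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-ActiveXKillBit {
    # Sets the kill bit, preserving any other compatibility flags already present.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if ($PSCmdlet.ShouldProcess($Clsid, 'Set ActiveX kill bit')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        $newFlags = [int]($existing -bor $KillBitFlag)   # $null -bor 0x400 is 0x400
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    }
}

# PLACEHOLDER: replace with the control's actual CLSID(s) from the advisory.
$clsids = @('{00000000-0000-0000-0000-000000000000}')

foreach ($c in $clsids) {
    if (Get-ActiveXKillBit -Clsid $c) {
        "$c : kill bit already set"
    } else {
        Set-ActiveXKillBit -Clsid $c
        "$c : kill bit set"
    }
}
```

Restart Internet Explorer after running it so the new flags take effect. On 64-bit Windows the 32-bit browser reads the same key under `HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility`, so set `$KillBitRoot` to that path as well and run the loop a second time if 32-bit IE is in use. Running `Get-ActiveXKillBit` alone on each machine is a quick way to confirm the workaround is in place across a fleet.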
-----------------------------------------------------------------------
2. Get Smart: SANS Virtualization Security Summit 2008
-----------------------------------------------------------------------
With all of its unquestionable benefits, virtualization brings with it
both old and new security issues. Join Tom Liston (one of the nation's
top virtual security gurus), and other virtualization experts, users,
and vendors in Washington, DC on August 7-8, and hear how to get the
most out of your Virtualization Security strategies.
This technical conference features highly interactive sessions and
experts and users who share lessons learned from the trenches. The
goal is to help you learn from their mistakes and from their
discoveries, and at the same time discuss the latest processes and
technologies. Get answers to these questions and more...
* What's all the fuss about? Are there real vulnerabilities in
virtual systems?
* What are the economic and flexibility payoffs from going virtual?
How can they be validated and quantified?
* Which of the four leading virtual platforms provides the most
security today?
* How can application virtualization be used to harden my desktops?
* Application virtualization vs. Desktop virtualization: Costs and
benefits?
Who Should Attend?
* Security managers whose responsibility includes virtualized
environments
* Managers responsible for leading the roll-out of virtualization
within an enterprise
* Consultants whose clients are considering virtualizing portions of
their infrastructure
* Desktop application managers who are looking for innovative ways
to protect end users from attack
* Virtualization resellers or consultants looking to broaden their
understanding of how to best help their clients secure their
infrastructure
To register go to: <http://www.sans.org/info/30333>
--------------------------------------------------------------
3. Tip of the Week: Traveling with Laptop is Risky
--------------------------------------------------------------
Every week, thousands of laptops are lost in airports around the
country. As more users turn to laptops as their primary PC, the
risk of losing the data on their hard drives has greatly increased, as
has the possibility of having the hard drive damaged while traveling.
While computer use has changed, one study found that people are not
adjusting to these new risks. A study conducted by the Ponemon
Institute showed that many travelers do not back up their data or use
encryption to protect what has been downloaded to the laptop. Many
vacationers like to take along their laptops to get some extra work
done or to download or upload photos while away from home. However,
this mobility is putting companies and individuals at risk of having a
data breach if a laptop containing sensitive information is lost or
stolen.
Some vendors are offering new services to track and recover lost
laptops. Dell, Lenovo and other PC vendors are offering services for
their business laptops that will not only track stolen or missing
notebooks, but also offer a range of security features that can
remotely erase company data from the hard drive.
If you are traveling with your laptop this summer, you may want to see
what the laptop's vendor or what other businesses are offering for
security features. Even better, if you don't need the data on the
computer while you are away, don't leave it on there. Back the data up
and leave it at home, then erase all traces of the data from the
laptop using safe erasing methods.
Article about laptop losses in airports:
<http://www.darkreading.com/document.asp?doc_id=158099&f_src=drdaily>
Traveling with Laptop Resource Guide:
<http://web.mit.edu/ist/topics/network/travel.html>
Data Erasing Guidelines:
<http://web.mit.edu/ist/topics/security/media_sanitizing.html#3>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security