[IS&T Security-FYI] Newsletter, July 11, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Jul 11 12:56:53 EDT 2008


In this issue:

1. Software Bugs and Fixes
2. Get Smart: Virtualization Security Summit 2008
3. Tip of the Week: Traveling with Laptop is Risky

-----------------------------------
1. Software Bugs and Fixes
-----------------------------------

***FIXES***

Microsoft and Apple have both released updates this month. Below is a  
list of items affected:

----Microsoft-----

  * Microsoft Windows XP and Vista
  * Microsoft Windows Server 2003
  * Microsoft SQL Server
  * Microsoft Outlook Web Access

As part of this month's Microsoft Security Bulletin, the company
released four updates on July 8, all rated important and none rated
critical. They address various vulnerabilities that a remote,
unauthenticated attacker could use to execute arbitrary code or cause
a vulnerable system to crash. Apply the updates from Microsoft via MIT
WAUS or Microsoft software update.

For more information about these updates see:
<http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx>

----Apple----

  * Apple Mac OS X 10.5 through 10.5.3

Apple has released Mac OS X 10.5.4. It includes general operating  
system improvements that enhance the stability, compatibility, and  
security of your Mac. Specifically, it includes some new features for  
AirPort, iCal, Safari, and Spaces as well as some support for
third-party software.

This and other updates for Mac OS X are available via Apple Update.  
You can also obtain the update from the Apple web site:
<http://www.apple.com/support/downloads/>

***BUGS***

----Microsoft-----

Microsoft announced an unpatched Office Snapshot Viewer ActiveX  
Vulnerability this week. Systems affected:

  * Microsoft Office Access 2000
  * Microsoft Office Access XP
  * Microsoft Office Access 2003
  * Microsoft Office Snapshot Viewer

Microsoft has released Security Advisory (955179) to describe attacks  
on a vulnerability in the Microsoft Office Snapshot Viewer ActiveX  
control. Because no fix is currently available for this vulnerability,  
please see the Security Advisory and US-CERT Vulnerability Note  
VU#837785 for workarounds.

The most effective workaround for this vulnerability is to set kill  
bits for the Snapshot Viewer ActiveX control, as outlined in the  
documents noted above. Other workarounds include disabling ActiveX,  
and upgrading to Internet Explorer 7, which can help mitigate the  
vulnerability with its ActiveX opt-in feature.
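
The kill-bit workaround described above, shown as an added example (not part of the original newsletter or of Microsoft's advisory): a PowerShell script that reports whether the kill bit is set for a control and can set it. The CLSID is a placeholder to be replaced with the values listed in the advisory, the function names are hypothetical, and the script assumes an elevated prompt.

```powershell
# Added example: audit and set an ActiveX kill bit. Run from an elevated prompt.
# The kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under the
# control's CLSID key; when set, Internet Explorer will not instantiate the control.
$KillBit  = 0x400
$FlagName = 'Compatibility Flags'

# Native registry view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }   # view not present on this OS
        $key   = "$root\$Clsid"
        $flags = 0                                  # missing key or value = no kill bit
        if (Test-Path -LiteralPath $key) {
            $prop = Get-ItemProperty -LiteralPath $key -Name $FlagName -ErrorAction SilentlyContinue
            if ($prop) { $flags = $prop.$FlagName }
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $key = "$root\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $prop    = Get-ItemProperty -LiteralPath $key -Name $FlagName -ErrorAction SilentlyContinue
        $current = if ($prop) { $prop.$FlagName } else { 0 }
        # OR the bit in so that any compatibility flags already present are kept.
        New-ItemProperty -LiteralPath $key -Name $FlagName -PropertyType DWord `
            -Value ($current -bor $KillBit) -Force | Out-Null
    }
}

# PLACEHOLDER CLSID: replace with the CLSIDs from Security Advisory 955179.
$clsids = @('{00000000-0000-0000-0000-000000000000}')
foreach ($c in $clsids) {
    # Set-KillBit -Clsid $c      # uncomment to apply the workaround
    Get-KillBitState -Clsid $c
}
```

Running the audit before and after applying the workaround confirms that both registry views carry the flag.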

US-CERT Vulnerability Note VU#837785
<http://www.kb.cert.org/vuls/id/837785>

Microsoft Security Advisory (955179)
<http://www.microsoft.com/technet/security/advisory/955179.mspx>

-----------------------------------------------------------------------
2. Get Smart: SANS Virtualization Security Summit 2008
-----------------------------------------------------------------------

With all of its unquestionable benefits, virtualization brings with it  
both old and new security issues.  Join Tom Liston (one of the nation's
top virtual security gurus), and other virtualization experts, users,  
and vendors in Washington, DC on August 7-8, and hear how to get the  
most out of your Virtualization Security strategies.

This technical conference features highly interactive sessions and  
experts and users who share lessons learned from the trenches. The  
goal is to help you learn from their mistakes and from their  
discoveries, and at the same time discuss the latest processes and  
technologies. Get answers to these questions and more...

  * What's all the fuss about? Are there real vulnerabilities in  
virtual systems?
  * What are the economic and flexibility payoffs from going virtual?  
How can they be validated and quantified?
  * Which of the four leading virtual platforms provides the most  
security today?
  * How can application virtualization be used to harden my desktops?
  * Application virtualization vs. Desktop virtualization: Costs and  
benefits?

Who Should Attend?

  * Security managers whose responsibility includes virtualized  
environments
  * Managers responsible for leading the roll-out of virtualization  
within an enterprise
  * Consultants whose clients are considering virtualizing portions of  
their infrastructure
  * Desktop application managers who are looking for innovative ways  
to protect end users from attack
  * Virtualization resellers or consultants looking to broaden their  
understanding of how to best help their clients secure their  
infrastructure

To register go to: <http://www.sans.org/info/30333>


--------------------------------------------------------------
3. Tip of the Week: Traveling with Laptop is Risky
--------------------------------------------------------------

Every week, thousands of laptops are lost in airports around the  
country. While more users turn to laptops as their primary PC, the  
risk of losing data on their hard drives has greatly increased, as has  
the possibility of having the hard drive damaged while traveling.

While computer use has changed, one study found that people are not  
adjusting to these new risks. A study conducted by the Ponemon  
Institute showed that many travelers do not back up their data or use  
encryption to protect what has been downloaded to the laptop. Many  
vacationers like to take along their laptops to get some extra work  
done or to download or upload photos while away from home. However,  
this mobility is putting companies and individuals at risk of having a  
data breach if a laptop containing sensitive information is lost or  
stolen.

Some vendors are offering new services to track and recover lost
laptops. Dell, Lenovo and other PC vendors are offering services for
their business laptops that will not only track stolen or missing
notebooks, but also offer a range of security features that can
remotely erase company data from the hard drive.

If you are traveling with your laptop this summer, you may want to
check what security features the laptop's vendor or other businesses
are offering. Even better, if you don't need the data on the
computer while you are away, don't leave it on there. Back the data up  
and leave it at home, then erase all traces of the data from the  
laptop using safe erasing methods.

Article about laptop losses in airports:
<http://www.darkreading.com/document.asp?doc_id=158099&f_src=drdaily>

Traveling with Laptop Resource Guide:
<http://web.mit.edu/ist/topics/network/travel.html>

Data Erasing Guidelines:
<http://web.mit.edu/ist/topics/security/media_sanitizing.html#3>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security





