[IS&T Security-FYI] SFYI Newsletter, October 17, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Oct 17 12:52:25 EDT 2008
In this issue:
1. October 2008 Security Updates
2. Clickjacking: The New Browser Exploit
3. Dangerous Celebrities in Cyberspace
-------------------------------------------
1. October 2008 Security Updates
-------------------------------------------
Microsoft and Apple have both released security updates this month.
Below is a list of items affected:
-----Microsoft-----
* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Office
Microsoft released 11 security updates on October 14. They include 4
critical and 6 important updates and address various vulnerabilities a
remote, unauthenticated attacker could use to execute arbitrary code
or cause a vulnerable system to crash. Apply the updates from
Microsoft via MIT WAUS or Microsoft Software Update.
For more information about these updates see:
<http://www.microsoft.com/technet/security/bulletin/MS08-Oct.mspx>
-----Apple-----
* Mac OS X 10.4.11
* Mac OS X 10.5.5
Apple released Security Update 2008-007 to address various
vulnerabilities in the operating system and supported software. Bugs
were found in items such as Apache, Certificates, Finder, and PHP. The
updates can be obtained through Software Update or from the Apple
Downloads page.
For more information about these updates see:
<http://support.apple.com/kb/HT1222?viewlocale=en_US>
---------------------------------------------------
2. Clickjacking: The New Browser Exploit
---------------------------------------------------
You may have heard this term bounced around recently. So what is it?
"Clickjacking gives an attacker the ability to trick a user into
clicking on something only barely or momentarily noticeable.
Therefore, if a user clicks on a Web page, they may actually be
clicking on content from another page," according to Jeremiah Grossman
of WhiteHat Security.
More details can be found at Grossman's blog. As he points out, this
vulnerability can be used to eavesdrop on people's conversations using
their PC microphones, which could have ramifications for industrial
espionage and national security.
Clickjacking encompasses a range of attack techniques and affects a
variety of browsers and plug-ins like Adobe Flash Player. Adobe issued
a security advisory that describes a way to mitigate the risk faced by
those with Adobe Flash Player installed -- almost everyone online. The
advisory applies to Adobe Flash Player 9.0 and earlier.
Adobe recommends setting the "Always deny" button in the Global
Privacy Settings panel of the Adobe Flash Player settings. The company
is also working on an update to its Flash Player software that will
address the vulnerability.
How to defend against clickjacking? "Put tape over your camera,
disable your microphone, install NoScript, and/or disable your
plug-ins," advises Grossman, even as he concedes few users will be
willing to lose access to YouTube and Flash games as a result.
To read the full story: <http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=210800544>
Grossman's blog: <http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html>
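The advice above is all on the user's side. Sites can also refuse to be framed, which removes the hidden page the attacker's overlay depends on. The following is an added example, not code from the newsletter, from Grossman's blog or from Adobe's advisory; it uses the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, both of which postdate this 2008 issue, and the origin https://partner.example and the sample header sets are constructed for the demonstration.

```javascript
// Added example (not from the newsletter or its sources). Clickjacking loads
// a victim page in an invisible <iframe> on the attacker's page and places it
// under a harmless-looking control, so the user's click lands on the hidden
// page. The page-side defense is to tell the browser not to render the page
// inside another origin's frame at all.

// Build the response headers a site should send on pages with sensitive
// actions. `allowedOrigins` is empty (deny all framing) or a list of origins
// permitted to embed the page, e.g. a trusted sibling site.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot express a list of origins (ALLOW-FROM was never
  // widely supported), so SAMEORIGIN is the legacy fallback and the CSP
  // directive carries the precise policy for browsers that honour it.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
  };
}

// Audit a response's headers the way a scanner would and report the framing
// policy the page actually ends up with: 'deny', 'sameorigin',
// 'allowed-origins' or 'none' (frameable by anyone, exposed to clickjacking).
// frame-ancestors takes precedence over X-Frame-Options in browsers that
// support both, so it is checked first. Header names are matched
// case-insensitively, as HTTP requires.
function framingProtection(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const csp = lower['content-security-policy'];
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      // An empty source list allows no ancestors, the same as 'none'.
      if (sources.length === 0 || sources.includes("'none'")) return 'deny';
      if (sources.every((s) => s === "'self'")) return 'sameorigin';
      return 'allowed-origins';
    }
  }

  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'sameorigin';
  return 'none';
}

// Constructed sample responses for a self-check; the partner origin is made up.
const SAMPLE_RESPONSES = {
  hardened: antiFramingHeaders(),
  partner: antiFramingHeaders(['https://partner.example']),
  legacyOnly: { 'x-frame-options': 'sameorigin' },
  unprotected: { 'Content-Type': 'text/html' },
};

// Run the audit over every sample and return a name -> policy report.
function auditAll(responses = SAMPLE_RESPONSES) {
  const report = {};
  for (const [name, headers] of Object.entries(responses)) {
    report[name] = framingProtection(headers);
  }
  return report;
}

console.log(auditAll());
```

A page that audits as 'none' can still be framed by any site, which is the precondition for the attack the article describes; the user-side measures Grossman lists are the only protection left for such pages.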
--------------------------------------------------
3. Dangerous Celebrities in Cyberspace
--------------------------------------------------
McAfee, the company that produces the VirusScan software supported
by MIT, released a report this year on which celebrities are the most
dangerous to search for on the Internet.
Brad Pitt, Justin Timberlake, Beyonce, and Heidi Montag top the
current list. Checking in on your famous friends is not only a guilty
pleasure, but seriously dangerous for your PC. Fans searching for
"Brad Pitt," "Brad Pitt downloads," and Brad Pitt wallpaper, screen
savers and pictures have an 18% chance of having their PCs infected
with online threats, such as spyware, spam, phishing, adware, viruses
and other malware.
Cybercriminals are using A-listers' names and images to lure Internet
users who surf the Web for the latest gossip, screen savers and
ringtones to "fake" Web sites that look legitimate. By tapping into
Americans' obsession with following celebrities' lifestyles,
cybercriminals can trick consumers into infecting themselves.
If you must stay updated on your favorite celebs, I suggest you use a
browser that warns you when you are accessing an infected site and do
not ignore the warnings that pop up when a file is attempting to
download.
To read the full story: <http://www.cioupdate.com/research/article.php/3772261>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
---------------------------------------
Come to Security Awareness Day at MIT!: November 5, 2 - 5 PM, in
Bartos Theater (E15-070) and Lobby http://web.mit.edu/ist/topics/security/campaign2008/securityday.html