[IS&T Security-FYI] SFYI Newsletter, October 17, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Oct 17 12:52:25 EDT 2008


In this issue:

1. October 2008 Security Updates
2. Clickjacking: The New Browser Exploit
3. Dangerous Celebrities in Cyberspace


-------------------------------------------
1. October 2008 Security Updates
-------------------------------------------

Microsoft and Apple have both released security updates this month.  
Below is a list of items affected:

-----Microsoft-----

  * Microsoft Windows
  * Microsoft Internet Explorer
  * Microsoft Office

Microsoft released 11 security updates on October 14. They include 4  
critical and 6 important updates and address various vulnerabilities a  
remote, unauthenticated attacker could use to execute arbitrary code  
or cause a vulnerable system to crash. Apply the updates from  
Microsoft via MIT WAUS or Microsoft Software Update.

For more information about these updates see:
<http://www.microsoft.com/technet/security/bulletin/MS08-Oct.mspx>

-----Apple-----

  * Mac OS X 10.4.11
  * Mac OS X 10.5.5

Apple released Security Update 2008-007 to address various  
vulnerabilities in the operating system and supported software. Bugs  
were found in items such as Apache, Certificates, Finder, and PHP. The  
updates can be obtained through Software Update or from the Apple  
Downloads page.

For more information about these updates see:
<http://support.apple.com/kb/HT1222?viewlocale=en_US>


---------------------------------------------------
2. Clickjacking: The New Browser Exploit
---------------------------------------------------

You may have heard this term bounced around recently. So what is it?  
"Clickjacking gives an attacker the ability to trick a user into  
clicking on something only barely or momentarily noticeable.  
Therefore, if a user clicks on a Web page, they may actually be  
clicking on content from another page," according to Jeremiah Grossman  
of WhiteHat Security.

More details can be found at Grossman's blog. As he points out, this  
vulnerability can be used to eavesdrop on people's conversations using  
their PC microphones, which could have ramifications for industrial  
espionage and national security.

Clickjacking encompasses a range of attack techniques and affects a  
variety of browsers and plug-ins like Adobe Flash Player. Adobe issued  
a security advisory that describes a way to mitigate the risk faced by  
those with Adobe Flash Player installed -- almost everyone online. The  
advisory applies to Adobe Flash Player 9.0 and earlier.

Adobe recommends setting the "Always deny" button in the Global  
Privacy Settings panel of the Adobe Flash Player settings. The company  
is also working on an update to its Flash Player software that will  
address the vulnerability.

How to defend against clickjacking? "Put tape over your camera,  
disable your microphone, install NoScript, and/or disable your  
plug-ins," advises Grossman, even as he concedes few users will be  
willing to lose access to YouTube and Flash games as a result.

To read the full story: <http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=210800544>

Grossman's blog: <http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html>


--------------------------------------------------
3. Dangerous Celebrities in Cyberspace
--------------------------------------------------

McAfee, the company that produces the VirusScan software supported by  
MIT, released a report this year on which celebrities are the most  
dangerous to search for on the Internet.

Brad Pitt, Justin Timberlake, Beyonce, and Heidi Montag top the  
current list. Checking in on your famous friends is not only a guilty  
pleasure, but seriously dangerous for your PC. Fans searching for  
"Brad Pitt," "Brad Pitt downloads," and Brad Pitt wallpaper, screen  
savers and pictures have an 18% chance of having their PCs infected  
with online threats, such as spyware, spam, phishing, adware, viruses  
and other malware.

Cybercriminals are using A-listers' names and images to lure Internet  
users who surf the Web for the latest gossip, screen savers and  
ringtones to "fake" Web sites that look legitimate. By tapping into  
Americans' obsession with following celebrities' lifestyles,  
cybercriminals can trick consumers into infecting themselves.

If you must stay updated on your favorite celebs, I suggest you use a  
browser that warns you when you are accessing an infected site and do  
not ignore the warnings that pop up when a file is attempting to  
download.

To read the full story: <http://www.cioupdate.com/research/article.php/3772261>

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Come to Security Awareness Day at MIT!: November 5, 2 - 5 PM, in  
Bartos Theater (E15-070) and Lobby http://web.mit.edu/ist/topics/security/campaign2008/securityday.html