[IS&T Security-FYI] SFYI Newsletter, August 10, 2009

Monique Yeaton myeaton at MIT.EDU
Mon Aug 10 13:00:58 EDT 2009


In this issue:

1. August 2009 Security Patches
2. Twitter Knocked Offline
3. Event: SANS Institute in Providence, RI


-----------------------------------------
1. August 2009 Security Patches
-----------------------------------------

  ---- Microsoft ----

  Systems affected:

  * Microsoft Office
  * Microsoft Visual Studio
  * Windows 2000, XP, and Vista
  * Windows Server 2003 and 2008
  * Microsoft .NET Framework
  * Microsoft ISA and BizTalk Servers

As part of its monthly security bulletin release cycle, Microsoft will  
be releasing 9 updates on Tuesday, August 11, five of which are  
critical.

Read the advance notification in full here: <http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx>


  ---- Apple ----

Systems affected:

  * Apple Mac OS X versions prior to and including 10.4.11 and 10.5.7
  * Apple Mac OS X Server versions prior to and including 10.4.11 and 10.5.7

On August 5, Apple released security update 2009-003 / Mac OS X 10.5.8  
to address 18 security flaws, including seven that could be exploited  
to take control of vulnerable computers simply by manipulating users  
into viewing maliciously constructed images.  The flaws arise from  
uninitialized memory and pointer issues, and heap, stack, and integer  
overflow errors. The update also fixes code execution flaws in the  
operating system's kernel, login window and other components.

The update can be downloaded here: <http://support.apple.com/downloads/> or from Software Update.

Systems affected:

* iPhone 1.0 through 3.0

Apple also released an update for the iPhone on the last day of July.  
The update fixes a critical security vulnerability involving the Short  
Message Service (SMS). Users of all iPhone versions (original, 3G and  
3GS) are urged to update their phones as soon as possible to iPhone OS  
3.0.1.

For instructions visit this page <http://www.apple.com/iphone/softwareupdate/> and click on the "Updating is easy. Learn how" link.


  ---- Mozilla ----

On August 3, Mozilla issued update 3.5.2 for Firefox to address a  
number of critical security flaws.  One of the vulnerabilities allows  
attackers to spoof SSL certificates. Other vulnerabilities addressed  
in the update include a memory corruption flaw, a heap overflow flaw  
and a privilege escalation flaw.  The SSL flaw also affects Mozilla's  
Thunderbird, SeaMonkey and NSS products; fixes for those products are  
likely to be available soon.

Users who have already upgraded to Firefox 3.5 are urged to upgrade to  
Firefox 3.5.2 as soon as possible. Both the release notes and the  
update can be found here: <http://www.mozilla.com/en-US/firefox/3.5.2/releasenotes/>.


---------------------------------
2. Twitter Knocked Offline
---------------------------------

Twitter is recovering from a distributed denial-of-service (DDoS) attack  
that occurred last Thursday.  The micro-blogging service was knocked  
offline for several hours.  At the time Twitter's status page read "As  
we recover [from the DDoS], users will experience some longer load  
times and slowness. This includes timeouts to API clients.  We're  
working to get back to 100% as quickly as we can." Facebook suffered  
problems from an apparent DDoS as well.

A denial-of-service occurs when a web server is overwhelmed with more  
requests than it can handle.  While most security experts dismiss DDoS  
attacks as just background noise on the internet, they can still be  
part of more insidious attacks, according to Tom Byrnes of ThreatStop,  
a network security company.
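A request flood of the kind described above shows up in ordinary web server access logs as one source sending far more requests in a short window than any real visitor would. The script below is an added example written for this newsletter item, not code from Twitter, Facebook, ThreatStop or Wired; it parses common-log-format lines and flags any client that exceeds a per-window request budget. The log lines, the IP addresses, the window size and the threshold are all constructed for the example.

```python
"""Rate-based request-flood detection over web server access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format": ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a valid log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def find_flooders(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_count} for every client that exceeded max_requests
    within any window_seconds-long window. Lines are read in log order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash on them
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def sample_log():
    """Constructed access log: one normal visitor and one source flooding an
    expensive search endpoint. Both addresses are documentation/example ranges."""
    base = datetime(2009, 8, 6, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Normal browsing: five page views spread over a minute.
    for i in range(5):
        t = base + timedelta(seconds=12 * i)
        lines.append(f'10.0.0.5 - - [{t.strftime(TS_FMT)}] "GET /home HTTP/1.1" 200 5120')
    # Flood: thirty processor-intensive search requests in about six seconds.
    for i in range(30):
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f'203.0.113.7 - - [{t.strftime(TS_FMT)}] "GET /search?q=x HTTP/1.1" 200 8192')
    lines.append("malformed line that should be ignored")
    return lines


if __name__ == "__main__":
    for ip, peak in find_flooders(sample_log()).items():
        print(f"{ip}: {peak} requests inside a 10s window")
```

The threshold and window are deliberately simple; in practice the budget is tuned per endpoint, since a search page costs the server far more than a static asset, and a distributed flood from tens of thousands of hosts will stay under any per-source limit and has to be caught on aggregate request rate instead.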

According to Wired Magazine, the ongoing attacks on Facebook and  
Twitter likely involve tens of thousands of compromised computers  
under the control of a single person or organization. The attack would  
involve asking the sites to serve up a page of search results, or some  
other processor-intensive request.

CNET says this attack is both personal and political, involving the  
continuing Russia/Georgia conflict. On Friday, a Georgian economics  
professor who is an activist blogger with a number of sites said he  
was the intended target. He blamed the attack on the Russian  
government, which he says is trying to stifle his criticism of  
Russia's conduct in its war with Georgia.

Read the full story here: <http://www.wired.com/epicenter/2009/08/twitter-apparently-down/>


-----------------------------------------------------
3. Event: SANS Institute in Providence, RI
-----------------------------------------------------

Paul Asadoorian of Pauldotcom will teach Developer 542:  Web  
Application Penetration Testing and Ethical Hacking.  For complete  
course information and to register, visit <http://www.sans.org/info/46903>.

When: Monday, October 5 - Saturday, October 10 (6 Day Course)
Where: Brown University, Providence RI
How Much: $3345 (Register by August 26 and save $350 on the tuition  
fee.)

Course description:
In this intermediate to advanced level class, you'll learn the art of  
exploiting Web applications so you can find flaws in your enterprise's  
Web apps before the bad guys do. Through detailed, hands-on exercises  
and training from a seasoned professional, Paul Asadoorian, you will  
be taught the four-step process for Web application penetration testing.

You will inject SQL into back-end databases, learning how attackers  
exfiltrate sensitive data. You will utilize Cross-Site Scripting  
attacks to dominate a target infrastructure in our unique hands-on  
laboratory environment.  And you will explore various other Web app  
vulnerabilities in depth with tried-and-true techniques for finding  
them using a structured testing regimen. You will learn the tools and  
methods of the attacker, so that you can be a powerful defender.

========================================================================

Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security
