[IS&T Security-FYI] SFYI Newsletter, August 10, 2009
Monique Yeaton
myeaton at MIT.EDU
Mon Aug 10 13:00:58 EDT 2009
In this issue:
1. August 2009 Security Patches
2. Twitter Knocked Offline
3. Event: SANS Institute in Providence, RI
-----------------------------------------
1. August 2009 Security Patches
-----------------------------------------
---- Microsoft ----
Systems affected:
* Microsoft Office
* Microsoft Visual Studio
* Windows 2000, XP, and Vista
* Windows Server 2003 and 2008
* Microsoft .NET Framework
* Microsoft ISA and BizTalk Servers
As part of its monthly security bulletin release cycle, Microsoft will
be releasing 9 updates on Tuesday, August 11, five of which are
critical.
Read the advance notification in full here: <http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx>
---- Apple ----
Systems affected:
* Apple Mac OS X versions prior to and including 10.4.11 and 10.5.7
* Apple Mac OS X Server versions prior to and including 10.4.11 and 10.5.7
On August 5, Apple released security update 2009-003 / Mac OS X 10.5.8
to address 18 security flaws, including seven that could be exploited
to take control of vulnerable computers simply by manipulating users
into viewing maliciously constructed images. The flaws arise from
uninitialized memory and pointer issues, and heap, stack, and integer
overflow errors. The update also fixes code execution flaws in the
operating system's kernel, login window and other components.
The update can be downloaded here: <http://support.apple.com/downloads/> or from Software Update.
Systems affected:
* iPhone 1.0 through 3.0
Apple also released an iPhone update on the last day of July. The
update fixes a critical security vulnerability involving the Short
Message Service (SMS). Users of all iPhone versions (original, 3G and
3GS) are urged to update their phones as soon as possible with iPhone
OS 3.0.1.
For instructions visit this page <http://www.apple.com/iphone/softwareupdate/> and click on the "Updating is easy. Learn how" link.
---- Mozilla ----
On August 3, Mozilla issued update 3.5.2 for Firefox to address a
number of critical security flaws. One of the vulnerabilities allows
attackers to spoof SSL certificates. Other vulnerabilities addressed
in the update include a memory corruption flaw, a heap overflow flaw
and a privilege escalation flaw. The SSL flaw also affects Mozilla's
Thunderbird, SeaMonkey and NSS products; fixes for those products are
likely to be available soon.
Users who have already upgraded to Firefox 3.5 are urged to upgrade to
Firefox 3.5.2 as soon as possible. Both the release notes and the
update can be found here: <http://www.mozilla.com/en-US/firefox/3.5.2/releasenotes/>.
---------------------------------
2. Twitter Knocked Offline
---------------------------------
Twitter is recovering from a distributed denial-of-service (DDoS)
attack that occurred last Thursday. The micro-blogging service was knocked
offline for several hours. At the time Twitter's status page read "As
we recover [from the DDoS], users will experience some longer load
times and slowness. This includes timeouts to API clients. We're
working to get back to 100% as quickly as we can." Facebook suffered
problems from an apparent DDoS as well.
A denial-of-service attack occurs when a web server is overwhelmed
with more requests than it can handle. While most security experts
dismiss DDoS attacks as just background noise on the internet, they
could still be part of more insidious attacks, according to Tom Byrnes
of ThreatStop, a network security company.
According to Wired Magazine, the ongoing attacks on Facebook and
Twitter likely involve tens of thousands of compromised computers
under the control of a single person or organization. The attack would
involve asking the sites to serve up a page of search results, or some
other processor-intensive request.
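The point above, that an attack of this kind spreads cheap-looking requests for expensive pages across many machines, is why per-client request counts alone miss it. The following is an added example, not code from the newsletter or from Twitter, that scores constructed web-server log lines by an assumed per-endpoint cost and reports both per-client and aggregate load per minute; the endpoint costs, thresholds, IP addresses and log lines are all made up for illustration.

```python
"""Cost-weighted load check over constructed access-log lines (added example)."""
import re
from collections import defaultdict

# Assumed relative CPU cost per endpoint prefix; search pages are the expensive ones.
ENDPOINT_COST = {"/search": 20.0, "/api/": 5.0}
DEFAULT_COST = 1.0

# Common Log Format: client, identd, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d+ \d+')

# Constructed sample: four different clients each request one search page in the
# same minute, plus one ordinary client fetching cheap pages.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Aug/2009:09:15:02 -0400] "GET /search?q=news HTTP/1.1" 200 5120
203.0.113.11 - - [06/Aug/2009:09:15:03 -0400] "GET /search?q=news HTTP/1.1" 200 5120
203.0.113.12 - - [06/Aug/2009:09:15:04 -0400] "GET /search?q=news HTTP/1.1" 200 5120
198.51.100.7 - - [06/Aug/2009:09:15:05 -0400] "GET /index.html HTTP/1.1" 200 2048
203.0.113.13 - - [06/Aug/2009:09:15:06 -0400] "GET /search?q=news HTTP/1.1" 200 5120
198.51.100.7 - - [06/Aug/2009:09:16:01 -0400] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [06/Aug/2009:09:16:02 -0400] "GET /api/timeline HTTP/1.1" 200 900
"""

def endpoint_cost(path):
    """Look up the assumed cost of a request path by prefix."""
    for prefix, cost in ENDPOINT_COST.items():
        if path.startswith(prefix):
            return cost
    return DEFAULT_COST

def parse_line(line):
    """Return (client_ip, minute_window, path) or None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, path = m.groups()
    return ip, ts[:17], path  # "06/Aug/2009:09:15" keys a one-minute window

def load_by_window(lines):
    """Sum request cost per minute, both in total and per client IP."""
    windows = defaultdict(lambda: {"total": 0.0, "per_ip": defaultdict(float)})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip junk rather than abort the whole pass
        ip, window, path = parsed
        cost = endpoint_cost(path)
        windows[window]["total"] += cost
        windows[window]["per_ip"][ip] += cost
    return windows

def flag_windows(lines, aggregate_budget=50.0, per_ip_budget=30.0):
    """Return sorted (window, who, load) tuples for any budget that is exceeded."""
    flags = []
    for window, load in sorted(load_by_window(lines).items()):
        if load["total"] > aggregate_budget:
            flags.append((window, "aggregate", load["total"]))
        flags.extend((window, ip, c) for ip, c in load["per_ip"].items() if c > per_ip_budget)
    return flags
```

On the sample, no single client exceeds the per-IP budget, yet the 09:15 window trips the aggregate budget, which is the signature of a distributed attack on an expensive endpoint.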
CNET says this attack is both personal and political, involving the
continuing Russia/Georgia conflict. On Friday, a Georgian economics
professor, who is an activist blogger and runs a number of sites, said
he was the intended target. He blamed the attack on the Russian
government, which he says is trying to stifle his criticism of
Russia's conduct in its war with Georgia.
Read the full story here: <http://www.wired.com/epicenter/2009/08/twitter-apparently-down/>
-----------------------------------------------------
3. Event: SANS Institute in Providence, RI
-----------------------------------------------------
Paul Asadoorian of Pauldotcom will teach Developer 542: Web
Application Penetration Testing and Ethical Hacking. For complete
course information and to register, visit <http://www.sans.org/info/46903>.
When: Monday, October 5 - Saturday, October 10 (6 Day Course)
Where: Brown University, Providence RI
How Much: $3345 (Register by August 26 and save $350 on the tuition
fee.)
Course description:
In this intermediate to advanced level class, you'll learn the art of
exploiting Web applications so you can find flaws in your enterprise's
Web apps before the bad guys do. Through detailed, hands-on exercises
and training from a seasoned professional, Paul Asadoorian, you will
be taught the four-step process for Web application penetration testing.
You will inject SQL into back-end databases, learning how attackers
exfiltrate sensitive data. You will utilize Cross-Site Scripting
attacks to dominate a target infrastructure in our unique hands-on
laboratory environment. And you will explore various other Web app
vulnerabilities in depth with tried-and-true techniques for finding
them using a structured testing regimen. You will learn the tools and
methods of the attacker, so that you can be a powerful defender.
========================================================================
Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security