[IS&T Security-FYI] SFYI Newsletter, May 10, 2010
Monique Yeaton
myeaton at MIT.EDU
Mon May 10 13:24:30 EDT 2010
In this issue:
1. Microsoft Security Updates
2. Vulnerability in Microsoft SharePoint
3. Facebook Fixes Latest Privacy Setting Bug
-------------------------------------
1. Microsoft Security Updates
-------------------------------------
On Tuesday, May 11, Microsoft intends to release two new security
bulletins for the month, both of which are marked as critical.
Systems affected:
Windows 2000, XP, Vista and 7
Windows Server 2003, 2008, 2008 R2
Office XP, Office 2003, 2007
Visual Basic for Applications
Read the full bulletin:
<http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx>
-------------------------------------------------
2. Vulnerability in Microsoft SharePoint
-------------------------------------------------
Microsoft is investigating new reports of a zero-day vulnerability in
Microsoft Windows SharePoint Services 3.0 and Microsoft Office
SharePoint Server 2007. This vulnerability could allow an attacker to
run arbitrary script that could result in elevation of privilege
within the SharePoint site, as opposed to elevation of privilege
within the workstation or server environment. Criminals could use the
flaw to steal companies' confidential information.
Microsoft has not released a fix for this vulnerability and suggests a
workaround in the advisory. Microsoft also recommends that
administrators run Internet Explorer 8, which includes a cross-site
scripting filter that can reduce the exploit risk.
Read the full security advisory:
<http://www.microsoft.com/technet/security/advisory/983438.mspx>
The story in the news:
<http://www.computerworld.com/s/article/9176174/Microsoft_issues_work_around_advice_for_SharePoint_zero_day>
---------------------------------------------------------
3. Facebook Fixes Latest Privacy Setting Bug
---------------------------------------------------------
Here's an ironic twist: a Facebook security setting that allows you to
see how your friends view your profile information (the 'preview my
profile' feature) allowed people, for a limited time, to see their
friends' chats and pending friend requests. Facebook temporarily
removed the chat feature while it quickly fixed the flaw.
The story in the news:
<http://eu.techcrunch.com/2010/05/05/video-major-facebook-security-hole-lets-you-view-your-friends-live-chats/>
<http://news.cnet.com/8301-13577_3-20004213-36.html>
Facebook has been criticized heavily lately for exposing more and more
of the private details of its 400 million or so users. For example,
the company came under fire for making profile data public by default
and for sharing even more data with third-party partners.
Some of my readers have asked about security advice for using social
media sites. The answer I give is based on common sense behavior,
rather than involving technical safeguards. It is safe for users of
Facebook and other social media sites to assume that whatever they
post online will not be 100% private and that if they don't want
certain information out there for anyone to see, they should not post
it.
Software and website flaws, exploits, and people who will find ways to
use them to steal published information (or 'friends' who turn out not
to be true friends) will always exist. Users should play it safe and
keep truly private information off the Internet.
Responses in the news to Facebook's privacy policies:
<http://news.cnet.com/8301-13577_3-20003928-36.html>
<http://www.eff.org/deeplinks/2010/04/facebook-timeline>
Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security