[IS&T Security-FYI] SFYI Newsletter, February 14, 2011

Monique Yeaton myeaton at MIT.EDU
Mon Feb 14 12:43:12 EST 2011


In this issue:


1. Adobe Fixes 42 Flaws in Reader and Flash

2. Security Update for Chrome 9

3. Facebook Goes to HTTPS

4. The Gawker Hack and Lessons Learned



----------------------------------------------------------

1. Adobe Fixes 42 Flaws in Reader and Flash

----------------------------------------------------------


Adobe's quarterly security update includes fixes for 29 flaws in Reader and 13 in Flash.  The release is the first update for Reader X, the current version of the PDF reader, whose Windows build runs the document-rendering code in a sandbox to limit what an exploited flaw can do to the user's system.


In computer security, a sandbox is a mechanism for separating running programs. It is often used to execute untested code or untrusted programs from unverified third parties, suppliers and untrusted users (Source: Wikipedia). A sandboxed Reader still has to be patched, though: the sandbox contains an exploit, it does not remove the bug.


Most of the flaws in Reader are rated critical and two could allow cross-site scripting (XSS) attacks.  The updates bring Reader to versions 8.2.6, 9.4.2 and 10.0.1 for Windows and Mac OS X.  An update for Linux is expected to be available on February 28.  Flash is now at version 10.2.152.26 for Windows, Mac OS X, Linux and Solaris.


Users can download the recent versions from <http://www.adobe.com/downloads> or through the software update tools in Reader or Flash.


Read the Adobe security bulletin: <http://www.adobe.com/support/security/bulletins/apsb11-03.html>


Learn about Adobe's Security Sandboxing feature:

<http://blogs.adobe.com/accessibility/2010/11/reader-x-accessibility-and-security-sandboxing.html>



-----------------------------------------

2. Security Update for Chrome 9

-----------------------------------------


Google has issued a security update for version 9 of its Chrome browser just days after Chrome 9 was released in its stable version.  The fix addresses five vulnerabilities, three of which are rated high priority. Chrome 9.0.597.94 also includes an updated version of Adobe Flash.


Download the most recent version for Windows, Mac OS X and Linux at <http://www.google.com/chrome>. Users who already have Chrome installed can use the built-in update function.


Read the story in the news:

<http://www.h-online.com/security/news/item/Google-releases-Chrome-9-security-update-1186749.html>



-------------------------------------

3. Facebook Goes to HTTPS

-------------------------------------


Facebook is getting a little more serious about security after the CEO's fan page got hacked. Facebook wrote on their blog that they are rolling out the option for users to access Facebook over an encrypted HTTPS (SSL/TLS) connection for the whole session, not just the login page. According to the blog article, users need to go to their account settings and choose "secure browsing" from the account security section of the page.


This change is being rolled out over the next few weeks, so not everyone will see the new option right away. The blog post does warn that browsing may be slower (the encryption adds overhead) and that not all third-party applications work over HTTPS yet. Until you turn the option on, anyone on the same open wireless network can read your Facebook session traffic in the clear, which is exactly what the setting is meant to prevent.


Read the full story in the news:

<http://news.cnet.com/8301-13880_3-20030725-68.html>


-------------------------------------------------------

4. The Gawker Hack and Lessons Learned

-------------------------------------------------------


The December 2010 Gawker Media hack succeeded in part because of weak passwords. The stolen passwords were reportedly stored as hashes rather than in plain text. Hashing protects a stored password by keeping only a one-way digest of it, so someone who reads the database does not see the password itself; it is not what protects a password in transit (that is the job of an HTTPS connection, as in item 3 above). But a hash does not stop an attacker who holds a copy of the database from guessing offline: a cracking tool hashes candidate passwords at very high speed and looks for matching digests, with no account lockout or rate limit to slow it down. A short password (8 or 9 characters) or one built on a dictionary word, even with a capital letter or a year tacked on, is recovered this way in seconds.
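To make the offline attack concrete, here is an added example written for this newsletter item; it is not code from Gawker or from the linked articles. It builds a constructed table of three made-up accounts, hashes their passwords with unsalted SHA-1 the way a careless site might, and runs a small dictionary-with-rules and brute-force cracker against it. It then stores the same passwords with per-user salts under PBKDF2 and shows how the attacker's work changes. The user names, passwords, wordlist and hash choices are all assumptions for illustration, and the PBKDF2 iteration count is kept deliberately low so the demo finishes in seconds.

```python
"""Added example for this newsletter item (not code from Gawker or from the
linked articles): a hashed password table still falls to offline guessing,
and per-user salts plus a slow KDF change the attacker's cost.

All names, passwords, the wordlist and the hash choices below are assumptions
constructed for illustration.
"""
import hashlib
import hmac
import itertools
import os
import string

# Constructed accounts.  Two use a dictionary word with typical decorations,
# one is short and lowercase; none is what a site's real users chose.
DEMO_PASSWORDS = {
    "alice": "password1",   # dictionary word + digit
    "bob":   "Dragon2010",  # capitalised word + year
    "carol": "qzpm",        # four random lowercase letters
}

# Tiny stand-in for a cracking wordlist.
WORDLIST = ["password", "letmein", "dragon", "monkey", "football"]

# Deliberately low so the demo finishes in seconds; production deployments
# use a far higher count, which multiplies the attacker's cost per guess.
DEMO_ITERATIONS = 1_000


def sha1_unsalted(password, salt=None):
    """The weak scheme: one fast digest of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_salted(password, salt, iterations=DEMO_ITERATIONS):
    """The stronger scheme: per-user salt and a deliberately slow derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_records(passwords, hash_fn, salted):
    """Build the credential table the way the site would store it."""
    records = {}
    for user, pw in passwords.items():
        salt = os.urandom(16) if salted else None
        records[user] = (salt, hash_fn(pw, salt))
    return records


def verify_pbkdf2(password, salt, stored, iterations=DEMO_ITERATIONS):
    """Login check for the salted scheme, using a constant-time comparison."""
    return hmac.compare_digest(pbkdf2_salted(password, salt, iterations), stored)


def mangle(word):
    """Cracker 'rules': case variants, then an appended digit or year."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for d in range(10):
            yield f"{base}{d}"
        for year in range(1990, 2012):
            yield f"{base}{year}"


def candidates(max_brute_len):
    """Dictionary with rules first, then every lowercase string up to a length."""
    for word in WORDLIST:
        yield from mangle(word)
    for n in range(1, max_brute_len + 1):
        for letters in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(letters)


def crack(records, hash_fn, max_brute_len):
    """Offline attack against records of {user: (salt, digest)}.

    Returns (found, hash_invocations).  Rows sharing a salt (or having none)
    are attacked together: each guess is hashed once and looked up against
    all of them.  Distinct salts force a separate hash per row, and that
    per-row cost is what a slow KDF then multiplies.
    """
    by_salt = {}
    for user, (salt, digest) in records.items():
        by_salt.setdefault(salt, {})[digest] = user
    found, work = {}, 0
    for guess in candidates(max_brute_len):
        for salt, targets in by_salt.items():
            if all(u in found for u in targets.values()):
                continue  # every row under this salt is already cracked
            work += 1
            digest = hash_fn(guess, salt)
            if digest in targets:
                found[targets[digest]] = guess
        if len(found) == len(records):
            break
    return found, work


if __name__ == "__main__":
    weak = make_records(DEMO_PASSWORDS, sha1_unsalted, salted=False)
    found, work = crack(weak, sha1_unsalted, max_brute_len=4)
    print(f"unsalted SHA-1: cracked {found} with {work} hash calls")

    strong = make_records(DEMO_PASSWORDS, pbkdf2_salted, salted=True)
    found, work = crack(strong, pbkdf2_salted, max_brute_len=2)
    print(f"salted PBKDF2:  cracked {found} with {work} KDF calls "
          f"(each {DEMO_ITERATIONS} iterations)")
```

Against the unsalted table the cracker recovers all three passwords, the two dictionary-based ones within the first few hundred guesses and the four-letter one after a few hundred thousand cheap SHA-1 calls. Against the salted PBKDF2 table it still finds the dictionary-based passwords quickly, because salt and iteration count do nothing for a guessable password, but every guess now costs one full derivation per user instead of one hash for the whole table, so the short random password is no longer reached within the demo's budget. Real cracking tools apply the same idea with far larger wordlists, richer rules and GPU hardware; the defender's levers are the per-guess cost (a slow KDF with a high iteration count) and, on the user's side, a password that is not in anyone's wordlist.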


Is your password strong enough to survive an offline cracking attempt? Find out how to create a strong password by applying the tips in this Hermes article: <http://kb.mit.edu/confluence/x/3wNt>


Read the Gawker Media hack story in the news:

<http://www.pcworld.com/article/213438/gawker_media_hack_everything_you_need_to_know.html>



========================================================================================


To read all current and archived articles online, visit the Security-FYI Blog at <http://securityfyi.wordpress.com/>




Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

The IT Security Team moved on 2/11/11: Come see us in our new location at W92-236.