[IS&T Security-FYI] SFYI Newsletter, October 17, 2011

Monique Yeaton myeaton at MIT.EDU
Mon Oct 17 15:07:40 EDT 2011


In this issue:


1. Apple Security Updates

2. Microsoft Security Updates for October 2011

3. Security Awareness: An Attitude Adjustment



---------------------------------

1. Apple Security Updates

---------------------------------


Apple released a massive security update (2011-006) on October 13 to address more than 70 vulnerabilities in the following operating systems:


 *   Mac OS X 10.6.8
 *   Mac OS X Server 10.6.8
 *   Mac OS X 10.7, 10.7.1
 *   Mac OS X Server 10.7, 10.7.1


A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.


Two security issues were patched in the Mac OS X kernel, one in CoreStorage, two in CoreMedia, while others were in CoreProcesses, CoreFoundation, CFNetwork, and even the application firewall.


According to an article on ComputerWorld.com, installation errors have occurred with this update in some instances:


"Apple OS X Security Update makes MacBook kernel panic at boot," warned security researcher Dragos Ruiu on Twitter. He later confirmed that other users have experienced similar problems, particularly on systems with Lion/Snow Leopard dual-boot configurations. "If you have two or more OS partitions on [MacBook Pro] it breaks," the security expert said.


Graham Cluley, a senior technology consultant at Mac OS antivirus provider Sophos, couldn't confirm the Mac OS X boot issues, but advised users to postpone updating if they believe they might be affected.


"My advice would be to contact Apple technical support - and see if they have a resolution for the problem. If you suspect you may be impacted by the issue it may be wise to hold off installing the security update until Apple has confirmed if it has fixed it," Cluley said.


Read the full article:  < http://www.computerworld.com/s/article/9220826/Mac_OS_X_security_update_causes_crashes_say_experts >


Read the content of the Apple update: < http://support.apple.com/kb/HT5002 >


OTHER APPLE UPDATES:

Apple also released updates for Safari (version 5.1.1); iOS (version 5), which fixes nearly 100 security flaws; and Mac OS X 10.7.2, which fixes security issues and introduces iCloud.


Read about the iOS update:

< http://www.h-online.com/security/news/item/Apple-s-iOS-5-update-closes-almost-100-security-holes-1360528.html >


Read about the Safari 5.1.1 and Mac OS X 10.7.2 updates:

< http://www.h-online.com/security/news/item/Apple-releases-Mac-OS-X-10-7-2-and-Safari-5-1-1-1360457.html >



------------------------------------------------------------

2. Microsoft Security Updates for October 2011

------------------------------------------------------------


Also last week, on October 11, Microsoft released its monthly security patches, two of which are rated critical and six rated important. The patches fix 23 vulnerabilities in the following systems:


 *   Microsoft Windows
 *   .NET Framework
 *   Silverlight
 *   Internet Explorer
 *   Forefront Unified Access Gateway
 *   Host Integration Server


The patches have been approved for deployment via MIT WAUS.


Read the content of the Microsoft bulletin: < http://technet.microsoft.com/en-us/security/bulletin/ms11-oct >



-----------------------------------------------------------

3. Security Awareness: An Attitude Adjustment

-----------------------------------------------------------


Michael Santarcangelo, a renowned advocate of awareness initiatives, eloquently defines security awareness as “an individual’s realization of the consequences of their actions, viewed in the context of intention and impact.”


There are generally two views on security awareness in IT organizations: it is either a waste of time or an invaluable tool for mitigating risk.


In a recent article on TechRepublic.com, Dominic Vogel points out that if security awareness is going to work, security pros need an attitude adjustment in how they approach security awareness in their organizations. He suggests the following adjustments:


 1.  Dropping the stance that it is them (the users) against us (the IT professionals). We are all in this together. Remembering that we are all "one" organization can dismantle the dividing factors and make us stronger as a result.
 2.  Losing the disheartening mentality that security will never be where it needs to be because of a few people who always fall prey to scams and other cyber tricks. Instead of focussing on what can't be accomplished, look at what we can do to lower the collective risks to IT.
 3.  Making the information relevant, engaging and relatable. Rather than talking about the "do's and don'ts" when it comes to using a computer, help people comprehend the connection between the actions they take online and the potential negative impact and consequences that can result. Make it relatable through engaging stories and discussions that help develop a more thoughtful method of using computers.


If you are engaged in security awareness, remember to treat your fellow workers with the respect they deserve. They are more than capable of being safe and secure online.


Read the full article: < http://www.techrepublic.com/blog/security/transform-your-security-awareness-programs-focus-on-people-and-risk-management/6690 >



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================


Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

