[IS&T Security-FYI] SFYI Newsletter, October 1, 2012

Monique Yeaton myeaton at MIT.EDU
Mon Oct 1 15:06:14 EDT 2012


In this issue:


1. Internet Explorer Patched by Microsoft

2. National Cybersecurity Awareness Month Events

3. Unpatched Vulnerabilities in Java Plug-In and Adobe Certificate



-------------------------------------------------------

1. Internet Explorer Patched by Microsoft

-------------------------------------------------------


If you use Internet Explorer and haven't yet applied the patch that was released by Microsoft just over a week ago, you will want to do so now. Critical patch MS12-063<http://technet.microsoft.com/en-us/security/Bulletin/MS12-063> applies to Internet Explorer versions 6 through 9. It does not affect Internet Explorer 10.


The vulnerability was discovered mid-September, and could allow the installation of a backdoor Trojan when visiting compromised websites.


Microsoft released the patch on September 21. It is recommended to run Windows Update as soon as possible to apply patch MS12-063.



--------------------------------------------------------------------

2. National Cybersecurity Awareness Month Events

--------------------------------------------------------------------


This month (National Cybersecurity Awareness Month, or NCSAM) you can increase cybersecurity awareness by attending events or participating in some of the activities being sponsored by Educause:


  *   October 4 National Cybersecurity Kickoff Webinar. Registration is free<http://www.educause.edu/events/educause-live-security-awareness-and-communication-c-suite>, and you can register online to attend on your own from your workstation. Or just join us in E17 in the Learning Center, on October 4 at 1 p.m., with the option to stay afterwards for a brief discussion on the topic. The webinar is presented by Dave Cullinane, CISO at eBay (retired) and co-founder of the Cloud Security Alliance, and will discuss challenges such as cloud security, privacy, compliance, BYOD, enterprise risk management and other issues currently faced by campuses.
  *   Student Video & Poster Contest - Educause in partnership with Internet2 Higher Education Information Security Council (HEISC) is conducting a contest in search of short information security awareness videos and posters developed by college students for college students. The deadline for submission is March 8, 2012. Winners receive cash prizes and their video or poster will be featured on the HEISC website. Details of this contest can be found on the Educause website<http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-initiative/community-engagement/information-security-awareness->.


In the meantime, know that cybercrime is not a laughing matter, but here's a pretty humorous video about cyber criminals<http://www.youtube.com/watch?feature=player_embedded&v=9nEwX7BUYdY>.


Have any ideas for how to increase awareness in your area? Let me know by writing to me directly (myeaton at mit.edu). Otherwise, check out the NCSAM resource kit<https://wiki.internet2.edu/confluence/display/itsg2/NCSAM+Resource+Kit> for ideas on how to plan for the month.



----------------------------------------------------------------------------------------

3. Unpatched Vulnerabilities in Java Plug-In and Adobe Certificate

----------------------------------------------------------------------------------------


An unpatched vulnerability has been spotted<http://www.informationweek.com/security/application-security/java-vulnerability-affects-1-billion-plu/240007985> in all versions of Java. A security researcher from Security Explorations announced the bug discovery last Tuesday. He claims the impact of the issue is critical and was able to successfully exploit it. An attacker could use the exploit to run arbitrary code and remotely compromise a vulnerable system. If you have a Java plug-in for your browser, you are vulnerable. See these steps on how to unplug Java from a browser<http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/>. Note that you may not be able to view websites properly with JavaScript disabled.


In other news, Adobe says it will revoke a code signing certificate<http://news.cnet.com/8301-1009_3-57521794-83/adobe-to-revoke-code-signing-certificate/> after discovering malware that was digitally signed by the certificate. Adobe is currently investigating what appears to be inappropriate use of an Adobe code signing certificate for Windows. A Microsoft spokeswoman stated: "Microsoft will take the appropriate action to help protect its customers," and said people should contact Adobe for more information. According to Adobe, the vast majority of Adobe software for Windows will not be affected. The revocation of the certificate affects the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh. More information on the impact, and what to do, can be found on the Adobe support page<http://helpx.adobe.com/x-productkb/global/certificate-updates.html>.



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================



Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

