[IS&T Security-FYI] SFYI Newsletter, January 13, 2014

Monique Yeaton myeaton at MIT.EDU
Mon Jan 13 15:31:54 EST 2014


In this issue:


1. January 2014 Security Updates from Microsoft

2. Oracle and Adobe’s First Critical Patches of 2014

3. Bugs fixed in Ubuntu

4. Target Reveals New Data on Breach



-----------------------------------------------------------------

1. January 2014 Security Updates from Microsoft

-----------------------------------------------------------------


On Tuesday, January 14, Microsoft is releasing four new security bulletins<http://technet.microsoft.com/en-us/security/bulletin/ms14-jan>. None of the bulletins are critical. Microsoft systems affected are:


  *   Office
  *   Server Software
  *   Windows
  *   Dynamics AX


It is recommended that you accept the updates. MIT WAUS subscribers will receive the updates after they have been tested for compatibility in the MIT environment. Installing the bulletins manually may require a restart.


Despite the light load, the patches do address a zero-day vulnerability in Windows XP and Windows Server 2003 that was made public in early November. Attackers were actively exploiting the flaw, which is in the ND proxy driver that manages Microsoft’s Telephony API on XP, via infected PDF attachments. The exploits only work in combination with an Adobe Reader vulnerability that has since been patched. Microsoft will end support for Windows XP in April 2014.



---------------------------------------------------------------------

2. Oracle and Adobe’s First Critical Patches of 2014

---------------------------------------------------------------------


Oracle and Adobe will release critical patches alongside Microsoft on Patch Tuesday. Expected updates:


  *   Adobe will patch<http://helpx.adobe.com/security/products/acrobat/apsb14-01.html> Reader and Acrobat for Macintosh and Windows
  *   Oracle’s quarterly patch<http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html> will fix 147 of the company’s products, including Java SE



-------------------------------

3. Bugs fixed in Ubuntu

-------------------------------


Last week a large number of security vulnerabilities were fixed in Ubuntu, including a remotely exploitable font flaw that an attacker could use to run arbitrary code on vulnerable machines. A number of Linux kernel flaws were also patched in some versions of the operating system.


Read the full story online<https://threatpost.com/linux-kernel-font-bugs-fixed-in-ubuntu/103500>.



----------------------------------------------------

4. Target Reveals New Data on Breach

----------------------------------------------------


According to the latest reports from the Target Corporation<http://pressroom.target.com/news/target-provides-update-on-data-breach-and-financial-performance>, new details from the forensic investigation show that the attackers not only stole credit and debit card information, but also names, mailing addresses, phone numbers and email addresses, impacting another 70 million individuals.


Perhaps it’s time for us to stop handing over our personal information<http://bits.blogs.nytimes.com/2014/01/10/stop-asking-me-for-my-email-address/?_r=0> to businesses, even with the assurances given that the information won’t be used and will be protected.


More about the data breach at Target is posted here<https://corporate.target.com/about/payment-card-issue.aspx>.



=======================================================================================

Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

=======================================================================================


"Distrust and caution are the parents of security" - Benjamin Franklin


Monique Yeaton
IT Security Communications Consultant
MIT Information Systems & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

