[IS&T Security-FYI] SFYI Newsletter, July 14, 2014

Monique Buchanan myeaton at MIT.EDU
Mon Jul 14 15:35:29 EDT 2014


In this issue:

1. Flash Player Updates & Microsoft Security Updates
2. Microsoft Revokes Unauthorized Certs
3. The Do’s and Don’ts of Email


------------------------------------------------------------------------
1. Flash Player Updates & Microsoft Security Updates
------------------------------------------------------------------------

ADOBE
Due to recent security vulnerabilities<http://helpx.adobe.com/security/products/flash-player/apsb14-17.html#table> in Flash Player, Adobe has released version 14.0.0.145<http://helpx.adobe.com/flash-player/release-note/fp_14_air_14_release_notes.html> (11.2.202.394 for Linux) this week for all platforms. Out-of-date versions are vulnerable on all operating systems, and users are advised to update to the latest version. Additionally, because of the severity of these vulnerabilities, Apple has blocked all out-of-date Flash Player plug-ins for OS X.

From Apple: “Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 14.0.0.145 and 13.0.0.231.”

Install or check your version of Flash Player in your browser here.<http://helpx.adobe.com/flash-player.html>

For assistance, contact the Help Desk at 617.253.1101 or helpdesk at mit.edu<mailto:helpdesk at mit.edu>. You can also submit a request online<http://ist.mit.edu/help#form>.

MICROSOFT
Last week on Patch Tuesday, July 8th, Microsoft released six updates<https://technet.microsoft.com/en-us/library/security/ms14-jul.aspx> to address 29 security vulnerabilities.

Systems affected:


  *   Internet Explorer (all supported versions)
  *   Microsoft Windows (all supported versions)

There was also updated firmware for all Microsoft Surface tablets, labeled “System Firmware Update - 7/8/2014,” available via Windows Update, which addresses various hardware issues.

Read the story in the news<http://www.theregister.co.uk/2014/07/08/microsoft_swats_29_bugs_adobe_updates_flash_for_patch_tuesday/>.


-------------------------------------------------------
2. Microsoft Revokes Unauthorized Certs
-------------------------------------------------------

Microsoft has issued an emergency update to revoke 45 of the unauthorized certificates from the National Informatics Centre (NIC) of India. The update revokes trust in three intermediary certificates from NIC, so all domain certificates issued under them, including some legitimate ones, will be invalid.

"These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties," a Microsoft advisory<https://technet.microsoft.com/en-us/library/security/2982792> warned. "The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks."

The update will be automatically delivered to PCs running Windows 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, Phone 8, and Phone 8.1.

Users running Windows 7, Vista, Server 2008, and Server 2008 R2 may or may not have the automatic updater installed. See the Microsoft KB article 2677070<https://support.microsoft.com/kb/2677070> for details. Administrators can find details in the KB article 2813430<https://support.microsoft.com/kb/2813430>.

There is presently no way to revoke the certificates for Windows 2003.

Read the story in the news<http://arstechnica.com/security/2014/07/emergency-windows-update-revokes-dozens-of-bogus-google-yahoo-ssl-certificates/>.


------------------------------------------
3. The Do’s and Don’ts of Email
------------------------------------------

The July issue of OUCH!, led by Guest Editor Dr. Eric Cole, discusses how we can be our own worst enemy when using email, including accidentally emailing the wrong people, not understanding the difference between “cc” and “bcc” and the dreaded “reply all.”

Download the July issue of OUCH! (pdf)<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201407_en.pdf> and feel free to share with colleagues.

Also, what should you do about all that spam? Here’s a video<http://ist.mit.edu/news/videos/spam_quarantine> created by IS&T with some tips on how to keep unwanted emails at bay.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715


