[IS&T Security-FYI] SFYI Newsletter, June 10, 2014

Monique Buchanan myeaton at MIT.EDU
Tue Jun 10 11:41:37 EDT 2014


In this issue:

1. Microsoft Security Updates for June 2014
2. Another Critical Flaw in OpenSSL Fixed
3. Securely Disposing of Mobile Devices


-----------------------------------------------------------
1. Microsoft Security Updates for June 2014
-----------------------------------------------------------

This week on Tuesday, June 10, Microsoft is releasing seven new security bulletins<https://technet.microsoft.com/library/security/ms14-jun>. Two of the bulletins are rated critical.

Microsoft systems that will be affected:

  *   Microsoft Windows (all current operating systems and servers)
  *   Internet Explorer (all supported versions)
  *   Microsoft Office (2007, 2010)
  *   Microsoft Lync Server

The critical patch for Internet Explorer addresses a zero-day flaw reported in May that targets IE 8<http://threatpost.com/microsoft-working-on-patch-for-ie-8-zero-day/106247>, but will be released as a cumulative patch, addressing flaws in all supported versions of IE.

The second critical patch is for Microsoft Office and Microsoft Lync, the company’s messaging and video conferencing application. The vulnerability is rated critical for Lync 2013 and 2010, as well as Live Meeting 2007 Console; it is rated important for Microsoft Office 2010 and Office 2007.

MIT WAUS<http://ist.mit.edu/waus> subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment.

This month’s bulletins do not include updates for Windows XP or Office 2003, as both are now retired and unsupported.


--------------------------------------------------------
2. Another Critical Flaw in OpenSSL Fixed
--------------------------------------------------------

The OpenSSL Project has released an update<https://isc.sans.edu/forums/diary/Critical+OpenSSL+Patch+Available+Patch+Now+/18211> to address new vulnerabilities. The most serious of the bunch could be exploited in a man-in-the-middle (MitM) attack or to run arbitrary code. The disclosure of the Heartbleed vulnerability in the OpenSSL cryptographic library a few weeks ago drew attention to the lack of support for the widely used open source software.

Experts do not believe this new flaw is as threatening as the Heartbleed bug. The vulnerability, CVE-2014-0224, is considered dangerous because it enables an attacker to decrypt and modify traffic between SSL/TLS clients and servers in a MitM attack. To exploit the bug, both the server and the client must be running vulnerable versions of OpenSSL.

Read the full story online<http://www.scmagazine.com/seven-vulnerabilities-addressed-in-openssl-update-one-enables-mitm-attack/article/351323/>.


------------------------------------------------------
3. Securely Disposing of Mobile Devices
------------------------------------------------------

The June issue of OUCH!, led by Guest Editor Chris Crowley, discusses how to securely dispose of your mobile device. Most people do not realize just how much sensitive and personal information they have on their mobile device. If you are not careful about how you dispose of your older mobile devices, almost anyone can access that information.

Download the June issue of OUCH! (pdf)<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201406_en.pdf> and please feel free to share with colleagues.

Additional information about secure disposal and sanitizing data on old equipment<http://kb.mit.edu/confluence/display/istcontrib/Removing+Sensitive+Data> can be found in the Knowledge Base.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================

Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715


