[IS&T Security-FYI] SFYI Newsletter, November 18, 2014

Tue Nov 18 19:01:39 EST 2014

In this issue:

1. Recent Critical Vulnerability Alerts from Microsoft
2. Adobe Issues Updates for Flash Player and AIR
3. Ready for Cyber Monday?

---------------------------------------------------------------------
1. Recent Critical Vulnerability Alerts from Microsoft
---------------------------------------------------------------------

Last week on Patch Tuesday, four critical vulnerabilities were disclosed and addressed by Microsoft in Security Bulletins MS14-064<https://technet.microsoft.com/library/security/MS14-064>, MS14-065<https://technet.microsoft.com/en-us/library/security/ms14-065.aspx>, MS14-066<https://technet.microsoft.com/library/security/MS14-066> and MS14-067<https://technet.microsoft.com/en-us/library/security/ms14-067.aspx>.

Let’s follow up on two of the more severe of these:

MS14-064: Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability

This bulletin refers to two vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS14-066: Microsoft Secure Channel (Schannel) Vulnerability

A critical vulnerability in all supported Microsoft Windows systems could allow a remote attacker to execute arbitrary code (download malware) via specially crafted network traffic. Schannel<http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123%28v=vs.85%29.aspx> is a security package that provides SSL and TLS on Microsoft Windows platforms. In order to exploit the vulnerability, an attacker would need to control a malicious Web page with exploit code and have users visit it. According to Microsoft’s bulletin there are no known mitigations or workarounds, but the patch released last week addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets. Johannes Ullrich of the SANS Institute recommends to patch as soon as possible: “My guess is that you probably have about a week, maybe less, to patch your systems before an exploit is released.”

Solution:
Be sure to install the updates released last week by Microsoft on your Windows computer. Managed Windows machines and subscribers of MIT WAUS have received the patches already. You may be required to restart your computer after the installation.

Both vulnerabilities are explained in more detail in this news article<http://www.scmagazine.com/microsoft-experts-urge-users-to-patch-two-critical-bugs/article/382963/>.

-------------------------------------------------------------------
2. Adobe Issues Updates for Flash Player and AIR
-------------------------------------------------------------------

Adobe has released updates for its Flash player and AIR<http://helpx.adobe.com/security/products/flash-player/apsb14-24.html> to address 18 security flaws. Updates are available for Windows, Mac, and Linux. The Most current version of Flash is now 15.0.0.223; the most current version of AIR for Windows, Mac, and Android is now 15.0.0.356. Windows users who run browsers other than Internet Explorer (IE) may need to updates twice: once for IE and once for the other browser.

Read the full story in the news<http://www.scmagazine.com/flash-and-air-updates-available-after-adobe-addresses-18-vulnerabilities/article/382958/>.

---------------------------------------
3. Ready for Cyber Monday?
---------------------------------------

Cyber Monday is the Monday after Black Friday and refers to the marketing efforts by companies to persuade their customers to shop online. This year Cyber Monday falls on December 1. It usually becomes the biggest online shopping day of the year.

Ways you can protect yourself during Cyber Monday:

  1.  Shop using a credit card, rather than a debit card to protect yourself from fraud.
  2.  Use strong passwords and a password manager, either by storing the passwords somewhere safe in your home or putting them into an electronic password manager, such as LastPass or OnePass.
  3.  Shop on trustworthy sites.
  4.  Make sure your computer has a secure firewall, the most recent updates installed, and is running anti-virus software.
  5.  Don’t respond to emails or phone calls that seem “phishy,” often claiming an issue with your account or offering a deal that sounds too good to be true.
  6.  Make sure that when you make your online purchase, the web address begins with “https” and shows a lock symbol with the URL.

Additional tips can be found in this IS&T news article<http://ist.mit.edu/news/shop_safe_online>.

=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================

Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20141119/77782682/attachment.htm