[IS&T Security-FYI] SFYI Newsletter, October 20, 2014

Monique Buchanan myeaton at mit.edu
Mon Oct 20 13:40:02 EDT 2014


In this issue:

1. SSL 3.0 Vulnerability Discovered Last Week
2. NCSAM Events at MIT This Week
3. Microsoft Security Updates for October 2014
4. Patch Issued for Drupal Vulnerable to SQL Injection


--------------------------------------------------------------
1. SSL 3.0 Vulnerability Discovered Last Week
--------------------------------------------------------------

A serious vulnerability against Secure Sockets Layer (SSL) version 3.0<http://kb.mit.edu/confluence/x/GIEwCQ> has been discovered. This comes on the heels of several other (unrelated) vulnerabilities this year, including Heartbleed in April and Shellshock in September.

SSL is one of the protocols used to secure Internet traffic from eavesdroppers. SSL 3.0 is nearly 18 years old and obsolete, but most browsers and web servers still allow its use for compatibility with legacy browsers and servers.

This attack, nicknamed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows a man-in-the-middle — such as a malicious Wi-Fi hotspot — to extract data from secure web connections (also known as HTTPS). If successful, an attacker could gain access to online accounts by hijacking session cookies and bypassing the login mechanisms protecting certain accounts.

KB Article: Learn how you can deflect this attack<http://kb.mit.edu/confluence/x/5IEwCQ>.

Read more about it in the news<http://www.techrepublic.com/article/poodle-vulnerability-hastens-the-death-of-ssl-3-0/>.
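The downgrade the attack depends on is visible in the handshake itself. As an added example (not from the newsletter or the linked KB article), this Python script parses a captured ClientHello or ServerHello record and reports whether SSL 3.0 is in play and whether the client marked the handshake as a retry with TLS_FALLBACK_SCSV (the RFC 7507 signalling suite, a mitigation not mentioned above); the sample records are constructed inline with the helper at the bottom.

```python
import struct
SSL3 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling suite a client adds on a downgraded retry

def parse_record(data):
    """Split one TLS/SSL record into (content_type, version, body)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return ctype, (major, minor), body

def parse_hello(body):
    """Parse a ClientHello (type 1) or ServerHello (type 2) into (type, version, suites)."""
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]
    pos = 2 + 32 + 1 + msg[34]  # skip version, random, session_id
    if htype == 1:              # ClientHello: length-prefixed cipher suite list
        n = struct.unpack("!H", msg[pos:pos + 2])[0]
        suites = list(struct.unpack("!%dH" % (n // 2), msg[pos + 2:pos + 2 + n]))
    elif htype == 2:            # ServerHello: the single chosen suite
        suites = [struct.unpack("!H", msg[pos:pos + 2])[0]]
    else:
        raise ValueError("not a hello message")
    return htype, (msg[0], msg[1]), suites

def assess(record):
    """What a monitor wants from a captured hello: SSL 3.0 in play? signalled fallback?"""
    ctype, _, body = parse_record(record)
    if ctype != 22:
        raise ValueError("not a handshake record")
    htype, version, suites = parse_hello(body)
    return {"message": "ClientHello" if htype == 1 else "ServerHello",
            "sslv3": version == SSL3, "fallback_scsv": TLS_FALLBACK_SCSV in suites}

def build_hello(htype, version, suites):
    """Construct a minimal hello record (empty session id, no extensions) for testing."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    if htype == 1:
        body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites) + b"\x01\x00"
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return bytes([22]) + bytes(version) + struct.pack("!H", len(hs)) + hs

# Constructed samples: a downgraded retry carrying the SCSV, and a server that accepted SSL 3.0.
DOWNGRADED_CLIENT = build_hello(1, SSL3, [0x002F, TLS_FALLBACK_SCSV])
SSL3_SERVER = build_hello(2, SSL3, [0x002F])
```

A server that honours the SCSV refuses the downgraded retry; one that answers with an SSL 3.0 ServerHello, as in the second sample, is the configuration the KB article tells you to turn off.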


------------------------------------------------
2. NCSAM Events at MIT This Week
------------------------------------------------

This week Information Systems & Technology is sponsoring two events on campus in support of National Cyber Security Awareness Month.

Thursday, Oct. 23, 12:00 - 1:30pm, in 37-252
Anonymity on the Go: The Possibilities and Problems of Tor on Mobile Devices. The speaker of this talk is Nathan Freitas, founder of the Guardian Project.
RSVP required.

Friday, Oct. 24, 10:00am - 2:00pm, in Lobby of Building 32
Shred IT! Paper as well as some electronic media will be collected and safely shredded. If you need to get rid of old hard drives, tapes, CDs or thumb drives, now is your chance.

Learn more about both of these events<http://kb.mit.edu/confluence/x/WR4YCQ>.


--------------------------------------------------------------
3. Microsoft Security Updates for October 2014
--------------------------------------------------------------

Last Tuesday, Microsoft released 8 security updates<https://technet.microsoft.com/library/security/ms14-oct> (3 critical and 5 important) to address 24 vulnerabilities in Windows, IE and Office, including a flaw in Windows and Windows Server 2008 and 2012 that is actively exploited as part of the Sandworm Team attacks<http://www.geekwire.com/2014/patches-must-flow-microsoft-fixes-vulnerability-used-sandworm-team-attacks/>. The updates include fixes for a pair of critical flaws in the Windows kernel that could be exploited to execute code.

These patches have been approved for deployment via MIT WAUS<http://ist.mit.edu/waus> (Windows Automatic Update Services).

Read the story online<http://www.zdnet.com/microsoft-updates-windows-ie-office-in-busy-patch-tuesday-7000034657/>.


------------------------------------------------------------------------
4. Patch Issued for Drupal Vulnerable to SQL Injection
------------------------------------------------------------------------

I am passing along this security alert coming from Security SIG<https://mailman.mit.edu:444/mailman/listinfo/security_sig>:

A nasty SQL injection vulnerability has been disclosed in Drupal that allows an anonymous user to execute code and manipulate and/or delete stored data. Exploits<http://www.volexity.com/blog/?p=83> are currently being used and posted.

This affects all versions of Drupal 7 prior to 7.32. It is strongly recommended that all those running Drupal 7 upgrade to core 7.32.

More information can be found here https://www.drupal.org/SA-CORE-2014-005 and here https://www.drupal.org/node/2357241.

The IS&T-managed Drupal Cloud service was patched last week.

If you know other system admins and/or departments that are responsible for running Drupal, we kindly ask that you pass this message along to them.

Read the story online<http://www.computerworld.com/article/2834650/drupal-releases-patch-for-serious-sql-injection-flaw.html>.
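To show the class of bug the alert describes, here is an added Python re-creation (not Drupal's PHP and not part of the Security SIG message) of the array-placeholder expansion pattern in Drupal 7's database layer that 7.32 corrected: the flawed version glues the caller's array keys into the SQL text, the fixed version renumbers them positionally, and a skeleton comparison shows how a wrapper can detect an expansion that changed the query's shape. The query template and keys are constructed.

```python
import re

def _expand(query, args, positional):
    """Expand ':name' => [v1, v2] into ':name_0, :name_1' (Drupal 7 style array placeholders).
    positional=False mirrors the flawed pattern: the caller's array keys land in the SQL text.
    positional=True mirrors the 7.32 fix: keys are renumbered 0..n-1 before use."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue
        items = list(data.values()) if isinstance(data, dict) else list(data)
        keys = range(len(items)) if positional or isinstance(data, list) else list(data.keys())
        new_keys = {f"{key}_{i}": v for i, v in zip(keys, items)}
        query = query.replace(key, ", ".join(new_keys))  # placeholder names enter the query
        del args[key]
        args.update(new_keys)
    return query, args

def expand_vulnerable(query, args):
    return _expand(query, args, positional=False)

def expand_fixed(query, args):
    return _expand(query, args, positional=True)

def skeleton(sql):
    """Reduce a query to its shape: every placeholder list collapses to a single '?'."""
    return re.sub(r"\?(, \?)*", "?", re.sub(r":\w+", "?", sql))

def expansion_is_safe(template, expanded):
    """True iff expansion changed nothing but placeholder names (a cheap guard for a wrapper)."""
    return skeleton(template) == skeleton(expanded)

# Constructed input: a caller that (unsafely) lets untrusted text become array keys.
TEMPLATE = "SELECT uid FROM users WHERE name IN (:name)"
UNTRUSTED_KEYS = {"harmless key text": "alice", 7: "bob"}
```

Run against the constructed input, the flawed expansion yields `IN (:name_harmless key text, :name_7)`, which the skeleton check rejects, while the fixed expansion yields `IN (:name_0, :name_1)` with the values bound separately.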


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715

