[IS&T Security-FYI] Security FYI Newsletter, May 13, 2015

Monique Buchanan myeaton at mit.edu
Wed May 13 14:01:20 EDT 2015


In this issue:

1. Cybersecurity Talent Woes
2. Microsoft Security Updates for May 2015
3. Adobe Security Updates for Reader and Acrobat
4. Vulnerabilities in Lenovo System Update


----------------------------------------
1. Cybersecurity Talent Woes
----------------------------------------

It is no secret that there is a shortage of talented cybersecurity professionals in the US. As reported in the news, the issue is worse than a skills shortage: it is a critical gap. As an article at thehill.com<http://thehill.com/blogs/congress-blog/technology/239113-cybersecurity-talent-worse-than-a-skills-shortage-its-a> states: “We don’t have the workforce needed to address the challenges before us.”

The article goes on to further sum up the concern: “There are simply an inefficient number of qualified, skilled professionals available to do what’s needed to protect organizations and consumers.”

The problem becomes clear when organizations attempt to hire cybersecurity professionals. Many applicants lack the skills the open positions require, so filling a position can take months, during which a short-staffed security team is left to safeguard data and critical infrastructure.

SANS Institute is doing its part to help professionals launch cybersecurity careers and also assist companies and organizations to obtain the talent. This resource is available for employers: https://www.sans.org/cybertalent/

This week, on May 14, SANS is also hosting the SANS CyberTalent Fair<https://app.brazenconnect.com/events/SANS-cybertalent-fair#!eventLanding;eventCode=SANS-cybertalent-fair>, a two-day, online meeting place for top cybersecurity employers and jobseekers in the US. According to the event website, “More than 209,000 cybersecurity jobs in the US are unfilled.”

MIT is hiring cybersecurity professionals to work in Information Systems & Technology. See the MIT Careers website<https://careers.mit.edu/>. Contract positions for IT Risk & Security Engineers are also available. For a job description, please contact Harry Hoffman<mailto:hhoffman at mit.edu>.


----------------------------------------------------------
2. Microsoft Security Updates for May 2015
----------------------------------------------------------

Microsoft released 13 updates on May 12th, Security Bulletins MS15-043 through MS15-055<https://technet.microsoft.com/en-us/library/security/ms15-may.aspx>, to address vulnerabilities in Microsoft Windows and other Microsoft products. Three are rated critical. The vulnerabilities could allow elevation of privilege, denial of service, remote code execution, information disclosure, or security feature bypass.

All supported Windows operating systems are affected, as well as Microsoft Silverlight, Microsoft Office, Internet Explorer, and Microsoft SharePoint Server. It has been noted that this release brings the total number of bulletins for the year to 53, the highest total through May in the past five years.

Patches are available via Windows Update<http://windowsupdate.microsoft.com>.


--------------------------------------------------------------------
3. Adobe Security Updates for Reader and Acrobat
--------------------------------------------------------------------

This week Adobe released security updates<https://helpx.adobe.com/security/products/reader/apsb15-10.html> for Adobe Reader and Acrobat for Windows and Macintosh. The updates patch 34 vulnerabilities in Acrobat X, Acrobat XI, Reader X and Reader XI that could potentially allow an attacker to take over the affected system.

Adobe recommends users update their product installations to the latest versions. Read the details in the Adobe Security Bulletin<https://helpx.adobe.com/security/products/reader/apsb15-10.html>.


---------------------------------------------------------
4. Vulnerabilities in Lenovo System Update
---------------------------------------------------------

(Thanks to Rich Pieri for sharing this news.)

Months after Lenovo was found to have shipped dangerous software preinstalled on its computers, major vulnerabilities were found in Lenovo’s update system that could allow attackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands remotely.

What are the vulnerabilities?

1. Lenovo's System Update software runs a service as SYSTEM and allows unprivileged processes to send it arbitrary commands to execute (a local privilege escalation).

2. Lenovo's System Update software does not correctly validate the certificate authority (CA) of signed updates, allowing the installation of "updates" signed with fake certificates.

3. Lenovo's System Update software downloads updates to a world-writable directory, creating a race condition (a time-of-check/time-of-use bug) between signature verification and execution of the saved executable: a local attacker can swap the file after it has been checked but before it is run.
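The third bug is a general pattern, not specific to Lenovo, so here is an added example (written for this newsletter, not Lenovo's code) that reproduces the race and shows one fix. It assumes an HMAC over the file contents as a stand-in for a real code signature, and a `race_hook` callback that plays the role of an unprivileged process writing to the shared download directory between the check and the use. The vulnerable version verifies the file at a path and then re-opens the same path to run it; the hardened version first copies the download into a directory only the updater can write to, and verifies and runs that private copy.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Optional, Tuple

# Stand-in for the vendor's code-signing key (assumption: a real updater
# validates an Authenticode signature and certificate chain instead).
VENDOR_KEY = b"example-vendor-signing-key"


def sign(payload: bytes) -> bytes:
    """Vendor side: produce the 'signature' that ships with an update."""
    return hmac.new(VENDOR_KEY, payload, hashlib.sha256).digest()


def signature_ok(payload: bytes, sig: bytes) -> bool:
    """Client side: constant-time check of the signature over the payload."""
    return hmac.compare_digest(sign(payload), sig)


def run_unsafe(path: Path, sig: bytes,
               race_hook: Callable[[], None] = lambda: None) -> Optional[bytes]:
    """Vulnerable pattern: verify the file at `path`, then execute whatever
    is at `path` when it is opened a second time. `path` lives in a
    world-writable directory, so another local user can replace it in
    between. 'Execute' is modelled as returning the bytes that would run."""
    if not signature_ok(path.read_bytes(), sig):   # time of check
        return None
    race_hook()                                    # attacker's window
    return path.read_bytes()                       # time of use: re-read


def run_safe(path: Path, sig: bytes,
             race_hook: Callable[[], None] = lambda: None) -> Optional[bytes]:
    """Hardened pattern: copy the download into a directory only this
    process can write to (mkdtemp creates it with mode 0700 on POSIX),
    then verify and run *that* copy. Swapping the original no longer
    changes what is checked or what runs."""
    private_dir = Path(tempfile.mkdtemp(prefix="updater-private-"))
    try:
        staged = private_dir / "update.bin"
        staged.write_bytes(path.read_bytes())  # single read of shared path
        race_hook()                            # attacker's window, now harmless
        payload = staged.read_bytes()          # the same bytes are checked and run
        if not signature_ok(payload, sig):
            return None
        return payload
    finally:
        shutil.rmtree(private_dir, ignore_errors=True)


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Constructed scenario: a genuine signed update sits in a shared
    directory; the attacker swaps it for a malicious file during the race
    window. Returns (what ran in the unsafe updater, what ran in the safe one)."""
    shared_dir = Path(tempfile.mkdtemp(prefix="world-writable-"))
    try:
        shared = shared_dir / "update.bin"
        genuine, malicious = b"GENUINE-UPDATE", b"MALICIOUS-PAYLOAD"
        sig = sign(genuine)  # attacker cannot forge this

        def attacker_swaps_file() -> None:
            shared.write_bytes(malicious)

        shared.write_bytes(genuine)
        ran_unsafe = run_unsafe(shared, sig, attacker_swaps_file)
        shared.write_bytes(genuine)
        ran_safe = run_safe(shared, sig, attacker_swaps_file)
        return ran_unsafe, ran_safe
    finally:
        shutil.rmtree(shared_dir, ignore_errors=True)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe updater ran:", unsafe)   # the malicious payload
    print("safe updater ran:  ", safe)     # the genuine update
```

The unsafe updater passes the signature check and still runs the attacker's file, because the check and the execution touch the path at different times. The fix is not a stronger signature but removing the attacker's write access to what is checked: stage into a private directory (or verify the exact bytes or open handle you are about to run) so the verified object and the executed object are the same thing.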

The company issued a patch last month that fixes the bugs, but owners will need to download the update<https://support.lenovo.com/us/en/product_security/lsu_privilege> themselves.

Learn more in the news<https://www.theverge.com/2015/5/6/8557881/security-researchers-found-another-massive-security-risk-in-lenovo>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
Social Communications Specialist
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu
tel: 617.253.2715
