[IS&T Security-FYI] Security FYI Newsletter, May 12, 2016

Monique Buchanan myeaton at mit.edu
Thu May 12 12:08:51 EDT 2016


In this issue:

1. Android Security Patch Released by Google
2. Microsoft Security Updates for May 2016
3. What’s the Problem with the Internet of Things?


1. Android Security Patch Released by Google

A vulnerability on Android phones was patched this month, as announced in an Android Security Bulletin <https://source.android.com/security/bulletin/2016-05-01.html>. Android users are encouraged to accept the updates to their devices. Nexus users can receive the patch through an over-the-air update. Partners were notified and source code released to the Android Open Source Project repository.

The flaw has been unpatched for the past five years <http://arstechnica.com/security/2016/05/5-year-old-android-vulnerability-exposes-texts-and-call-histories/>, allowing low-privileged apps to access sensitive data. The vulnerability poses the biggest risk to the user base running versions 4.3 and earlier. However, even on devices running 4.4 or higher, a malicious application can modify sensitive OS properties. Attackers often combine such exploits with a low-severity exploit to increase their reach into a targeted phone.


2. Microsoft Security Updates for May 2016

On May 10, Microsoft released sixteen security bulletins <https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>, eight of which are rated critical. They address 51 security vulnerabilities in Microsoft Windows, Internet Explorer (IE), Office, SharePoint Server and Office Web Apps. A patch for Adobe Flash Player is also included, to resolve vulnerabilities in supported editions on Windows 8.1, Windows Server 2012, Windows Server 2012 RT 8.1, and Windows 10.

The critical vulnerabilities in IE <https://nakedsecurity.sophos.com/2016/01/07/stop-using-internet-explorer-after-next-tuesday-sort-of/> should be patched right away. Even if you are not using IE, it runs in the background as a component of Windows and can still be attacked by hackers.

As of this month, all Windows updates will be available only through the Microsoft Update Catalog <http://catalog.update.microsoft.com/>, and not through the Download Center. You can also accept the updates as they occur through Windows Update. You may need to restart your machine after installing patches. Happy patching!


3. What’s the Problem with the Internet of Things?

The Internet of Things (IoT) <https://en.wikipedia.org/wiki/Internet_of_Things> is the network of all kinds of technology connected via the Internet. That includes not just our smartphones, tablets, laptops and computers, but also “things” such as refrigerators, lights, heating and cooling systems and security systems. These connected devices can make our lives easier by providing ways to turn them on or off, or to set other configurations, when we’re not at home.

With this convenience comes risk. The biggest issue is that these IoT devices are made by manufacturers whose main interest is profit, not security. For example, some have default passwords that are posted on the Internet and cannot be easily changed. Unlike a phone or computer, the software in these devices can quickly become outdated without a way to update it.

OUCH! has a few tips on what you can do to protect your IoT devices. See the May Issue <https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201605_en.pdf> (.pdf) to learn more.


Monique Buchanan
Communications Specialist
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu
tel: 617.253.2715






