[IS&T Security-FYI] Newsletter, December 7, 2007
Monique Yeaton
myeaton at MIT.EDU
Fri Dec 7 09:28:34 EST 2007
In this issue:
1. Mozilla Bugs Fixed
2. Apple QuickTime Flaw Remains Unfixed
3. Regular File Backups
4. Tip of the Week: Online Shoppers Beware
---------------------------
1. Mozilla Bugs Fixed
---------------------------
Software affected:
* Mozilla Firefox versions prior to 2.0.0.10
* Mozilla SeaMonkey versions prior to 1.1.7
* Netscape Navigator versions prior to 9.0.4
Memory corruption vulnerabilities: Web browsers based on the Mozilla
suite, including Firefox, contain multiple vulnerabilities in their
handling of web content. A specially crafted web page or script could
trigger one of these vulnerabilities. Successfully exploiting one of
these vulnerabilities would allow an attacker to execute arbitrary
code with the privileges of the current user. Note that other
browsers or applications based on the Mozilla framework could be
vulnerable.
Mozilla has since patched these vulnerabilities in the versions listed
above (Firefox 2.0.0.10). Firefox 2.0.0.11 was released last week to
fix an unrelated bug. If you are using Firefox, I recommend taking the
update to mitigate the risk from this and other bugs affecting earlier
versions.
To download the latest Mozilla product, visit <http://www.mozilla.org/download.html>
------------------------------------------------------
2. Apple QuickTime Flaw Remains Unfixed
------------------------------------------------------
Software affected:
* Apple QuickTime 7.3 and earlier for Windows and Mac
* iTunes versions 7.5 and earlier for Windows and Mac
Remote Buffer Overflow: Apple QuickTime contains a buffer overflow
vulnerability in the way QuickTime processes Real Time Streaming
Protocol (RTSP) streams. This vulnerability could allow a remote,
unauthenticated attacker to execute arbitrary code or commands, or to
cause a denial-of-service condition. Common web browsers, including
Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari, can be
used to pass RTSP streams to QuickTime and so to trigger the
vulnerability. A QuickTime update for this vulnerability is not yet
available. Since QuickTime is a component of Apple iTunes, iTunes
installations are also affected by this vulnerability.
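The two advisories above give either a first fixed release (Firefox 2.0.0.10, SeaMonkey 1.1.7, Navigator 9.0.4) or an upper bound with no fix yet (QuickTime 7.3 and earlier, iTunes 7.5 and earlier). Comparing dotted version strings as plain text gets this wrong: "2.0.0.9" sorts after "2.0.0.10", so a text comparison would report a vulnerable Firefox 2.0.0.9 as already patched. The Python below is an added example, not part of the original newsletter or of any Mozilla or Apple tooling; it parses the fields numerically and reports where an installed version stands against this issue's thresholds. The product names used as keys and the sample inventory are constructed for illustration.

```python
"""Check installed versions against the "software affected" ranges in
this issue. Added example; not part of the original newsletter."""
import re

# Thresholds taken from the two advisories above. For the Mozilla products
# "versions prior to X" means X is the first fixed release. For QuickTime
# and iTunes, "7.3 and earlier" / "7.5 and earlier" are affected and no
# fixed release exists yet, so the last known-affected version is recorded.
FIRST_FIXED = {
    "Firefox": "2.0.0.10",
    "SeaMonkey": "1.1.7",
    "Netscape Navigator": "9.0.4",
}
LAST_AFFECTED_NO_FIX = {
    "QuickTime": "7.3",
    "iTunes": "7.5",
}


def parse_version(text):
    """Turn "7.3.1" into (7, 3, 1). Trailing non-numeric tags such as
    "rc1" are ignored for this check; a string with no leading digits
    is rejected rather than silently treated as version 0."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError("not a version string: %r" % text)
    return tuple(int(part) for part in m.group(0).split("."))


def version_lt(a, b):
    """True if version a sorts before version b, field by field and
    numerically. Missing trailing fields count as zero, so
    7.3 == 7.3.0 and 7.3 < 7.3.1."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def assess(product, installed):
    """Return "update available", "patched", "no fix available" or
    "outside affected range" for one of the products in this issue."""
    if product in FIRST_FIXED:
        if version_lt(installed, FIRST_FIXED[product]):
            return "update available"
        return "patched"
    if product in LAST_AFFECTED_NO_FIX:
        last = LAST_AFFECTED_NO_FIX[product]
        # "7.3 and earlier": anything not strictly newer than 7.3 is
        # affected, and the advisory offers no patched release to move to.
        if not version_lt(last, installed):
            return "no fix available"
        return "outside affected range"
    raise KeyError("product not covered by this issue: %r" % product)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("Firefox", "2.0.0.9"),
        ("Firefox", "2.0.0.11"),
        ("SeaMonkey", "1.1.6"),
        ("Netscape Navigator", "9.0.4"),
        ("QuickTime", "7.3"),
        ("iTunes", "7.5"),
    ]
    for product, version in inventory:
        print("%-18s %-9s %s" % (product, version, assess(product, version)))
    # The pitfall this guards against: plain string comparison misorders
    # "2.0.0.9" and "2.0.0.10"; the numeric comparison gets it right.
    print("string compare says 2.0.0.9 < 2.0.0.10:", "2.0.0.9" < "2.0.0.10")
    print("numeric compare says 2.0.0.9 < 2.0.0.10:", version_lt("2.0.0.9", "2.0.0.10"))
```

The same numeric comparison applies to any advisory phrased as "versions prior to" or "X and earlier"; the only product-specific data is the two small tables at the top.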
Ways to block a possible attack are referenced below. In the meantime
I recommend you do not open QuickTime files from any untrusted
sources, including unsolicited files or links received in email,
instant messages, web forums, or internet relay chat (IRC) channels.
* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>
* Mozilla Uninstalling Plugins - <http://plugindoc.mozdev.org/faqs/uninstall.html>
* How to stop an ActiveX control from running in Internet Explorer - <http://support.microsoft.com/kb/240797>
------------------------------
3. Regular File Backups
------------------------------
Have you done your "1st of the month" backups yet? Whether you back
up your files monthly, weekly, or daily, it is a good idea to have a
reminder marked on your calendar or to have your backup software set
up for regularly scheduled backups. Lost files, whether email messages
or documents you have worked on, are not only an enormous
inconvenience but can also mean financial loss if, for instance, your
income depends on those files.
At MIT, Tivoli Storage Manager (TSM) is available for both Windows
and Macs and lets you back up files to, and restore them from, a
secure server <http://web.mit.edu/ist/topics/backup/>.
IS&T will be making a new service system and pricing structure
available in January 2008, adding a basic service (for free) and an
enterprise service (for a monthly fee) to the existing standard
service in place for over twelve years.
More information on these services will be posted in the next IS&T
newsletter which arrives in your mailbox once every other month or
can be viewed online at <http://web.mit.edu/ist/isnews/>. Or you can
contact <tsm-systems at mit.edu> to learn more.
---------------------------------------------------------
4. Tip of the Week: Online Shoppers Beware
---------------------------------------------------------
Each holiday season there are criminals lurking out there ready to
snare the unsuspecting shopper. Sales notifications sent via email by
retailers, online discounts, and once-in-a-lifetime online deals
could get you more than you've bargained for.
Hackers will try to trick you into downloading a virus, worm, or
spyware to your computer. Or they will actually take your money or
steal your identity. Beware the fake website, untrustworthy download,
and suspect email link or attachment!
Read a related story here: <http://www.usatoday.com/tech/news/computersecurity/2007-11-25-cyber-monday_N.htm>
What can you as an online shopper do? This article offers some
suggestions for minimizing potential risks: <http://netsecurity.about.com/od/newsandeditoria2/a/blackfriday.htm>
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security