[IS&T Security-FYI] Newsletter, October 26, 2007
Monique Yeaton
myeaton at MIT.EDU
Fri Oct 26 11:57:04 EDT 2007
In this issue:
1. Security Updates from Adobe, Mozilla and RealNetworks
2. New Default Setting for WIN.MIT.EDU Computer Firewalls Boosts Security
3. RIAA Wins Copyright Case Against Minnesota Woman
4. Tip of the Week: P2P Security Risks
------------------------------------------------------------------------
1. Security Updates from Adobe, Mozilla and RealNetworks
------------------------------------------------------------------------
Security patches released this month include those for:
* Adobe Reader and Adobe Acrobat
Adobe has released updates for Adobe Reader and Adobe Acrobat to fix
security flaws that could allow attackers to gain control of a user's
computer. To exploit the flaw, attackers would need to manipulate
users into opening maliciously crafted Adobe Reader or Adobe Acrobat
PDF files, attached to email or posted on the Internet. The flaw
affects only Windows XP systems with Internet Explorer 7 (IE7)
installed. You can download updates from the Adobe site here:
<http://www.adobe.com/support/downloads/>.
* Firefox
Mozilla has released version 2.0.0.8 of Firefox to address 10 flaws.
Three of the fixes address critical flaws that could be exploited to
execute arbitrary code. Mozilla released versions for Windows, Linux
and Mac OS X. Firefox 2.0.0.8 can be downloaded from the Mozilla
site; current users can update Firefox by using the browser's
automated service.
* All versions of RealPlayer for Windows
RealNetworks, the maker of the RealPlayer and RealOne media player
software, has issued a security update to fix a flaw that hackers are
actively exploiting to break into vulnerable computers. The update
comes just 3 days after Symantec Corp. issued an alert saying it was
seeing cyber crooks targeting the software hole to compromise Windows
computers. The flaw does not affect Macintosh and Linux versions of
RealPlayer. The stand-alone patch can be retrieved here:
<http://service.real.com/realplayer/security/191007_player/en/>
------------------------------------------------------------------------
2. New Default Setting for WIN.MIT.EDU Computer Firewalls Boosts Security
------------------------------------------------------------------------
Earlier this week IS&T notified users of WIN.MIT.EDU workstations
that the Microsoft Windows Firewall defaults will be restored. By
default the Firewall is turned "on," protecting workstations from
unwanted communication from the network and Internet.
When the new Windows Firewall feature was introduced in 2004, IS&T
changed the behavior to default to "off" based on feedback that the
Firewall would cause issues with certain applications. IS&T no longer
feels that the default behavior is problematic for users and will
restore the default setting in December 2007.
The Windows Firewall helps block computer viruses and worms from
reaching your computer. It asks for your permission to block or
unblock certain connection requests and, if you want one, creates a
record (log) of successful and unsuccessful attempts to connect to
your computer, which can be useful as a troubleshooting tool.
This change will only affect users whose workstation is hosted by the
WIN.MIT.EDU domain. If you want to set your own Firewall, or see if
your Firewall is already turned on, see instructions at
<http://web.mit.edu/ist/topics/security/firewall.html>.
------------------------------------------------------------------------
3. RIAA Wins Copyright Case Against Minnesota Woman
------------------------------------------------------------------------
Following a more aggressive stance the Recording Industry Association
of America (RIAA) has recently taken against copyright infringement
-- the use and distribution of copyrighted files without the author's
consent -- a case was won against a single mother of three living in
Minnesota. She was sued for sharing copyrighted music online and
fined $220,000, a ruling that the industry hopes will send a message
to other illegal file sharers.
Record companies have filed some 26,000 lawsuits since 2003 over file
sharing. Many defendants have settled out of court by paying a few
thousand dollars. The full story has been posted here:
<http://www.usatoday.com/money/media/2007-10-04-downloading-music-trial_N.htm>
Anyone who has movies, music or software on his or her computer could
become a target if found sharing files without permission. A letter
sent this Fall to students and MIT rules of use state that users of
the network must abide by copyright laws. An article highlighting
copyright at MIT is posted in the September/October 2007 issue of the
'is&t' newsletter. If you have not received a copy through campus
mail, you can download one from the Web at
<http://web.mit.edu/ist/isnews/>.
-------------------------------------------------
4. Tip of the Week: P2P Security Risks
-------------------------------------------------
As an addendum to the copyright infringement article above, it is
important to note that using any peer-to-peer (P2P) software that
allows you to share files over the Internet can not only expose you
to a possible lawsuit but could also put you at risk for exposing
sensitive data as well as giving others access to your computer files.
This is such a growing threat that lawmakers from the House Oversight
and Government Reform Committee have asked the Federal Trade
Commission to define the security risks that P2P networks pose and
how they compare to those posed by other online activities. The
hearing and investigation held by the committee in July "suggested
that the threat from P2P networks was far greater than originally
thought." The FTC's findings in May 2005 noted that they would "hold
file-sharing program distributors to their promises to provide
consumers with risk information."
The full story was posted here:
<http://www.fcw.com/online/news/150560-1.html?type=pf>
If you want to learn more about copyrights and using P2P software
visit: <http://web.mit.edu/ist/topics/security/copyright/index.html#addtl>
Thank you for staying safe on the Internet!
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security