[IS&T Security-FYI] SFYI Newsletter, December 12, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Dec 12 13:56:24 EST 2008


In this issue:

1. December 2008 Security Updates
2. Zero-Day IE7 Threat
3. Cyber Security on the Agenda for the Next President


----------------------------------------------
1. December 2008 Security Updates
----------------------------------------------

This month has seen a rather large number of new vulnerabilities, most  
of them in Microsoft Windows and Office products.

---- Microsoft ----

This week Microsoft released six critical and two important level  
patches for the Windows operating system and Office products.

Affected software:

   * Microsoft Windows and related components
   * Microsoft Internet Explorer
   * Microsoft Word, Excel and related components
   * Microsoft Office SharePoint Server
   * Microsoft Visual Basic 6

All six critical patches from this month's release address user-based
exploits in Microsoft's Windows or Office products. A remote,
unauthenticated attacker could gain elevated privileges, execute
arbitrary code or cause a vulnerable application to crash. One
important level patch addresses an elevation of privilege
vulnerability in Microsoft Office SharePoint Server; the other patch
addresses an NTLM credential reflection vulnerability in the Windows
Media components. These patches are now approved for deployment via
MIT WAUS.

For more information on this update:
<http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx>

---- Apple ----

This month has not yet seen any security updates from Apple.

---- Sun ----

Sun has released alerts to address multiple vulnerabilities affecting  
the Sun Java Runtime Environment.

Affected software:

Sun Java Runtime Environment versions

   * JDK and JRE 6 Update 10 and earlier
   * JDK and JRE 5.0 Update 16 and earlier
   * SDK and JRE 1.4.2_18 and earlier
   * SDK and JRE 1.3.1_23 and earlier

The impacts of these vulnerabilities vary. The most severe of these  
vulnerabilities could allow a remote attacker to execute arbitrary  
code. Apply the update released by Sun. If you have the vulnerable  
versions of Java on your system, it is also recommended to disable  
Java in your web browser. While this does not fix the vulnerabilities,  
it does block a common attack vector.

For more information on this update:
<http://www.us-cert.gov/cas/techalerts/TA08-340A.html>


------------------------------
2. Zero-Day IE7 Threat
------------------------------

In response to the zero-day vulnerability found in Internet Explorer  
this week, Microsoft released an advisory:

<http://www.microsoft.com/technet/security/advisory/961051.mspx>

Apparently, Microsoft has not yet publicly stated whether it will  
issue an out-of-cycle patch for the issue. However, in its advisory,  
Microsoft does indicate that a fix may be forthcoming in some capacity  
if the company decides it's necessary.


----------------------------------------------------------------------
3. Cyber Security on the Agenda for the Next President
----------------------------------------------------------------------

In a report titled "Securing Cyberspace for the 44th Presidency," the  
CSIS Commission on Cybersecurity for the 44th Presidency urges  
President-elect Barack Obama to create the National Office for  
Cyberspace, a new White House office headed by an Assistant to the  
President for Cyberspace, who would oversee 10-20 employees.  The  
report also pushes for new legislation that would allow investigations  
into cyber crime to proceed more quickly.

Among the proposals is the creation of data warrants in place of  
search warrants.  Commission member Jerry Dixon said, "We have to have  
a solid cyber doctrine" defining when incidents would require military  
action and when they would be better addressed through law enforcement  
or intelligence community channels.  The report makes numerous other  
recommendations, including moving the government away from passwords  
toward strong authentication for network access.

Read the full story here:
<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9122903>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you  
for your password.
