[IS&T Security-FYI] Newsletter, January 11, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Jan 11 12:07:07 EST 2008


In this issue:

1. Microsoft's January 2008 Security Updates
2. Various Vulnerabilities
3. NERCOMP Security and Policy Conference
4. Poll results: Keep Newsletter As Is


---------------------------------------------------------
1. Microsoft's January 2008 Security Updates
---------------------------------------------------------

Products affected:

  - All supported versions of Windows

This week's security bulletin release from Microsoft was small:
one critical-rated and one important-rated patch for the Windows
operating system. Both patches are now approved for deployment via
MIT WAUS.

The critical patch addresses network-based vulnerabilities that
affect systems running multicast applications or the ICMP Router
Discovery Protocol; the most severe of these could allow a remote,
unauthenticated attacker to execute arbitrary code. The important
patch addresses an elevation of privilege vulnerability in how LSASS
handles LPC (local procedure call) requests, which a local attacker
could use to gain higher privileges.

For more info: <http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx>


--------------------------------
2. Various Vulnerabilities
--------------------------------

In the past few weeks two major products were found to have  
vulnerabilities. They were:

  - Adobe Flash Player

Adobe Flash Player is the most popular platform for rich internet  
content. The Adobe Flash Player web browser plugin is bundled with  
Microsoft Windows, Apple Mac OS X, and various Unix and Linux-based  
operating systems. The Flash plugin contains multiple vulnerabilities
in its handling of Flash content and network requests. A specially
crafted web page with embedded Flash content could exploit one of
these vulnerabilities to allow an attacker to execute arbitrary code
with the privileges of the current user, perform cross-site scripting
attacks, or carry out other attacks. Because Flash content is
generally loaded automatically when a page is viewed, no user
interaction beyond visiting a malicious web page is needed to exploit
these vulnerabilities.

Status: Adobe confirmed, updates available.
<http://www.adobe.com/support/security/bulletins/apsb07-20.html>

  - Real Networks RealPlayer

Real Networks RealPlayer, a popular streaming media player, and Helix
Server, a popular streaming media server, contain undisclosed remote
code execution vulnerabilities. A specially crafted RealPlayer
datastream or Real Time Streaming Protocol (RTSP) request could
trigger one of these vulnerabilities and allow an attacker to execute
arbitrary code with the privileges of the vulnerable process.
RealPlayer content is generally displayed by default, without first
prompting the user, and Helix Server generally accepts arbitrary
requests. It is believed that RealPlayer on all supported platforms
is vulnerable.

Status: Real Networks has not confirmed, no updates available. For  
this reason, we recommend that you avoid using these products until  
an update has been released.


----------------------------------------------------------
3. NERCOMP Security and Policy Conference
----------------------------------------------------------

Registration is now open for NERCOMP's upcoming workshop: "Security  
and Policy"

DATE:
February 5, 2008

TIME:
9:15am - 3:00pm (Coffee and Registration start at 8:00)

PRICE:
NERCOMP Members: $72, Non-Members: $172

LOCATION:
The College of the Holy Cross, Worcester, MA.

DESCRIPTION:
Security is essential to planning and managing effective information  
and network systems. Effective security efforts are composed of a  
complex set of interrelated components including policies,  
procedures, and technical controls. Information Security Policy  
outlines the legal, privacy, and security-related responsibilities  
that govern use of IT systems and data by members of the campus
community. The implementation of policy covers many facets and  
requires a broad set of skills to effectively manage. The SIG will  
cover the role of policy as it impacts the deployment of information  
security processes, tools and technologies. Specific topics include  
how to effectively leverage resources to build a security program,  
the role of policy in a security program, and complying with PCI-DSS.

For those interested in attending: members of the IT Security
Support team also plan to be there, so we'll see you at the workshop.
For a full schedule and registration information, please go to:  
<http://www.nercomp.org/events/event_single.aspx?id=1306>


-----------------------------------------------
4. Poll results: Keep Newsletter As Is
-----------------------------------------------

Several weeks ago I asked our readers to let me know if they would  
like to see this newsletter change format to include html and images.  
While some of you liked the idea, the majority of the responses I  
received showed that you like the format as is, and asked to not  
change a thing. I'm sure that says something positive so thank you  
all for your feedback and for helping me to make this decision.


Thanks,

Monique

=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
