[IS&T Security-FYI] Newsletter, January 18, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Jan 18 14:15:59 EST 2008
In this issue:
1. Apple QuickTime Update 7.4
2. Firefox Hit with Spoofing Bug
3. How Safe is our Wireless Network?
----------------------------------------
1. Apple QuickTime Update 7.4
----------------------------------------
Apple released an update for QuickTime to fix multiple
vulnerabilities. Exploitation of these vulnerabilities could allow a
remote attacker to execute arbitrary code or cause a denial-of-service
condition.
Systems Affected
* Apple Mac OS X running versions of QuickTime prior to 7.4*
* Microsoft Windows running versions of QuickTime prior to 7.4*
Apple QuickTime 7.4 resolves multiple vulnerabilities in the way
different types of image and media files are handled. An attacker
could exploit these vulnerabilities by convincing a user to access a
specially crafted image or media file that could be hosted on a web
page.
*Note that Apple iTunes installs QuickTime, so any system with iTunes
also has QuickTime and is affected unless QuickTime has been updated
to 7.4 or later.
For further information, please see 'About the security content of
QuickTime 7.4': <http://docs.info.apple.com/article.html?artnum=307301>
----------------------------------------
2. Firefox Hit with Spoofing Bug
----------------------------------------
According to an article on Networkworld.com, Firefox 2.0.0.11 has a
vulnerability that could be used by identity thieves to dupe users
into disclosing passwords. In one scenario described by the security
researcher who found this vulnerability, "a link to a trusted site --
a well-known bank, say, or a Web e-mail service such as Gmail or
Hotmail -- when clicked would display its usual log-on dialog. In the
background, however, the attacker would have crafted a script that
exploited the Firefox vulnerability to redirect the username and
password entered by the user to the hacker's server instead of the
real deal."
His advice: "Until Mozilla fixes this vulnerability, I recommend not
to provide username and password to Web sites which show this dialog."
Read the full story here: <http://www.networkworld.com/news/2008/010308-firefox-hit-with-spoofing.html?fsrc=rss-security>
------------------------------------------------
3. How Safe is our Wireless Network?
------------------------------------------------
I'm sure many of you have read about the risks of using wireless
networks (Wi-Fi). The phenomenon of so-called "wardriving" is
popular: driving or walking around with a wireless-capable device
until a network offering an Internet connection is found. Some people
do this from within their homes, hoping a neighbor hasn't
password-protected their network. But the bad guys do this to "sniff"
out information that is being transferred over those networks.
We have Wi-Fi at MIT as well. The way our network is set up does not
require a network password for access (so the wireless link itself is
not encrypted), although you do have to be registered with an account
to use the network. That means the protection has to come from the
applications you run over the network, and most of the applications
you use to transfer information over our network have been designed
with that in mind. Even with potential eavesdroppers out there we are
relatively safe, as MIT provides many web applications that require
X.509 certificate authentication, which in turn requires an
SSL-protected session. To make sure your connection is secure, look
for HTTPS in the URL or a padlock in the browser. Keep in mind that
HTTPS protects the data in transit; it does not by itself prove that
the page you are typing into belongs to the site you intended (see
item 2 above). In addition, Kerberos provides security for email and
other network services which you as an MIT community member have
access to.
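To make the eavesdropping point concrete, here is an added example (not
part of the original newsletter, and not MIT code) showing what a passive
listener on an open wireless network learns from two login sessions: one
over plain HTTP and one over HTTPS. Both captures are constructed samples
with a hypothetical host and made-up credentials; the TLS record bodies
are filler bytes, not a real handshake or ciphertext. The cleartext request
gives up both a Basic authentication header and a form password, while the
HTTPS session yields only TLS record headers (content type, version,
length) and opaque bytes.

```python
"""Eavesdropper's view of two login sessions on an open wireless network."""
import base64
from urllib.parse import parse_qs

# Constructed sample 1: a login over plain HTTP. Hypothetical host and
# credentials; every byte is readable by anyone on the same open Wi-Fi.
CLEARTEXT_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: webmail.example.edu\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"username=bob&password=s3cret"
)

# Constructed sample 2: the same kind of login over HTTPS. The sniffer sees
# only TLS record headers; the record bodies below are filler, not a real
# handshake or real ciphertext.
TLS_HTTPS = bytes.fromhex(
    "1603010008" + "0100000400000000"   # Handshake record, TLS 1.0, 8 opaque bytes
    + "1703010006" + "a1b2c3d4e5f6"     # ApplicationData record, 6 opaque bytes
)

TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                     22: "Handshake", 23: "ApplicationData"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


def extract_http_credentials(data):
    """Pull credentials out of a cleartext HTTP request the way a sniffer would."""
    head, _, body = data.partition(b"\r\n\r\n")
    found = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() == b"basic":       # Basic auth is just base64, not encryption
                user, _, password = base64.b64decode(token).decode().partition(":")
                found["basic"] = (user, password)
    form = parse_qs(body.decode())               # form-encoded POST body, if any
    for field in ("username", "password"):
        if field in form:
            found.setdefault("form", {})[field] = form[field][0]
    return found


def summarize_tls_records(data):
    """Parse TLS record headers; the payloads stay opaque to an eavesdropper."""
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, major, minor = data[pos], data[pos + 1], data[pos + 2]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        if ctype not in TLS_CONTENT_TYPES or major != 3 or pos + 5 + length > len(data):
            raise ValueError("not a well-formed TLS record at offset %d" % pos)
        version = "SSL 3.0" if minor == 0 else "TLS 1.%d" % (minor - 1)
        records.append((TLS_CONTENT_TYPES[ctype], version, length))
        pos += 5 + length
    return records


def eavesdropper_view(data):
    """What a passive listener learns from one captured TCP payload."""
    if data.startswith(HTTP_METHODS):
        return {"protocol": "http", "credentials": extract_http_credentials(data)}
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        return {"protocol": "tls", "records": summarize_tls_records(data),
                "credentials": {}}
    return {"protocol": "unknown", "credentials": {}}


if __name__ == "__main__":
    for label, sample in (("plain HTTP", CLEARTEXT_HTTP), ("HTTPS", TLS_HTTPS)):
        print(label, "->", eavesdropper_view(sample))
```

Note that the Basic authentication header is only base64-encoded, which is
reversible by anyone; it is the SSL/TLS session, not the header encoding,
that keeps the credentials private. Kerberos protects its own exchanges
in a similar spirit, by never sending the password over the network at all.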
Remember, you are only as secure as your activities allow you to be.
Pause and think about the risks you are accepting, whether using a
public or private network. Some tips to help you:
- Keep your system patched
- Turn on the built-in firewall in your operating system
- Use VPN (http://itinfo.mit.edu/product.php?name=vpn)
- Disable peer-to-peer functionality when not in use
- Disable network cards or connections when working offline
- Don't let anyone shoulder surf (peek over your shoulder)
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security