[IS&T Security-FYI] SFYI Newsletter, December 7, 2009

Monique Yeaton myeaton at MIT.EDU
Mon Dec 7 12:39:22 EST 2009


In this issue:

1. December 2009 Security Patches
2. Theft, Loss and Data Exposure


----------------------------------------------
1. December 2009 Security Patches
----------------------------------------------

---- Microsoft ----

Systems affected:

Microsoft Windows (all supported versions)
Windows Server (2003, 2008)
Internet Explorer (all supported versions)
Microsoft Office (XP, 2003)

According to its Security Bulletin Advance Notification for December  
2009, Microsoft plans to release six security bulletins on Tuesday,  
December 8 to address 12 vulnerabilities.

Three of the bulletins are rated critical, three are rated important.  
The bulletins for Office impact Project, Word and Works 8.5. The patch  
for Internet Explorer addresses a flaw reported last month (security  
advisory 977981) that affects IE 6 and 7, but not IE 8.

For details:
<http://www.microsoft.com/technet/security/bulletin/ms09-dec.mspx>
<http://www.microsoft.com/technet/security/advisory/977981.mspx>


---- Apple ----

Systems affected:

Mac OS X 10.5.8
Mac OS X 10.6.2 or later

Apple released 2 updates on December 3rd to address vulnerabilities in  
Java for Mac. The company released one for OS X 10.5 and one for 10.6.  
Installing the update is recommended to prevent an untrusted Java
applet from obtaining elevated privileges. Visiting a web page  
containing a maliciously crafted Java applet may lead to arbitrary  
code execution with the privileges of the current user.

The updates are available via Apple's Support downloads page or in  
Software Update.
<http://support.apple.com/downloads/>


-------------------------------------------
2. Theft, Loss and Data Exposure
-------------------------------------------

Last week's issue reviewed how data can be exposed through the
Internet. This week let's look at another way sensitive data can be
compromised. According to some reports, computer theft and loss are on
the rise.

Loss occurs inadvertently, when an item containing data is misplaced  
or left unprotected somewhere. Ponemon Institute released a survey in  
2008 stating 10,278 laptops are reported lost every week at 36 of the  
largest US airports and that 65 percent are not reclaimed. About 53  
percent of people who have lost laptops this way said the laptops  
contained confidential information. This survey just looked at  
airports. Can you imagine how much higher the overall incident rate  
must be for lost laptops throughout the country?

Surprisingly, incidents of loss occurred infrequently in higher
education in 2008. Loss accounted for only 5% of information security breaches
reported by institutes of higher education. The total number of  
records exposed as a result of loss that year was approximately  
52,000. About 21,000 of those records were lost when Harvard Law  
School misplaced a backup tape containing client data while a staff  
member was carrying six tapes to the Cambridge office from Jamaica  
Plain.

Theft is deliberate, occurring when someone intentionally and  
physically removes an item containing data from the owner. Airports,  
along with hotels and parked cars, are places where laptops can easily
be stolen. But we have also seen several incidents of stolen computers  
from college campuses, including at MIT.

The incidence of theft is much higher than that of loss in higher education. In
2008, theft accounted for 23% of information security breaches  
reported by colleges and universities. The number of records exposed  
as a result of theft was over 4 million. By far, the largest number of  
records exposed in higher education was due to theft. The University  
of Miami lost 2.1 million records in 2008 when a box full of backup  
tapes containing patient data was stolen from a vehicle belonging to
an off-site storage company.

Don't let MIT become one of these statistics! Learn more about how you  
can protect important data: attend the seminar on Handling Sensitive  
Data during IAP 2010. <http://student.mit.edu/iap/nsis.html>

========================================================================

Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>


Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security





