[IS&T Security-FYI] SFYI Newsletter, January 16, 2009
Monique Yeaton
myeaton at MIT.EDU
Fri Jan 16 16:01:10 EST 2009
In this issue:
1. January 2009 Security Updates
2. Vulnerabilities Addressed in MS08-067 Are Still Being Exploited
3. A Serious Flaw Found in Safari
4. Reported Breaches Up Nearly 50 Percent
-------------------------------------------
1. January 2009 Security Updates
-------------------------------------------
---- Microsoft ----
Microsoft has provided updates for just one critical vulnerability in
the Microsoft Security Bulletin Summary for January 2009. Systems
affected:
* Microsoft Windows 2000, XP, and Vista
* Microsoft Windows Server 2000, 2003, and 2008
In its bulletin for January 2009, Microsoft released updates that
address vulnerabilities in the Server Message Block (SMB) protocol
affecting all supported versions of Microsoft Windows. A remote,
unauthenticated attacker could gain elevated privileges, execute
arbitrary code, or cause a denial of service. The threat is more
severe on older versions of the operating system. These patches are
now approved for deployment via MIT WAUS.
For more information on this update:
<http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx>
---- Apple ----
This month has not yet seen any security updates from Apple.
---- Oracle ----
Oracle has released updates for multiple vulnerabilities. For more
information regarding affected product versions, please see the Oracle
Critical Patch Update - January 2009.
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html>
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. The impact of these
vulnerabilities varies depending on the product, component, and
configuration of the system. Potential consequences include the
execution of arbitrary code or commands, information disclosure, and
denial of service. Vulnerable components may be available to
unauthenticated, remote attackers. An attacker who compromises an
Oracle database may be able to access sensitive information.
-----------------------------------------------------------------------------------
2. Vulnerabilities Addressed in MS08-067 Are Still Being Exploited
-----------------------------------------------------------------------------------
On October 23, 2008, Microsoft released an out-of-cycle patch, MS08-067,
for a vulnerability in Windows. All Windows users were advised to
download the update; however, three weeks after the public disclosure,
approximately 300 MIT machines were still vulnerable. This week there
remain about 68 unpatched machines on the MIT network. It is important
that users install critical patches as soon as they are released. IT
Security Support staff have been persistent in notifying the owners of
vulnerable machines of the situation.
If there is reason to believe a Windows machine in your area has not
been patched against this vulnerability, please take the time to do so.
Some businesses that have not yet applied the patch issued in October
have found their systems infected with a worm that uses a dictionary
attack to crack user passwords; the guessing triggers the domain
lockout policy, so user accounts are locked out of Active Directory
while the worm tries to find their passwords. A removal tool is
available, and users are urged to apply the patch as soon as possible.
Other exploits similar to this one have also been identified.
Detailed information about this bulletin is available here:
<http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>
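A worm of the kind described above leaves a distinctive trace on the domain controller: many different accounts are locked out within minutes, all with the same infected machine named as the caller. A single user mistyping a password locks out one account, not dozens. The script below is an added example, not part of the newsletter, showing how an administrator could flag that pattern. It reads a constructed, simplified rendering of Windows Security event 4740 ("A user account was locked out") rather than a real event-log export; the 5-minute window and the threshold of four distinct accounts are assumed tuning values.

```python
"""Flag a burst of Active Directory account lockouts coming from one source host.

Added example, not from the newsletter. The input format is a constructed,
simplified rendering of Windows Security event 4740 (timestamp, event id,
locked account, caller computer), not a real event-log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, event id, locked-out account, caller computer.
SAMPLE_LOG = """\
2009-01-14T09:02:11,4740,jsmith,WS-0412
2009-01-14T09:02:14,4740,ajones,WS-0412
2009-01-14T09:02:19,4740,bkim,WS-0412
2009-01-14T09:02:23,4740,clee,WS-0412
2009-01-14T09:02:30,4740,dwong,WS-0412
2009-01-14T09:15:02,4740,mgarcia,WS-0077
2009-01-14T09:40:51,4740,jsmith,WS-0412
2009-01-14T10:05:00,4740,tnguyen,LAPTOP-19
"""


def parse_lockouts(text):
    """Return a time-sorted list of (timestamp, account, source) for event-4740 lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(",")
        if event_id != "4740":
            continue  # ignore anything that is not a lockout event
        events.append((datetime.fromisoformat(ts), account, source))
    return sorted(events)


def find_lockout_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Return {source: accounts} for every caller computer that locked out at
    least `threshold` distinct accounts inside any span of length `window`.
    Both parameters are assumed tuning values, not figures from the newsletter."""
    by_source = defaultdict(list)
    for ts, account, source in events:
        by_source[source].append((ts, account))

    flagged = {}
    for source, items in by_source.items():
        start = 0
        # Sliding window over this source's lockouts, oldest to newest.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= threshold:
                flagged[source] = flagged.get(source, set()) | accounts
    return flagged


if __name__ == "__main__":
    for source, accounts in find_lockout_bursts(parse_lockouts(SAMPLE_LOG)).items():
        print(f"{source}: {len(accounts)} accounts locked out within 5 minutes; "
              f"isolate the host and verify it has the MS08-067 patch: {sorted(accounts)}")
```

On the constructed input only WS-0412 is reported: it locks out five different accounts in under twenty seconds, while the single lockouts from WS-0077 and LAPTOP-19 look like ordinary typos and are left alone. Keying the heuristic on distinct accounts per caller, rather than on the raw count of lockout events, is what separates a guessing worm from one user repeatedly retrying a wrong password.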
-------------------------------------------
3. A Serious Flaw Found in Safari
-------------------------------------------
Apple's Safari browser on Windows and Mac OS X is vulnerable to a bug
that could allow a malicious website to read files on the user's hard
drive, according to a security researcher. There has been no patch
released for this vulnerability.
Read the full story here:
<http://news.zdnet.co.uk/security/0,1000000189,39591617,00.htm>
This article provides recommended workarounds:
<http://brian.mastenbrook.net/display/27>
--------------------------------------------------------
4. Reported Breaches Up Nearly 50 Percent
--------------------------------------------------------
According to statistics gathered by the Identity Theft Resource
Center, there were 656 data breaches reported by businesses, schools
and governments in 2008, up from 446 in 2007, an increase of nearly 50
percent. Breaches at businesses accounted for 37 percent of the
total, while breaches at schools accounted for 20 percent. The
percentage of breaches involving current and former employees more
than doubled to 16 percent in 2008. The top cause of breaches was
human error, which includes lost or stolen laptops and data storage
devices, and inadvertent exposure of data. [Article source: SANS]
Read the full story here:
<http://www.washingtonpost.com/wp-dyn/content/article/2009/01/05/AR2009010503046_pf.html>
or here:
<http://www.techweb.com/article/showArticle?articleID=212700890>
Laptop and storage device theft also occurs on MIT's campus. To reduce
the risk of theft, contact the MIT Crime Prevention Unit at
<crimebite at mit.edu>.
Locks and cables for computers and electronic devices can be obtained
from the MIT-preferred vendors KSL Security <http://www.kslsecurity.com>
and Office Depot <http://www.officedepot.com>, which provide MIT users
with substantial discounts. KSL Security will even come to campus to
install their locks and cables for you.
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you
for your password.