[IS&T Security-FYI] SFYI Newsletter, August 2, 2010

Monique Yeaton myeaton at MIT.EDU
Mon Aug 2 13:09:12 EDT 2010


In this issue:

1. Fix To Be Released for Zero-Day Flaw in Windows Shell
2. Safari Updates AutoFill Flaw
3. McAfee and Microsoft Incompatibilities



--------------------------------------------------------------------------
1. Fix To Be Released for Zero-Day Flaw in Windows Shell
--------------------------------------------------------------------------

Microsoft is planning to release an out-of-band security update on Monday, August 2, 2010, at or around 10 AM PDT, to address the vulnerability discussed in Security Advisory 2286198.

Microsoft is able to confirm that, in the past few days, there was an increase in attempts to exploit the vulnerability. Users running any of the supported Windows platforms should install the update, which will require a restart. The update has not yet been approved for deployment via MIT WAUS.

Announcement of the release by Microsoft:
<http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx>

Security advisory 2286198: <http://www.microsoft.com/technet/security/advisory/2286198.mspx>


---------------------------------------
2. Safari Updates AutoFill Flaw
---------------------------------------

Last week Apple issued updates for Safari 4 and 5 just one day before a scheduled presentation on one of the flaws at the Black Hat conference.  The updates fix 15 vulnerabilities, some of which could be exploited to allow arbitrary code execution or information disclosure.  Thirteen of the 15 patched flaws could be exploited in drive-by attacks, meaning no user interaction is required.  The flaw slated for presentation is an AutoFill vulnerability that could be exploited to disclose information. Jeremiah Grossman said the same vulnerability affects Internet Explorer.

The story in the news: 
<http://www.scmagazineus.com/safari-update-fixes-auto-fill-flaw-ahead-of-black-hat-talk/article/175727/>


----------------------------------------------------
3. McAfee and Microsoft Incompatibilities
----------------------------------------------------

The current McAfee anti-virus (AV) product available for Windows (VirusScan Enterprise 8.7i) does not support Microsoft Office 2010, in particular Microsoft Outlook 2010. 

As per the McAfee knowledgebase article of July 21, 2010:

Microsoft Office 2010 products, and Microsoft Outlook 2010 in particular, are currently not supported by VirusScan Enterprise (VSE) 8.7i. This means that any VSE issues related to Office 2010 applications are not supported. VSE 8.8 will support Microsoft 2010 products. VSE 8.8 is scheduled for release by the end of 2010.

What does this mean for anyone already using Office 2010 or planning to use it in the near future?

If you are running Office 2010 and VSE 8.7i, the AV software will NOT detect and clean viruses in Outlook, including emails in HTML text and attachments.
The AV software will NOT defend against threats that target Microsoft Office 2010 applications and services.

For this reason, IS&T recommends against installing Microsoft Office 2010 on production machines and advises waiting until McAfee has completed its testing of the product and releases VSE 8.8.

The McAfee knowledgebase article: <https://kc.mcafee.com/corporate/index?page=content&id=KB69027>



===========================================================================

Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>


Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security





