[IS&T Security-FYI] SFYI Newsletter, August 30, 2010

Monique Yeaton myeaton at MIT.EDU
Mon Aug 30 11:52:32 EDT 2010


In this issue:

1. Apple Issues OS X Security Update
2. Microsoft Releases Security Advisory for New Zero-Day Threat
3. Free iPad Scam


------------------------------------------------
1. Apple Issues OS X Security Update
------------------------------------------------

Apple has issued security update 2010-005 for OS X to address 13 security flaws. Eight of the flaws have been rated critical. The flaws could be exploited to execute arbitrary code, access sensitive data, create denial-of-service conditions or impersonate hosts within a domain.  The update affects Mac OS X 10.5.8 client and server and Mac OS X 10.6.4 client and server.

The update can be downloaded via Software Update or from the Apple Downloads page <http://support.apple.com/downloads/>.

Details of the update:
<http://support.apple.com/kb/HT4312>

In the news:
<http://www.scmagazineus.com/apple-releases-os-x-update-fixes-13-flaws/article/177505/>


-----------------------------------------------------------------------------------
2. Microsoft Releases Security Advisory for New Zero-Day Threat
-----------------------------------------------------------------------------------

Last week this newsletter included an article on the flaw found in many programs that run on Windows due to how they load external libraries, files known as dynamic-link libraries (DLLs).

On August 23, Microsoft released Security Advisory 2269637 and a tool to block known exploits of the vulnerability. The advisory states that hackers will likely use so-called "DLL preloading attacks" or "binary planting" to take advantage of the vulnerabilities. Microsoft is reaching out to programmers and third-party vendors to inform them of the mitigations available in the Windows operating system and is actively investigating which of its own applications may be affected.

More popularly known as DLL hijacking, these attacks work because many programs ask Windows for a library by file name only (for example, "helper.dll") rather than by a fully qualified path. Windows then walks a fixed search order to find a file with that name: the folder that contains the program, the system folder, the Windows folder, the current working directory, and finally the folders listed in the PATH variable. The hacker does not need to replace a real library on the system. If the program asks for a library that is not present in its own folder or in the system folders (a common case for optional components), the search falls through to the current working directory, and a file of the right name planted there is loaded and run with the user's privileges. The current working directory is the usual target because opening a document from a network share, a WebDAV server or a USB drive typically makes that location the program's current directory, so a harmless-looking document sitting next to a malicious .dll is all it takes. Once that file is loaded, you're hacked. This vulnerability underscores the importance of application programmers building security into all of their code: load libraries by fully qualified path, and remove the current directory from the search order when the program does not need it.
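To make the search order concrete, here is a small C simulation added to this issue; it is not code from Microsoft, US-CERT or any affected application, and it loads no real library. A fixed list of "present" files stands in for the file system, and the Viewer program, the helper.dll name and the \\evil\share location are all made up for the example. It shows the vulnerable bare-name load picking up the planted file, the same load still finding a genuine System32 DLL first (which is why attackers target names that are not installed), and two hardened loads that fail closed instead.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 260   /* Windows MAX_PATH */

/* Constructed scenario: the only files that "exist" in this simulation. */
static const char *const present_files[] = {
    "C:\\Program Files\\Viewer\\viewer.exe",    /* the victim application (assumed name) */
    "C:\\Windows\\System32\\kernel32.dll",      /* a DLL Windows really ships */
    "\\\\evil\\share\\report.doc",              /* lure document on an attacker-controlled share (assumed) */
    "\\\\evil\\share\\kernel32.dll",            /* planted copy of a real DLL */
    "\\\\evil\\share\\helper.dll",              /* planted DLL with a name the app asks for but does not ship */
};

static int file_exists(const char *path)
{
    size_t i;
    for (i = 0; i < sizeof present_files / sizeof present_files[0]; i++)
        if (strcmp(present_files[i], path) == 0)
            return 1;
    return 0;
}

/*
 * Walk the default (SafeDllSearchMode) order: application directory,
 * System32, the Windows directory, then the current working directory.
 * The 16-bit system directory and the PATH entries are left out of the
 * simulation.  With include_cwd == 0 the current directory is skipped,
 * which is what calling SetDllDirectory("") does in a real process.
 * Returns 1 and fills 'resolved' on success, 0 if nothing was found.
 */
static int resolve_dll(const char *dll_name, const char *app_dir, const char *cwd,
                       int include_cwd, char *resolved, size_t len)
{
    const char *dirs[4];
    size_t n = 0, i;

    dirs[n++] = app_dir;
    dirs[n++] = "C:\\Windows\\System32";
    dirs[n++] = "C:\\Windows";
    if (include_cwd)
        dirs[n++] = cwd;

    for (i = 0; i < n; i++) {
        snprintf(resolved, len, "%s\\%s", dirs[i], dll_name);
        if (file_exists(resolved))
            return 1;
    }
    resolved[0] = '\0';
    return 0;
}

/* Vulnerable pattern: the equivalent of LoadLibrary("helper.dll") with the default search order. */
int load_by_name(const char *dll_name, const char *cwd, char *resolved, size_t len)
{
    return resolve_dll(dll_name, "C:\\Program Files\\Viewer", cwd, 1, resolved, len);
}

/* Hardened pattern 1: the process removed the current directory from the search. */
int load_by_name_no_cwd(const char *dll_name, const char *cwd, char *resolved, size_t len)
{
    return resolve_dll(dll_name, "C:\\Program Files\\Viewer", cwd, 0, resolved, len);
}

/* Hardened pattern 2: the program builds a fully qualified path itself, so no search happens. */
int load_by_full_path(const char *dll_name, char *resolved, size_t len)
{
    snprintf(resolved, len, "%s\\%s", "C:\\Program Files\\Viewer", dll_name);
    return file_exists(resolved);
}

int main(void)
{
    const char *cwd = "\\\\evil\\share";  /* current directory after opening report.doc from the share */
    char path[PATH_MAX_LEN];

    if (load_by_name("helper.dll", cwd, path, sizeof path))
        printf("vulnerable load: %s\n", path);      /* the planted file wins */
    if (load_by_name("kernel32.dll", cwd, path, sizeof path))
        printf("vulnerable load: %s\n", path);      /* System32 is searched before the CWD */
    if (!load_by_name_no_cwd("helper.dll", cwd, path, sizeof path))
        printf("no-cwd load: helper.dll not found, nothing loaded\n");
    if (!load_by_full_path("helper.dll", path, sizeof path))
        printf("full-path load: %s not present, nothing loaded\n", path);
    return 0;
}
```

The second hardened variant is the one worth copying into real code: build the path from the program's own directory (GetModuleFileName in a real Windows program) and hand that to the loader, so the search order never comes into play.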

This US-CERT article recommends some solutions:
<http://www.kb.cert.org/vuls/id/707943>

The Microsoft Advisory:
<http://www.microsoft.com/technet/security/advisory/2269637.mspx>

The InfoWorld article:
<http://www.infoworld.com/t/malware/heads-whole-new-class-zero-day-windows-vulnerabilities-looms-071>


------------------------
3. Free iPad Scam
------------------------

Facebook and Twitter users are complaining about their accounts being compromised and then being used to spam friends with suspicious free iPad offers. Twitter warned users of the scam, saying, "If you received a message promising you a new iPad, not only is there no iPad, but also your friends have been hacked."

The scam is also hitting Facebook users, according to the company's spokesman. "It's affecting an extremely small percentage of people on Facebook, but we take these threats seriously," Simon Axten said via email.

Online marketing programs pay cash for Web traffic, and hackers have found that by phishing victims and then using that information to break into legitimate Twitter and Facebook accounts, they can earn money. The spam is particularly effective because the message appears to come from a trusted source.

Read the full article:
<http://www.reuters.com/article/idUS62920422320100826>



===========================================================================

Find current and older issues of Security FYI Newsletter in Hermes at <http://kb.mit.edu/confluence/x/ehBB> or by visiting the Security FYI Blog at <http://securityfyi.wordpress.com/>


Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security
