[IS&T Security-FYI] SFYI Newsletter, March 28, 2011

Monique Yeaton myeaton at MIT.EDU
Mon Mar 28 12:54:19 EDT 2011


In this issue:


1. Mozilla Releases Firefox 4

2. Apple Issues Security Updates

3. Event: Secure Coding Course in Boston



-------------------------------------

1. Mozilla Releases Firefox 4

-------------------------------------


IS&T at MIT strongly recommends that users WAIT to install Firefox 4 while testing is completed for compatibility with IS&T-supported software. The release review will be completed by the end of April 2011.


Staff in departments, labs and centers (DLCs) who maintain web applications will want to test their web sites, extensions, and applications to make sure they are compatible with Firefox 4. IS&T will work with DLCs to find appropriate solutions if you run into problems. Please contact the Firefox Release Team at firefox-release at mit.edu for assistance and to share your findings.


The updated browser includes a number of new security features. Content Security Policy (CSP), which is enabled by default, helps stop cross-site scripting (XSS), data injection and other web-based attacks. CSP allows sites to tell the browser which content is legitimate. Firefox 4 also lets users automatically connect to websites through secure connections with the HTTP Strict Transport Security (HSTS) feature and allows users to opt out of behavioral tracking.


Read the story in the news:

<http://www.scmagazineus.com/firefox-4-includes-new-feature-for-thwarting-web-attacks/article/198992/>



------------------------------------------

2. Apple Issues Security Updates

------------------------------------------


On Tuesday, March 22, Apple released its first big update of 2011 for Mac OS X 10.5 and an update for Mac OS X 10.6 to version 10.6.7. The releases fix many of the same vulnerabilities, including one that was used to break into an iPhone at a hacking contest at a recent conference. Forty-five of the 56 flaws addressed in the update are critical, and nearly a quarter of the flaws could be exploited in "drive-by" attacks -- attacks that execute as soon as a user browses to a malicious website with an unpatched edition of Mac OS X.


Read the story in the news:

<http://www.computerworld.com/s/article/9214903/Update_Apple_patches_Pwn2Own_bug_55_others_in_Mac_OS>



------------------------------------------------------

3. Event: Secure Coding Course in Boston

------------------------------------------------------


SANS is providing a course aimed at software developers and architects, senior software QA specialists, systems and security administrators and penetration testers, as well as anyone with an interest in understanding the developer's perspective on security.


What: Secure Coding in .NET: Developing Defensible Applications

When: May 2 - 5, 2011

Where: Courtyard Boston Downtown, 275 Tremont St, Boston MA 02116

Tuition: $2,535

CPEs: 24


Learn more: <http://www.sans.org/boston-2011-cs-2>



===========================================================================================


To read all current and archived articles online, visit the Security-FYI Blog at <http://securityfyi.wordpress.com/>



Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

