[IS&T Security-FYI] Security FYI Newsletter, January 21, 2015
Monique Buchanan
myeaton at mit.edu
Wed Jan 21 10:04:59 EST 2015
In this issue:
1. EVENT: Security SIG Lunch on February 18, 2015
2. Various Security Updates in January
3. Google and Microsoft Miscommunication?
----------------------------------------------------------------------
1. EVENT: Security SIG Lunch on February 18, 2015
----------------------------------------------------------------------
The next Security SIG has been scheduled. To go a bit further on the topic of hardening, we asked Anthony Grutta to give a presentation on securing web applications.
Topic: Web Application Security Best Practices
Speaker: Anthony Grutta, Senior Application Administrator in IS&T
Where: 37-252 (Marlar Lounge)
When: Wednesday, February 18, 2015, 12:00 - 1:30 pm
Lunch will be provided upon arrival and the presentation will begin around 12:15. There will be time for questions after the presentation. Please RSVP<mailto:Security_sig_events at mit.edu> if you plan on having lunch with us.
----------------------------------------------------
2. Various Security Updates in January
----------------------------------------------------
Microsoft
On Tuesday, January 13, Microsoft issued eight bulletins<http://www.computerworld.com/article/2868480/microsofts-patch-tuesday-focuses-on-windows.html>, including one marked critical, to address security issues in various versions of Windows. Included in the patches are fixes for two flaws in Windows 8.1 that Google recently disclosed as part of its Project Zero security program. Both flaws are also exploitable in other versions of Windows, although Google tested them in Windows 8.1 only. None of the bulletins address flaws in Internet Explorer, a rare occurrence for Microsoft.
Adobe
Adobe has issued fixes for nine flaws in Flash Player<http://www.computerworld.com/article/2868669/adobe-patches-remote-code-execution-and-keylogging-flaws-in-flash-player.html>. The flaws could be exploited to record keystrokes or take control of vulnerable systems. Flash Player 16.0.0.257 is available for Windows and Mac OS X, and FlashPlayer 11.2.202.429 is available for Linux. Flash will be automatically updated in Google's Chrome browser and in Internet Explorer running on Windows 8 and 8.1. Check your version at the Adobe site<http://www.adobe.com/software/flash/about/>.
Mozilla
Mozilla has released Firefox 35<http://www.scmagazine.com/gecko-media-plugin-sandbox-escape-among-vulnerabilities-fixed/article/392802/>. The latest version of the browser includes fixes for a number of security issues<https://www.mozilla.org/en-US/firefox/35.0/releasenotes/>, several of which have been rated critical. Mozilla has also issued updates for Firefox ESR, SeaMonkey, and Thunderbird.
-----------------------------------------------------------
3. Google and Microsoft Miscommunication?
-----------------------------------------------------------
Google’s Project Zero posted details of a vulnerability in Windows 8.1<https://code.google.com/p/google-security-research/issues/detail?id=118> after waiting 90 days for Microsoft to respond, to no avail. Once a vulnerability is public knowledge, it can be abused by attackers. Microsoft criticized Google<http://www.computerworld.com/article/2867564/microsoft-blasts-google-for-baring-windows-bugs-before-theyre-patched.html> for publicizing the flaw too early, saying the company had put Windows customers at risk.
According to Microsoft, it had specifically asked Google to withhold details of the flaw until January 13, Patch Tuesday, when the fix would be released. Microsoft patched two Windows vulnerabilities that were exposed by Google in MS15-001 and MS15-003.
Adhering to its 90-day policy, Google disclosed two additional vulnerabilities<http://www.computerworld.com/article/2870967/google-goes-public-with-more-windows-bugs.html> after last Tuesday’s patches were released. One of them does not appear to be a security issue. The next Patch Tuesday is scheduled for February 10, when presumably the more serious of the two vulnerabilities will be patched.
=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715