[10229] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, June 10, 2014
daemon@ATHENA.MIT.EDU (Monique Buchanan)
Tue Jun 10 11:42:44 2014
Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Tue, 10 Jun 2014 15:41:37 +0000
Message-ID: <1704331C-2064-474A-B556-893199D617A4@mit.edu>
In this issue:
1. Microsoft Security Updates for June 2014
2. Another Critical Flaw in OpenSSL Fixed
3. Securely Disposing of Mobile Devices
-----------------------------------------------------------
1. Microsoft Security Updates for June 2014
-----------------------------------------------------------
This week on Tuesday, June 10, Microsoft is releasing seven new security bulletins<https://technet.microsoft.com/library/security/ms14-jun>. Two of the bulletins are rated critical.
Microsoft systems that will be affected:
* Microsoft Windows (all current operating systems and servers)
* Internet Explorer (all supported versions)
* Microsoft Office (2007, 2010)
* Microsoft Lync Server
The critical patch for Internet Explorer addresses a zero-day flaw reported in May that targets IE 8<http://threatpost.com/microsoft-working-on-patch-for-ie-8-zero-day/106247>, but will be released as a cumulative patch, addressing flaws in all supported versions of IE.
The second critical patch is for Microsoft Office and Microsoft Lync, the company’s messaging and video conferencing application. The vulnerability is rated critical for Lync 2013 and 2010, as well as Live Meeting 2007 Console; it is rated important for Microsoft Office 2010 and Office 2007.
MIT WAUS<http://ist.mit.edu/waus> subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment.
This month’s bulletins do not include updates for Windows XP or Office 2003, as both are now retired and unsupported.
--------------------------------------------------------
2. Another Critical Flaw in OpenSSL Fixed
--------------------------------------------------------
The OpenSSL Project has released an update<https://isc.sans.edu/forums/diary/Critical+OpenSSL+Patch+Available+Patch+Now+/18211> to address new vulnerabilities. The most serious of the bunch could be exploited in a man-in-the-middle (MitM) attack or to run arbitrary code. The disclosure of the Heartbleed vulnerability in the OpenSSL cryptographic library a few weeks ago drew attention to the lack of support for the widely used open source software.
Experts do not believe this new flaw is as threatening as the Heartbleed bug. The vulnerability, CVE-2014-0224, is considered dangerous because it enables an attacker to decrypt and modify traffic between SSL/TLS clients and servers in a MitM attack. To exploit the bug, both the server and the client must be running vulnerable versions of OpenSSL.
Read the full story online<http://www.scmagazine.com/seven-vulnerabilities-addressed-in-openssl-update-one-enables-mitm-attack/article/351323/>.
------------------------------------------------------
3. Securely Disposing of Mobile Devices
------------------------------------------------------
The June issue of OUCH!, led by Guest Editor Chris Crowley, discusses how to securely dispose of your mobile device. Most people do not realize just how much sensitive and personal information they have on their mobile device. If you are not careful about how you dispose of your older mobile devices, almost anyone can access that information.
Download the June issue of OUCH! (pdf)<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201406_en.pdf> and please feel free to share with colleagues.
Additional information about secure disposal and data sanitizing old equipment<http://kb.mit.edu/confluence/display/istcontrib/Removing+Sensitive+Data> can be found in the Knowledge Base.
=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715