[10232] in Security FYI


[IS&T Security-FYI] SFYI Newsletter, July 14, 2014

daemon@ATHENA.MIT.EDU (Monique Buchanan)
Mon Jul 14 15:36:58 2014

Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 14 Jul 2014 19:35:29 +0000
Message-ID: <CE111258-C4F3-4E1F-864B-860A83DF284D@mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Cc: "<itss@mit.edu>" <itss@MIT.EDU>
Content-Type: multipart/mixed; boundary="===============1521139066=="
Errors-To: ist-security-fyi-bounces@MIT.EDU

--===============1521139066==
Content-Language: en-US
Content-Type: multipart/alternative;
	boundary="_000_CE111258C4F34E1F864B860A83DF284Dmitedu_"

--_000_CE111258C4F34E1F864B860A83DF284Dmitedu_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

In this issue:

1. Flash Player Updates & Microsoft Security Updates
2. Microsoft Revokes Unauthorized Certs
3. The Do’s and Don’ts of Email


------------------------------------------------------------------------
1. Flash Player Updates & Microsoft Security Updates
------------------------------------------------------------------------

ADOBE
Due to recent security vulnerabilities<http://helpx.adobe.com/security/products/flash-player/apsb14-17.html#table> in Flash Player, Adobe has released version 14.0.0.145<http://helpx.adobe.com/flash-player/release-note/fp_14_air_14_release_notes.html> (11.2.202.394 for Linux) this week for all platforms. The now out-of-date versions are vulnerable on all operating systems, and users are advised to update to the latest version. Additionally, because of the severity of these vulnerabilities, Apple has blocked all out-of-date Flash Player plug-ins for OS X.

From Apple: “Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 14.0.0.145 and 13.0.0.231.”

Install or check your version of Flash Player in your browser here.<http://helpx.adobe.com/flash-player.html>

For assistance, contact the Help Desk at 617.253.1101 or helpdesk@mit.edu<mailto:helpdesk@mit.edu>. You can also submit a request online<http://ist.mit.edu/help#form>.

MICROSOFT
Last week on Patch Tuesday, July 8th, Microsoft released six updates<https://technet.microsoft.com/en-us/library/security/ms14-jul.aspx> to address 29 security vulnerabilities.

Systems affected:


  *   Internet Explorer (all supported versions)
  *   Microsoft Windows (all supported versions)

There was also updated firmware for all Microsoft Surface tablets, labeled “System Firmware Update - 7/8/2014,” available via Windows Update, improving various hardware issues.

Read the story in the news<http://www.theregister.co.uk/2014/07/08/microsoft_swats_29_bugs_adobe_updates_flash_for_patch_tuesday/>.


-------------------------------------------------------
2. Microsoft Revokes Unauthorized Certs
-------------------------------------------------------

Microsoft has issued an emergency update to revoke 45 of the unauthorized certificates from National Informatics Centre (NIC) of India. The updates revoke trust in three intermediary certificates from NIC so that all domain certificates, including some legitimate ones, will be invalid.

"These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties," a Microsoft advisory<https://technet.microsoft.com/en-us/library/security/2982792> warned. "The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks."

The update will be automatically delivered to PCs running Windows 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 RS, Phone 8, and Phone 8.1.

Users running Windows 7, Vista, Server 2008, and Server 2008 RS may or may not have the automatic updater installed. See the Microsoft KB article 2677070<https://support.microsoft.com/kb/2677070> for details. Administrators can find details in the KB article 2813430<https://support.microsoft.com/kb/2813430>.

There is presently no way to revoke the certificates for Windows 2003.

Read the story in the news<http://arstechnica.com/security/2014/07/emergency-windows-update-revokes-dozens-of-bogus-google-yahoo-ssl-certificates/>.


------------------------------------------
3. The Do’s and Don’ts of Email
------------------------------------------

The July issue of OUCH!, led by Guest Editor Dr. Eric Cole, discusses how we can be our own worst enemy when using email, including accidentally emailing the wrong people, not understanding the difference between “cc” and “bcc” and the dreaded “reply all.”

Download the July issue of OUCH! (pdf)<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201407_en.pdf> and feel free to share with colleagues.

Also, what should you do about all that spam?? Here’s a video<http://ist.mit.edu/news/videos/spam_quarantine> created by IS&T with some tips on how to keep unwanted emails at bay.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715




--_000_CE111258C4F34E1F864B860A83DF284Dmitedu_--

--===============1521139066==--
