
[IS&T Security-FYI] Newsletter, March 28, 2008

daemon@ATHENA.MIT.EDU (Monique Yeaton)
Fri Mar 28 09:31:10 2008

Mime-Version: 1.0 (Apple Message framework v753)
Message-Id: <372656CC-7813-4F96-ACE8-438D3986B50E@mit.edu>
From: Monique Yeaton <myeaton@MIT.EDU>
Date: Fri, 28 Mar 2008 09:24:27 -0400
To: ist-security-fyi@MIT.EDU
Cc: itss@MIT.EDU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ist-security-fyi-bounces@MIT.EDU


In this issue:

1. Mozilla Security Updates
2. Security in Browsers

----------------------------------
1. Mozilla Security Updates
----------------------------------

Products affected:

  * Mozilla Firefox
  * Mozilla Thunderbird
  * Mozilla SeaMonkey

The Mozilla and SeaMonkey projects have released Mozilla Firefox
2.0.0.13, Thunderbird 2.0.0.13, and SeaMonkey 1.1.9 this week to
address several vulnerabilities. An attacker could exploit these
vulnerabilities by convincing a user to view a specially crafted HTML
document, such as a web page or an HTML email message. The Firefox
update fixes six vulnerabilities, two of which Mozilla rated as
critical.

To download the latest Mozilla product, visit:
<http://www.mozilla.org/download.html>


-----------------------------
2. Security in Browsers
-----------------------------

Why is security in browsers so important? Because many attacks are
now designed to exploit flaws in the browsers we use. Spoofing,
cross-site scripting, and malicious code installation are some of the
results of these exploits. So when a browser vendor releases an
update, it is done to try to close these kinds of holes through which
attacks can be made.

The result of all these security features, however, is that although
users want web browsers that keep them safe on the Web from phishing,
malware, and web irritants such as popups, they'll stubbornly click
through warning dialogs, ignore security indicators, and generally
behave in reckless ways in order to complete their tasks. Who could
blame them? Historically, the techniques used in web browsers to
communicate with users about security have been a rogues' gallery for
the User Interface Hall of Shame. Security indicators are out of the
way and hard to interpret, terminology is relentlessly confusing, and
the responsibility for deciding what is safe and what isn't is
tossed into the user's lap like a hot potato.

In the recent release of Firefox 2.0.0.13 and last year's release of
IE7, users will notice an abundance of warning dialogs. Firefox
2.0.0.13 changed the default behavior for personal certificates to
prompt the user each time a web site requests a certificate. The old
behavior, of not prompting the user, made it easier for malicious web
sites to track users' activities by requesting the client certificate,
even though the requesting site was from a different domain. To get
past this warning, you will need to select "OK" in response to this
message when visiting MIT pages that require a personal certificate.
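As an added illustration (not part of this newsletter or of Mozilla's
code), the prompt-versus-silent behavior described above is controlled
by a Firefox preference, security.default_personal_cert, whose two
values are "Select Automatically" (the old silent behavior) and "Ask
Every Time" (the new default). The preference name and values come
from Firefox itself and are not mentioned in the newsletter. The
script below, written for this page, parses a Firefox prefs.js or
user.js file and flags a profile that has been switched back to the
silent setting; the sample prefs.js it checks is constructed, not
taken from a real profile.

```python
import re

# Firefox preference that decides how the browser answers a server's
# request for a client (personal) certificate. Its documented values are
# "Select Automatically" (silently send a certificate to any site that
# asks; the default before Firefox 2.0.0.13) and "Ask Every Time"
# (prompt the user; the default from 2.0.0.13 onward).
PERSONAL_CERT_PREF = "security.default_personal_cert"
SAFE_VALUE = "Ask Every Time"
WEAK_VALUE = "Select Automatically"

# One line of prefs.js / user.js looks like:  user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs file.

    Quoted strings are unquoted, true/false become booleans, integers
    become int, and anything else is kept as written. Comment lines and
    the "Mozilla User Preferences" header do not match and are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = raw
        prefs[name] = value
    return prefs


def audit_personal_cert(prefs):
    """Classify the client-certificate prompting setting of a profile.

    Returns (status, detail): status is "ok" (prompts), "weak" (sends
    silently or has an unrecognised value) or "default" (preference not
    set, so the browser build's own default applies).
    """
    value = prefs.get(PERSONAL_CERT_PREF)
    if value is None:
        return ("default", "preference not set; the browser default applies "
                "(Ask Every Time from Firefox 2.0.0.13 onward)")
    if value == SAFE_VALUE:
        return ("ok", '%s = "%s"' % (PERSONAL_CERT_PREF, value))
    if value == WEAK_VALUE:
        return ("weak", '%s = "%s": a client certificate is sent to any '
                "site that requests one, without asking" % (PERSONAL_CERT_PREF, value))
    return ("weak", "unrecognised value %r" % (value,))


def hardened_line():
    """The user.js line that pins the prompting behavior in any version."""
    return 'user_pref("%s", "%s");' % (PERSONAL_CERT_PREF, SAFE_VALUE)


# Constructed sample prefs.js: someone has switched the setting back to
# the old silent behavior. Not from a real profile.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
/* Do not edit this file. */
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1206650000);
user_pref("browser.startup.homepage", "http://web.mit.edu/");
user_pref("security.default_personal_cert", "Select Automatically");
user_pref("security.warn_entering_secure", false);
"""

if __name__ == "__main__":
    status, detail = audit_personal_cert(parse_prefs(SAMPLE_PREFS_JS))
    print(status, "-", detail)
    if status != "ok":
        print("to fix, add to user.js:", hardened_line())
```

Run it against a real profile by reading prefs.js from the profile
directory instead of SAMPLE_PREFS_JS; a "default" result on a build
older than 2.0.0.13 still means silent sending, so pinning the value
in user.js is the safer choice on mixed-version fleets.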

Is this going to be tedious after a while? It may be. Those users who  
have used Vista or IE7 will already be familiar with this type of  
security behavior. It is important to stay aware of what you are  
doing when on the Web. It's easy to be distracted and click "OK" even  
when it might be better not to.

Tips on securing your web browser can be found on the US-CERT site here:
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#how_to_secure>

[portion of article source: Johnathan Nightingale, Mozilla Corporation]


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security



_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
To Unsubscribe http://mailman.mit.edu/mailman/listinfo/ist-security-fyi
