[2073] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, November 9, 2009
daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon Nov 9 13:43:34 2009
Message-Id: <CBF1574B-3EB5-4317-9E45-11086FE72643@mit.edu>
From: Monique Yeaton <myeaton@mit.edu>
To: ist-security-fyi@mit.edu
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 9 Nov 2009 13:41:24 -0500
Cc: itss@mit.edu
In this issue:
1. November 2009 Security Patches
2. Scareware/Rogueware Revisited
3. Nigerian Scams to Decrease?
4. Major SSL Flaw
----------------------------------------------
1. November 2009 Security Patches
----------------------------------------------
---- Microsoft ----
Systems affected:
Microsoft Windows (not including Windows 7)
Windows Server (not including Windows Server 2008 R2)
Microsoft Office (all versions)
According to its Security Bulletin Advance Notification for November
2009, Microsoft plans to release six security bulletins on Tuesday,
November 10 to address 15 separate vulnerabilities. Three of the
bulletins are rated critical, three are rated important. The Microsoft
Office patch will address vulnerabilities in Word and Excel. No
updates have been released for Windows 7.
For details:
<http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx>
---- Apple ----
Apple released no security patches. The last security update was
2009-005, released on September 10.
---- Firefox ----
On November 5, Firefox 3.5.5 was released to address one critical
security bug. This update comes only a few weeks after the previous
update. On October 27, Mozilla had updated Firefox to version 3.5.4 to
address 16 security flaws, 11 of which were critical. Mozilla also
released Firefox 3.0.15, which contains nine fixes, four designated
critical. Mozilla plans to discontinue support for Firefox 3.0 in
January 2010.
Firefox 3.5.4: <http://www.computerworld.com/s/article/9140008/Mozilla_fixes_16_flaws_with_Firefox_3.5.4>
Firefox 3.5.5: <http://lifehacker.com/5398096/firefox-355-update-fixes-critical-security-bug>
---------------------------------------------
2. Scareware/Rogueware Revisited
---------------------------------------------
Scareware has been a prominent part of the Internet since 2004, when a
cybergang based in Russia launched the iframecash.biz website and
began offering commissions to anyone who helped them spread the
SpySheriff fake antivirus program. Hackers began to taint legitimate
websites so that pop-up ads for SpySheriff would launch on the PC of
anyone who visited a corrupted Web page.
By late last year, more than 9,200 different types of scareware
programs were circulating on the Internet, up from 2,800 at midyear,
according to The Anti-Phishing Working Group. A study by Symantec also
found that between July 2008 and June 2009, it received reports of 43
million attempts to install scareware on users' PCs.
Typically the scareware attack, coupled with a rogueware attack, looks
like this: A pop-up ad or link on the Internet shows a warning to
purchase the fake antivirus program. You can't cancel out of the
request. You are inundated with exhortations to purchase phony
antivirus software such as "Total Security 2009." You're also locked
out of nearly all applications until you purchase the disreputable
product. Once your PC is infected with the malware, the only program
you can open is Internet Explorer, so you can navigate to the site and
make a purchase. Your PC is basically held ransom until you purchase
the software. But even then, the software purchased often does nothing
to resolve the problem, trapping you in a malware quagmire.
And now scareware purveyors are embedding triggers in places you
wouldn't expect: on advertisements displayed at mainstream media
websites; amid search results from Google, Yahoo Search and Windows
Live search; alongside comments posted on YouTube videos; and, most
recently, in "tweets" circulating on Twitter.
Stories can be found here:
<http://www.usatoday.com/tech/news/2009-06-09-cybergangs-scareware-hackers_N.htm>
<http://blogs.usatoday.com/technologylive/2009/10/new-twist-on-scareware-locks-up-your-pc.html>
<http://www.pcworld.com/article/173765/a_rogue_demands_a_ransom.html>
<http://lastwatchdog.com/scareware-purveyors-advance-blackmail-creating-botnets/>
-----------------------------------------
3. Nigerian Scams to Decrease?
-----------------------------------------
Operation Eagle Claw, a program developed by Nigeria's Economic and
Financial Crimes Commission, is promising to push the country out of
the top ten for fraudulent email. So far the program has seen members
of 18 syndicates arrested and 800 scam websites shut down. Nigerian
police are working with Microsoft to fine-tune the technology used to
check the emails.
Read the full story here:
<http://www.theregister.co.uk/2009/10/23/nigeria_police_success/>
------------------------
4. Major SSL Flaw
------------------------
Vendors and the Internet Engineering Task Force (IETF) have been
working on a fix since last month for a newly discovered vulnerability
in the SSL protocol that spans browsers, servers, smart cards, and
other products. "The bug results in a set of related attacks that
allow a man-in-the-middle to do bad things to your SSL/TLS
connection," according to Marsh Ray, who first discovered the bug in
August. The IETF will issue a new extension for the SSL/TLS protocol
that fixes the bug.
Read the full story here:
<http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600523>
========================================================================
Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security
---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you
for your password.