[2267] in Security FYI


[IS&T Security-FYI] SFYI Newsletter, May 10, 2010

daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon May 10 13:25:28 2010

Message-Id: <0B4050B3-C36D-44E3-93EB-5C6777A383C2@mit.edu>
From: Monique Yeaton <myeaton@mit.edu>
To: ist-security-fyi@mit.edu
Date: Mon, 10 May 2010 13:24:30 -0400
Cc: itss@mit.edu

In this issue:

1. Microsoft Security Updates
2. Vulnerability in Microsoft SharePoint
3. Facebook Fixes Latest Privacy Setting Bug


-------------------------------------
1. Microsoft Security Updates
-------------------------------------

On Tuesday, May 11, Microsoft intends to release two new security bulletins for the month, both of which are marked as critical.

Systems affected:

Windows 2000, XP, Vista and 7
Windows Server 2003, 2008, 2008 R2
Office XP, Office 2003, 2007
Visual Basic for Applications

Read the full bulletin:
<http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx>


-------------------------------------------------
2. Vulnerability in Microsoft SharePoint
-------------------------------------------------

Microsoft is investigating new reports of a zero-day vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. This vulnerability could allow an attacker to run arbitrary script that could result in elevation of privilege within the SharePoint site, as opposed to elevation of privilege within the workstation or server environment. Criminals could use the flaw to steal companies' confidential information.

Microsoft has not released a fix for this vulnerability and suggests a workaround in the advisory. Microsoft also recommends that administrators run Internet Explorer 8, which includes a cross-site scripting filter that can reduce the risk of exploitation.

Read the full security advisory:
<http://www.microsoft.com/technet/security/advisory/983438.mspx>

The story in the news:
<http://www.computerworld.com/s/article/9176174/Microsoft_issues_work_around_advice_for_SharePoint_zero_day>


---------------------------------------------------------
3. Facebook Fixes Latest Privacy Setting Bug
---------------------------------------------------------

Here's an ironic twist: a Facebook security setting that lets you see how your friends view your profile information (the 'preview my profile' feature) for a limited time also allowed people to see their friends' chats and pending friend requests. Facebook temporarily removed the chat feature while it quickly fixed the flaw.

The story in the news:
<http://eu.techcrunch.com/2010/05/05/video-major-facebook-security-hole-lets-you-view-your-friends-live-chats/>
<http://news.cnet.com/8301-13577_3-20004213-36.html>

Facebook has been criticized heavily lately for exposing more and more of the private details of its 400 million or so users. For example, the company came under fire for making profile data public by default and for sharing even more data with third-party partners.

Some of my readers have asked about security advice for using social media sites. The answer I give is based on common-sense behavior rather than technical safeguards. Users of Facebook and other social media sites should assume that whatever they post online will not be 100% private, and if they don't want certain information out there for anyone to see, they should not post it.

Software and website flaws, exploits, and people who will find ways to use them to steal published information (or 'friends' who turn out not to be true friends) will always exist. Users should play it safe and keep truly private information off the Internet.

Responses in the news to Facebook's privacy policies:
<http://news.cnet.com/8301-13577_3-20003928-36.html>
<http://www.eff.org/deeplinks/2010/04/facebook-timeline>

========================================================================

Find current and older issues of Security FYI Newsletter: <http://kb.mit.edu/confluence/x/ehBB>


Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security






