[IS&T Security-FYI] SFYI Newsletter, February 14, 2011
daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon Feb 14 12:44:11 2011
From: Monique Yeaton <myeaton@mit.edu>
To: "ist-security-fyi@mit.edu" <ist-security-fyi@mit.edu>
Date: Mon, 14 Feb 2011 12:43:12 -0500
Message-ID: <C97ED396.10DE2%myeaton@exchange.mit.edu>
Cc: "itss@mit.edu" <itss@mit.edu>
In this issue:
1. Adobe Fixes 42 Flaws in Reader and Flash
2. Security Update for Chrome 9
3. Facebook Goes to HTTPS
4. The Gawker Hack and Lessons Learned
----------------------------------------------------------
1. Adobe Fixes 42 Flaws in Reader and Flash
----------------------------------------------------------
Adobe's quarterly security update includes fixes for 29 flaws in Reader and 13 in Flash. The release is the first update for Reader X, the new version of the PDF reader whose Windows edition runs the PDF parsing and rendering code inside a sandbox, a restricted process that limits what an exploited Reader can do to the rest of the system.
In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers and untrusted users (Source: Wikipedia). A sandbox does not fix the underlying bugs; it limits the damage when one of them is exploited, which is why this update still matters for Reader X users.
Most of the flaws in Reader are rated critical, meaning a malicious PDF could run code on the victim's machine, and two could allow cross-site scripting (XSS) attacks. The updates bring Reader to versions 8.2.6, 9.4.2 and 10.0.1 for Windows and Mac OS X. An update for Linux is expected to be available on February 28. Flash is now at version 10.2.152.26 for Windows, Mac OS X, Linux and Solaris.
Users can download the recent versions from <http://www.adobe.com/downloads> or through the software update tools in Reader or Flash.
Read the Adobe security bulletin: <http://www.adobe.com/support/security/bulletins/apsb11-03.html>
Learn about Adobe's Security Sandboxing feature:
<http://blogs.adobe.com/accessibility/2010/11/reader-x-accessibility-and-security-sandboxing.html>
-----------------------------------------
2. Security Update for Chrome 9
-----------------------------------------
Google has issued a security update for version 9 of its Chrome browser just days after Chrome 9 was released in its stable version. The fix addresses five vulnerabilities, three of which are rated high severity. Chrome 9.0.597.94 also bundles an updated version of Adobe Flash, so updating Chrome also updates the Flash plug-in it ships with.
Download the most recent version for Windows, Mac OS X and Linux at <http://www.google.com/chrome>. Users who already have Chrome installed can use the built-in update function.
Read the story in the news:
<http://www.h-online.com/security/news/item/Google-releases-Chrome-9-security-update-1186749.html>
-------------------------------------
3. Facebook Goes to HTTPS
-------------------------------------
Facebook is getting a little more serious about security after the CEO's fan page was hacked. Facebook wrote on its blog that it is rolling out the option for users to access Facebook over an encrypted HTTPS (SSL/TLS) connection for the whole session, not just for the login page, which keeps session cookies and page content from being read by anyone else on the same open wireless network. According to the blog post, users need to go to their account settings and choose "secure browsing" from the account security section of the page.
This change is being rolled out over the next few weeks, so not everyone will see the new option right away. The blog post does warn that browsing may be slower (encrypted pages take longer to load) and that not all third-party applications are compatible with HTTPS at this time.
Read the full story in the news:
<http://news.cnet.com/8301-13880_3-20030725-68.html>
-------------------------------------------------------
4. The Gawker Hack and Lessons Learned
-------------------------------------------------------
The December 2010 Gawker Media hack was successful due in part to poor password construction. The passwords were reportedly stored as hashes rather than in clear text. Hashing is not encryption: a hash cannot be reversed to recover the password, and its purpose is to protect passwords stored in a database, not to protect them while they travel over the network (that is the job of HTTPS). Hashing also does not stop an attacker who has stolen the database from guessing offline: a cracking tool simply hashes millions of candidate passwords and compares the results with the stolen hashes, with no login page to rate-limit or lock out the attempts. If your password is only 8-9 characters in length, or contains a dictionary word, it can be recovered in a matter of seconds using an offline password cracking tool. In the Gawker case the hashes were reportedly produced with the old DES-based crypt() function, which only uses the first eight characters of a password, so anything beyond that length gave no extra protection.
Is your password strong enough to not get cracked? Find out how to create a strong password by applying the tips in this Hermes article: <http://kb.mit.edu/confluence/x/3wNt>
Read the Gawker Media hack story in the news:
<http://www.pcworld.com/article/213438/gawker_media_hack_everything_you_need_to_know.html>
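The offline attack described above, as an added example that is not part of the newsletter and not Gawker's or any vendor's code: a small Python script builds a constructed "leak" of four users, recovers the weak passwords from fast, unsalted SHA-1 hashes using a tiny wordlist plus the simplest mangling rules (capitalisation, one appended digit), and then repeats the attack against per-user salted PBKDF2 hashes to show why salting and iteration raise the attacker's cost. The usernames, passwords, wordlist and iteration count are all made up for the demo; the one thing that survives both attacks is the long passphrase that is not on the wordlist.

```python
"""Offline cracking of leaked password hashes: why hashing alone is not enough.

Added example, not from the newsletter. Every record below is constructed for
the demo: the users, passwords, wordlist and PBKDF2 iteration count are made up.
"""
import hashlib
import hmac
import os

# Constructed wordlist. A real cracker uses millions of entries plus rules
# derived from earlier leaks; eight words are enough to show the mechanics.
WORDLIST = ["password", "gawker", "letmein", "monkey",
            "welcome", "dragon", "boston", "qwerty"]

# Deliberately low so the demo finishes in well under a second; real
# deployments use work factors hundreds of times higher.
ITERATIONS = 1000


def candidates(wordlist):
    """Yield each word as-is, capitalised, and with a single digit appended:
    the cheapest 'mangling rules', and the first ones any cracker tries."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for digit in "0123456789":
                yield base + digit


def unsalted_hash(password):
    """Fast, unsalted digest: the same password always yields the same hash,
    so one table of candidate hashes cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=ITERATIONS):
    """Salted, iterated digest: unique per user and ITERATIONS times slower."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_leak():
    """Construct the demo dump: three weak passwords and one long passphrase,
    stored both ways so the two crackers can be compared on the same data."""
    plaintext = {"alice": "Password1", "bob": "gawker7", "carol": "monkey",
                 "dave": "correct-horse-battery-staple"}
    unsalted = {user: unsalted_hash(pw) for user, pw in plaintext.items()}
    salted = {}
    for user, pw in plaintext.items():
        salt = os.urandom(16)          # per-user random salt, stored alongside the hash
        salted[user] = (salt, salted_hash(pw, salt))
    return unsalted, salted


def crack_unsalted(leaked, wordlist):
    """leaked: {user: hex_sha1}. Hash every candidate once into a lookup table,
    then match all users against it. Returns ({user: password}, hashes computed)."""
    table = {}
    for cand in candidates(wordlist):
        table[unsalted_hash(cand)] = cand
    found = {user: table[digest] for user, digest in leaked.items() if digest in table}
    return found, len(table)


def crack_salted(leaked, wordlist):
    """leaked: {user: (salt, pbkdf2_digest)}. The salt defeats the shared table,
    so every candidate is re-hashed for every user, and each of those hashes
    costs ITERATIONS rounds instead of one. Returns ({user: password}, hashes computed)."""
    found = {}
    hashes_computed = 0
    for user, (salt, digest) in leaked.items():
        for cand in candidates(wordlist):
            hashes_computed += 1
            if hmac.compare_digest(salted_hash(cand, salt), digest):
                found[user] = cand
                break
    return found, hashes_computed


if __name__ == "__main__":
    unsalted, salted = build_leak()
    for label, cracker, dump in (("unsalted SHA-1", crack_unsalted, unsalted),
                                 ("salted PBKDF2", crack_salted, salted)):
        found, work = cracker(dump, WORDLIST)
        print(f"{label}: cracked {sorted(found)} with {work} hash computations")
```

The second number returned by each cracker is the count of hash computations. Against the unsalted dump the attacker pays for the 176 candidates once, no matter how many users are in the leak; against the salted dump the shared table is gone and the work is paid again for every user, with each computation ITERATIONS times more expensive. That multiplier is what a real deployment tunes with bcrypt, scrypt or PBKDF2 at a high work factor. None of it rescues a password that is on the wordlist: alice, bob and carol fall either way, and only dave's passphrase survives.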
==========================================================
To read all current and archived articles online, visit the Security-FYI Blog at <http://securityfyi.wordpress.com/>
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security
The IT Security Team moved on 2/11/11: Come see us in our new location at W92-236.
_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
To Unsubscribe http://mailman.mit.edu/mailman/listinfo/ist-security-fyi