[2842] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, October 1, 2012
daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon Oct 1 15:07:31 2012
From: Monique Yeaton <myeaton@mit.edu>
To: "ist-security-fyi@mit.edu" <ist-security-fyi@mit.edu>
Date: Mon, 1 Oct 2012 19:06:14 +0000
Message-ID: <CC8F50CB.2EB93%myeaton@exchange.mit.edu>
In this issue:
1. Internet Explorer Patched by Microsoft
2. National Cybersecurity Awareness Month Events
3. Unpatched Vulnerabilities in Java Plug-In and Adobe Certificate
-------------------------------------------------------
1. Internet Explorer Patched by Microsoft
-------------------------------------------------------
If you use Internet Explorer and haven't yet applied the patch that was released by Microsoft just over a week ago, you will want to do so now. Critical patch MS12-063<http://technet.microsoft.com/en-us/security/Bulletin/MS12-063> applies to Internet Explorer versions 6 through 9. It does not affect Internet Explorer 10.

The vulnerability was discovered mid-September, and could allow the installation of a backdoor Trojan when visiting compromised websites.

Microsoft released the patch on September 21. It is recommended to run Windows Update as soon as possible to apply patch MS12-063.
--------------------------------------------------------------------
2. National Cybersecurity Awareness Month Events
--------------------------------------------------------------------
This month (National Cybersecurity Awareness Month, or NCSAM) you can increase cybersecurity awareness by attending events or participating in some of the activities being sponsored by Educause:

* October 4 National Cybersecurity Kickoff Webinar. Registration is free<http://www.educause.edu/events/educause-live-security-awareness-and-communication-c-suite> and you can do so online to attend on your own from your work station. Or just join us in E17 in the Learning Center, on October 4 at 1 p.m. with the option to stay afterwards for a brief discussion on the topic. The webinar is presented by Dave Cullinane, CISO at eBay (retired) and co-founder of the Cloud Security Alliance, and will discuss challenges such as cloud security, privacy, compliance, BYOD, enterprise risk management and other issues currently faced by campuses.
* Student Video & Poster Contest - Educause in partnership with Internet2 Higher Education Information Security Council (HEISC) is conducting a contest in search of short information security awareness videos and posters developed by college students for college students. The deadline for submission is March 8, 2012. Winners receive cash prizes and their video or poster will be featured on the HEISC website. Details of this contest can be found on the Educause website<http://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-initiative/community-engagement/information-security-awareness->.
In the meantime, know that cybercrime is not a laughing matter, but here's a pretty humorous video about cyber criminals<http://www.youtube.com/watch?feature=player_embedded&v=9nEwX7BUYdY>.

Have any ideas for how to increase awareness in your area? Let me know by writing to me directly (myeaton@mit.edu). Otherwise, check out the NCSAM resource kit<https://wiki.internet2.edu/confluence/display/itsg2/NCSAM+Resource+Kit> for ideas on how to plan for the month.
----------------------------------------------------------------------------------------
3. Unpatched Vulnerabilities in Java Plug-In and Adobe Certificate
----------------------------------------------------------------------------------------
An unpatched vulnerability has been spotted<http://www.informationweek.com/security/application-security/java-vulnerability-affects-1-billion-plu/240007985> in all versions of Java. A security researcher from Security Explorations announced the bug discovery last Tuesday. He claims the impact of the issue is critical and that he was able to successfully exploit it. An attacker could use the exploit to run arbitrary code and remotely compromise a vulnerable system. If you have a Java plug-in for your browser, you are vulnerable. See these steps on how to unplug Java from a browser<http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/>. Note that you may not be able to view websites properly with JavaScript disabled.

In other news, Adobe says it will revoke a code signing certificate<http://news.cnet.com/8301-1009_3-57521794-83/adobe-to-revoke-code-signing-certificate/> after discovering malware that was digitally signed by the certificate. Adobe is currently investigating what appears to be inappropriate use of an Adobe code signing certificate for Windows. A Microsoft spokeswoman stated: "Microsoft will take the appropriate action to help protect its customers," and said people should contact Adobe for more information. According to Adobe, the vast majority of Adobe software for Windows will not be affected. The revocation of the certificate affects the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh. More information on the impact, and what to do, can be found on the Adobe support page<http://helpx.adobe.com/x-productkb/global/certificate-updates.html>.
===================================================================================
Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
===================================================================================
Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security