Welcome to the Network Security website at the IAS

This website is intended to bring you the latest news, how to's, tools and resources in Information Security.  Security Awareness of our Faculty, Members and Staff is key in creating a safer computing environment.

The three major Principles of Information Security, Availability, Integrity and Confidentiality, will be covered throughout the security awareness program at the Institute.  For a description of these principles, please see our About section.

In keeping with the spirit of the Institute, I encourage questions and open discussions about security.  And if you discover anything out of the ordinary, please feel free to bring it to my attention so that we can work together to create a more productive, safer environment.

Thanks,
Brian Epstein <security@ias.edu>
twitter: @epepepep


Attack exploits just-patched Mac security bug - Java Runtime Environment (JRE)

http://www.theregister.co.uk/2009/12/04/mac_windows_java_attack/

A proof of concept (POC) has been released that targets unpatched
Macintosh systems.

"If you haven't installed the latest security update for Mac OS X, now
would be a good time."

This is related to the security alert sent out yesterday [NET #1379]:

Study: Facebook users willingly give out data

http://news.cnet.com/8301-17939_109-10410257-2.html?tag=mncol;title

CNET reported on a recent study by Sophos about the web habits of Facebook users.  Their study found that 41-46% of users blindly accepted friend requests from two unknown people.  Sophos was then able to access "up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more."

Moderate: expat security update

http://rhn.redhat.com/errata/RHSA-2009-1625.html

"Updated expat packages that fix two security issues are now available for
Red Hat Enterprise Linux 3, 4, and 5."

"Two buffer over-read flaws were found in the way Expat handled malformed
UTF-8 sequences when processing XML files. A specially-crafted XML file
could cause applications using Expat to crash while parsing the file.
(CVE-2009-3560, CVE-2009-3720)"

Important: acpid security update

http://rhn.redhat.com/errata/RHSA-2009-1642.html

"An updated acpid package that fixes one security issue is now available
for Red Hat Enterprise Linux 5."

"Before applying this update, make sure that all previously-released
errata relevant to your system have been applied."

This flaw could lead to a local or compromised user to escalate privileges.

It is recommended to update this package.

Attack exploits just-patched Mac security bug - Java Runtime Environment (JRE)

http://www.theregister.co.uk/2009/12/04/mac_windows_java_attack/

A proof of concept (POC) has been released that targets unpatched
Macintosh systems.

"If you haven't installed the latest security update for Mac OS X, now
would be a good time."

This is related to the security alert sent out yesterday [NET #1379]:

Vulnerabilities in the Java Runtime Environment May Allow Privileges to be Escalated

http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1

"Multiple buffer and integer overflow vulnerabilities in the Java
Runtime Environment with processing audio and image files may allow an
untrusted applet or Java Web Start application to escalate privileges.
For example, an untrusted applet may grant itself permissions to read
and write local files or execute local applications that are accessible
to the user running the untrusted applet."

Vulnerabilities in the Java Runtime Environment May Allow Privileges to be Escalated

http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1

"Multiple buffer and integer overflow vulnerabilities in the Java
Runtime Environment with processing audio and image files may allow an
untrusted applet or Java Web Start application to escalate privileges.
For example, an untrusted applet may grant itself permissions to read
and write local files or execute local applications that are accessible
to the user running the untrusted applet."

Security Advisory for Adobe Flash Player (APSB09-19)

http://www.adobe.com/support/security/bulletins/apsb09-19.html

"Adobe is planning to release an update for Adobe Flash Player
10.0.32.18 and earlier versions, and an update to Adobe AIR 1.5.2 and
earlier versions, to resolve critical security issues. Adobe expects to
make these updates available on December 8, 2009."

Pages