Welcome to the Network Security website at the IAS

This website is intended to bring you the latest news, how-tos, tools and resources in Information Security. Security Awareness of our Faculty, Members and Staff is key in creating a safer computing environment.

The three major Principles of Information Security, Availability, Integrity and Confidentiality, will be covered throughout the security awareness program at the Institute.  For a description of these principles, please see our About section.

In keeping with the spirit of the Institute, I encourage questions and open discussions about security.  And if you discover anything out of the ordinary, please feel free to bring it to my attention so that we can work together to create a more productive, safer environment.

Thanks,
Brian Epstein <security@ias.edu>
twitter: @epepepep


Autocomplete Data Theft in Mozilla Firefox

http://www.securityfocus.com/archive/1/507668

"A malicious web page can extract out all the data stored within the
autocomplete history of a user's Firefox browser. The web page must
convince a user to hold down the left or right-arrow keys then the
contents of the autocomplete popup can be read. This may include the
search history box within the browser, or other personal details."

"Mozilla fixed this issue in the 3.5.4 and 3.0.0.15 releases of Firefox."

Adobe Shockwave Player Multiple Remote Code Execution and Denial of Service Vulnerabilities

http://www.securityfocus.com/bid/36905

"Adobe Shockwave Player is prone to multiple remote code-execution and
denial-of-service vulnerabilities.

Attackers can exploit these issues to execute arbitrary code in the
context of the currently logged-in user and to cause denial-of-service
conditions.

Versions prior to Shockwave Player 11.5.2.602 for Microsoft Windows and
Apple Mac OS X are vulnerable."

Sun Java SE November 2009 Multiple Security Vulnerabilities

http://www.securityfocus.com/bid/36881

"Sun has released updates to address multiple security vulnerabilities
in Java SE.

Successful exploits may allow attackers to bypass certain security
restrictions, run untrusted applets with elevated privileges, execute
arbitrary code, and cause denial-of-service conditions. Other attacks
are also possible.

These issues are addressed in the following releases:
