Microsoft Security Updates for August 2014

Last Tuesday, Microsoft issued nine security bulletins addressing a total of 37 security issues in its products. The bulletins include a cumulative update for Internet Explorer (IE) and fixes for vulnerabilities in Windows, Office, SharePoint Server, SQL Server software, and the .NET Framework.

One of the critical patches remediates the bulk of the vulnerabilities, including 26 bugs in IE, the most severe of which could allow remote code execution (RCE). The patch covers IE 6 through 11. Next month a new security feature will be added to IE to deal with many of these repeat vulnerabilities. See the article on “Improved Security for Internet Explorer” in this newsletter below.

Read the full story in the news.

Over a Billion Stolen Credentials Amassed

Earlier this month, the NY Times reported that a Russian crime ring has amassed 1.2 billion user name and password combinations and more than 500 million email addresses from the Internet. According to security firm Hold Security, many of the sites from which the credentials were stolen are still vulnerable.

There is concern in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. Last December, 40 million credit card numbers and 70 million addresses, phone numbers and other pieces of personal information were stolen from Target by Eastern European hackers. This latest discovery has prompted security experts to call for improved identity protection on the web.

Read the full story online.

As a result of the large number of usernames and passwords that have fallen into the hands of criminals, one NY Times reporter came up with a two-step plan to prevent hackers from getting into his online accounts. He contacted all of the companies with which he does online financial transactions to find out whether they support multi-factor authentication. He writes about his experience here.

If you are concerned about your online accounts and whether they are secure enough, you may want to take similar steps or be proactive in other ways. One suggestion I would make — until all companies offer multi-factor authentication — is to update your passwords regularly and manage them with a password manager such as LastPass, 1Password or KeePass.

Improved Security for Internet Explorer

On September 9, 2014, Microsoft will release a new Internet Explorer security feature called “out-of-date ActiveX control blocking.” ActiveX controls are small programs that let Web sites provide content such as videos and games, and also let you interact with content such as toolbars. Unfortunately, many ActiveX controls are not updated automatically. Malicious and compromised Web pages can target outdated controls to collect information, install dangerous software, or let someone else control your computer remotely.

The new feature works with IE 8 through IE 11 on Windows 7 SP1 and up, and on Windows Server 2008 SP1 and up. As of September, only out-of-date Oracle Java ActiveX controls will be affected. All other ActiveX controls will continue their existing behavior.

More information about outdated ActiveX control blocking.

A Scam-Free Vacation

A lost ID card, an unknown wireless connection, a stolen smartphone, a card skimmer, or a stolen laptop can ruin that glow you acquired while you were away. You don’t want to have to deal with identity theft or lost devices. These tips from the FTC provide some peace of mind for vacationers.

Top 25 Most Dangerous Software Errors

The Common Weakness Enumeration (CWE) has compiled a list of the 25 most dangerous coding errors that can lead to serious vulnerabilities in software. They are often easy to find and exploit. They are dangerous because they frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. Although this list was compiled in 2011, the weaknesses listed are still the same today.

A run-down of the top 5:

  1. SQL Injection, ranked as number 1, is still the most common means of attack. For data-rich software applications, SQL injection is a way to steal the keys to the kingdom. A lot of software is all about the data: getting it into the database, pulling it from the database, massaging it into information, and sending it elsewhere for fun and profit. If attackers can influence the SQL that you use to communicate with your database, then suddenly all your fun and profit belongs to them. If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security. They could modify the queries to steal, corrupt, or otherwise change your underlying data. They’ll even steal data one byte at a time if they have to, and they have the patience and know-how to do so. In 2011, SQL injection was responsible for the compromises of many high-profile organizations, including Sony Pictures, PBS, security company HBGary Federal, and many others.
  2. OS Command Injection is next, and is where the application interacts with the operating system. Your software is often the bridge between an outsider on the network and the internals of your operating system. When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing that program, then you are inviting attackers to cross that bridge into a land of riches by executing their own commands instead of yours.
  3. The classic buffer overflow is third. Buffer overflows are Mother Nature’s little reminder of that law of physics that says: if you try to put more stuff into a container than it can hold, you’re going to make a mess. The scourge of C applications for decades, buffer overflows have been remarkably resistant to elimination. However, copying an untrusted input without checking the size of that input is the simplest error to make in a time when there are much more interesting mistakes to avoid. That’s why this type of buffer overflow is often referred to as “classic.” It’s decades old, and it’s typically one of the first things you learn about in Secure Programming 101.
  4. Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications. It’s pretty much inevitable when you combine the stateless nature of HTTP, the mixture of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you’re not careful, attackers can inject JavaScript or other browser-executable content into a web page that your application generates. Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you (because, after all, it *did* come from you). Suddenly, your web site is serving code that you didn’t write. The attacker can use a variety of techniques to get the input directly into your server, or use an unwitting victim as the middle man (Man-in-the-Middle Attack) in a technical version of the “why do you keep hitting yourself?” game.
  5. Missing authentication for critical function is fifth. In countless action movies, the villain breaks into a high-security building by crawling through heating ducts or pipes, scaling elevator shafts, or hiding under a moving cart. This works because the pathway into the building doesn’t have all those nosy security guards asking for identification. Software may expose certain critical functionality with the assumption that nobody would think of trying to do anything but break in through the front door. But attackers know how to case a joint and figure out alternate ways of getting into a system.

See the full list and learn mitigations and preventions for all 25.
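To make the first, second, fourth and fifth entries concrete, here is an added Python example; it is not part of the newsletter or of the CWE list. Each weakness appears as the defective version beside its fix, so the difference in behaviour can be run and seen. The users table, the account, the echo command and the session dictionary are all constructed for the demonstration, and the classic buffer overflow is left out because it needs a language without bounds checking.

```python
import html
import sqlite3
import subprocess


# --- Constructed sample data (not from the newsletter) ---
def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


# --- 1. SQL injection: query built from strings vs. parameterized query ---
def login_unsafe(conn, name, password):
    """Untrusted input is pasted into the SQL text, so it can change the query's logic."""
    query = (f"SELECT role FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Placeholders pass the input as data; the SQL text itself never changes."""
    query = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(query, (name, password)).fetchone()
    return row[0] if row else None


# --- 2. OS command injection: shell string vs. argument list ---
def echo_unsafe(value):
    """shell=True hands the whole string to /bin/sh, which honours ; | && and friends."""
    result = subprocess.run("echo " + value, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def echo_safe(value):
    """An argv list runs the program directly; the value is one argument, metacharacters included."""
    result = subprocess.run(["echo", value], capture_output=True, text=True)
    return result.stdout


# --- 3. Cross-site scripting: raw interpolation vs. HTML-escaped output ---
def greeting_unsafe(name):
    """Whatever the user typed becomes part of the page's markup."""
    return f"<p>Hello, {name}</p>"


def greeting_safe(name):
    """html.escape turns < > & and quotes into entities, so the input can only ever be text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- 4. Missing authentication for a critical function ---
def require_auth(handler):
    """Decorator: every critical handler checks the session, not only the login page."""
    def wrapped(session, *args):
        if not session.get("authenticated"):
            raise PermissionError("authentication required")
        return handler(session, *args)
    return wrapped


@require_auth
def delete_account(session, username):
    """Critical action that must never be reachable without a checked session."""
    return f"deleted {username}"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"   # constructed input that rewrites the unsafe query's WHERE clause
    print(login_unsafe(db, "nobody", tautology))   # admin: the condition became always-true
    print(login_safe(db, "nobody", tautology))     # None: compared as a literal password
    print(echo_unsafe("hi; echo injected"))        # two lines: the shell ran a second command
    print(echo_safe("hi; echo injected"))          # one line, printed verbatim
    print(greeting_safe("<script>alert(1)</script>"))
    print(delete_account({"authenticated": True}, "bob"))
```

The fixes share one idea: keep untrusted input on the data side of a boundary (query parameters, an argv element, an escaped text node) and put the authentication check on every critical path rather than only at the front door.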

Personal Certificates Renewal Time

Every year at MIT personal web certificates expire on July 31. Renewal is not automatic, so for continued access to MIT’s secure web applications, such as Atlas, WebSIS, COEUS Lite, and ePaystubs, be sure to renew your certificate.

When you obtain your personal certificate, if you haven’t changed your password for over a year, you will be prompted to do so as an additional security measure. You may want to review password strength requirements before choosing a new one.

Certificates obtained after June 30, 2014 are valid until July 31, 2015.

A Year After Sophos Was Released to MIT

There are over 14,000 MIT computers currently running Sophos Anti-Virus, including those in the WIN domain and self-administered MIT hosts. If you aren’t familiar with Sophos: once installed, the software runs in the background, with little to no interruption to your work. When Sophos finds an infected file, it alerts you and locks the file, which you can then delete using the Sophos Quarantine Manager. Because the client communicates with the Sophos Management Console (administered by IS&T), useful information such as the status and health of the Sophos client on each machine is reported to the console.
