Hopefully it is already on your calendars, but a reminder that tomorrow is the 7th Annual Computer Security Awareness Symposium in the Idaho Commons Crest-Horizon rooms. We are excited to have notable presentations from Joe St Sauver and Justin Engler in addition to ITS staff, but I wanted to specifically mention Joe and Justin’s presentations.
Joe St Sauver serves as Manager for Internet2's Nationwide Security Programs and Manager of InCommon's Certificate Service under contract through the University of Oregon. His talk on SSL is extremely relevant given recent exploits for SSL/TLS and will explore both how to protect your server communications (especially if you use Apache) and how a user can better protect themselves when using SSL. There is something in his 130(!) slides for everyone.
Justin Engler is a University of Idaho alumnus and a security consultant with Fishnet Security specializing in web application security. He recently presented at BlackHat and Defcon, and will be talking to us about the top 10 web application weaknesses (the OWASP Top 10), with lots of live demonstration!
I hope you all plan to attend and win prizes! (Grand prize is an APC 1000VA UPS provided by Zones.)
Other interesting security related items since our last note:
Adobe has released updates for Reader and Acrobat. This update fixes multiple vulnerabilities that allow privilege escalation or arbitrary code execution.
Adobe has released Flash 10.3.183 and then 11 and Air 3. They added 64-bit support in the 11 release, though a separate installer may be needed depending on your method.
There is now a patch out for the “byte range” DoS vulnerability in Apache, and a separate patch for a mod_proxy issue. Apache is used in so darn many places, I bet we will be chasing this one for quite some time, especially on those pesky appliances.
Apple has released iTunes 10.5, which addresses a whopping *79* vulnerabilities on Windows, and OS X 10.7.2 was released today which addresses many of the same vulnerabilities for the Mac. iTunes 10.5 also adds the iCloud features which will be available for iOS 5 devices on Friday.
A complete breach of trusted certificate vendor DigiNotar has resulted in numerous updates to trusted certificates in all major browsers and operating systems. If you haven’t updated, you are vulnerable to all sorts of man-in-the-middle attacks.
Microsoft Advisory: http://technet.microsoft.com/en-us/security/advisory/2607712
DigiNotar Audit: http://isc.sans.edu/diary.html?storyid=11512&rss
Mozilla: http://www.mozilla.org/en-US/firefox/6.0.2/releasenotes/ (they have since gone up to 7.0.1)
The last two Microsoft Black Tuesday overviews are available from SANS. Most notable are the IE updates.
Oracle released Java 6.0u27 (though it contains no security fixes over 6.0u26).
PHP released 5.3.7 then quickly rev’d to 5.3.8 to address security issues. Note that the 5.2 series is no longer supported.
Please send us all comments and feedback!
Mitch Parks, GSEC/GCWN/GCFE
ITS Desktop Security Analyst
ITS Desktop Security Assistant