Microsoft Office 2008 12.2.5 Update for Mac OS X

Microsoft has released security bulletin MS10-038. This security bulletin contains all the relevant information about the security updates for Microsoft Office 2008 for Mac OS X.  To view the complete security bulletin, visit the following Microsoft website:

http://www.microsoft.com/technet/security/bulletin/ms10-038.mspx

This update improves security. It includes fixes for vulnerabilities that an attacker can use to overwrite the contents of your computer’s memory with malicious code. Additionally, this update contains improvements that enhance the stability and performance of Office 2008 for Mac applications.

Improvements that are included in the update

The Office 2008 for Mac 12.2.5 Update includes the following improvements.

Improvements for all Microsoft Office 2008 for Mac applications

  • Helps improve security
    This update fixes vulnerabilities in Office 2008 that an attacker can use to overwrite the contents of your computer’s memory with malicious code. For more information, see the security bulletin that is listed earlier in this document.
  • Custom dictionary is improved
    This update fixes issues that prevent the custom dictionary from including words from different languages.

Before you install the Office 2008 12.2.5 Update, make sure that the computer is running Mac OS X 10.4.9 (Tiger) or a later version of the Mac OS X operating system.

To verify that the computer meets this prerequisite, click About This Mac on the Apple menu.

Additionally, you must install Microsoft Office 2008 for Mac 12.1.0 Update before you install the Office 2008 for Mac 12.2.5 Update.

To verify the update that is installed on your computer, follow these steps:

  1. On the Go menu, click Applications.
  2. Open the Microsoft Office 2008 folder, and then open any Office application (for example, open Word).
  3. On the Word menu, click About Word.
  4. In the About Word dialog box, compare the version number next to Latest Installed Update.

The Office 2008 12.2.5 Update is also available from Microsoft AutoUpdate. AutoUpdate is a program that automatically keeps Microsoft software up-to-date.

To use AutoUpdate, start a Microsoft Office program. Then, on the Help menu, click Check for Updates.

THIS DOCUMENT APPLIES TO:
  • Microsoft Office 2008 for Mac
  • Microsoft Office 2008 for Mac Business Edition
  • Microsoft Office 2008 for Mac Home and Student Edition
  • Microsoft Office 2008 for Mac Special Media Edition
  • Microsoft Entourage 2008 for Mac
  • Microsoft Excel 2008 for Mac
  • Microsoft PowerPoint 2008 for Mac
  • Microsoft Word 2008 for Mac

Information Security vs Information Privacy

The conflict between information technology and personal and information privacy has been a major topic in recent months, keeping privacy organizations, including the Washington, D.C.-based Electronic Privacy Information Center (EPIC), busy as the premier privacy watchdog in the U.S. Recent examples include Google asking the NSA for assistance in the investigation of a cyber-attack that occurred on its network, and the initial roll-out of Google’s social networking application “Buzz”, which caused quite a stir because of how Google automatically suggested and added Gmail contacts to its followed list. Now, allegations have surfaced that the Lower Merion School District in PA used remote-controlled web cameras attached to laptops to spy on high school students, and these are under investigation.

Information security and personal privacy have become increasingly important as our reliance on the Internet has grown in all areas, including business and play. Many people try to understand how much privacy they are willing to give up for security, and many often confuse the concepts of security and privacy, treating them as synonymous.

Information privacy is an individual’s claim that data about themselves should not be automatically available to other individuals and organizations, while information security means protecting information from unauthorized access, use, disclosure, modification or destruction.

What are your views on information security and your information privacy? How much of your information privacy would you be willing to give up to ensure your information security level?

Types of Wireless Attacks

Standard wireless communication occurs when the end user and the wireless access point are able to communicate on a point-to-point basis without interruptions. Many attack variations against wireless networks break this standard communication format. These attacks include denial of service attacks, man-in-the-middle attacks and the WEP key-cracking attack, to name a few, and are described below.

Denial of Service (DoS) attacks
The objective of a Denial of Service (DoS) attack is to prevent authorized users from accessing legitimate network resources by denying them service. A DoS occurs when the malicious attacker sends an abundance of garbage data to the wireless access point, choking all other communications to legitimate users.

Man-in-the-middle attacks
A man-in-the-middle attack consists of a malicious user (hacker) inserting themselves into the data path between the client and the AP. In such a position, the malicious attacker can delete, add, or modify data. The man-in-the-middle attack also gives the malicious attacker access to sensitive information about legitimate users, such as usernames and passwords, credit card numbers and social security numbers.

Wardriving
Wardriving is the mapping of wireless access points (WAP) by driving or walking through populated areas carrying wireless equipment such as a laptop or a PDA to detect active wireless access points. The tools used for this are available freely off the Internet in the form of Netstumbler and Ministumbler (http://www.netstumbler.com/). Once the malicious attacker has located vulnerable wireless access points, they are able to mount attacks against other locations under the cover of the compromised network.

Wired Equivalent Privacy (WEP)
The Wired Equivalent Privacy (WEP) authentication consists of each frame being encrypted as it is transmitted to the wireless access point. WEP possesses many deficiencies, such as the ability to be compromised within a short period of time. Hackers can fairly easily decode WEP-encrypted information after monitoring an active network for less than one day. An application such as WEPCrack (wepcrack.sourceforge.net/) is a freely available tool often used to implement such an attack.

The Types of Hackers: Black Hat, White Hat or a Gray Hat Hacker, Which Type are you?

A white hat hacker is a computer and network expert who attacks a security system on behalf of its owners or as a hobby, seeking vulnerabilities that a malicious hacker could exploit. Instead of taking malicious advantage of exploits, a white hat hacker notifies the system’s owners to fix the breach before it can be taken advantage of.

A black hat is a person who compromises the security of a computer system without permission from an authorized party, typically with malicious intent. A black hat will maintain knowledge of the vulnerabilities and exploits they find for a private advantage, not revealing them to the public or the manufacturer for correction.

A gray hat is a skilled hacker who sometimes will act legally and other times may not. They are a cross between white hat and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits.

Which one are you?

Cloud Computing and Security Concerns

Cloud computing has been receiving a lot of press in the IT mainstream media lately, and all indications point to it continuing to be a hot topic for some time. Gartner.com stated in an article, “Significant innovations in virtualization and distributed computing, as well as improved access to high-speed Internet and a weak economy, have accelerated interest in cloud computing.”

Cloud computing involves delivering hosted services over the Internet. These services can be private or public and are divided into three categories:

  • Infrastructure-as-a-Service (IaaS)
  • Platform-as-a-Service (PaaS)
  • Software-as-a-Service (SaaS)

Infrastructure as a Service (IaaS) is a service in which an organization outsources the equipment used to support operations, including storage, servers and networking components. The service provider owns the equipment and is responsible for its operation and maintenance.

Platform as a Service (PaaS) is a service for which the development tool itself is hosted in the cloud and accessed through a browser. Developers can build web applications without installing any tools on their computer and then deploy those applications without any specialized systems administration skills.

Software as a Service (SaaS) is a software service application that allows users to purchase a software service to be used over the Internet that is developed and managed by an independent or third party. The software is not downloaded onto the user’s computer, but is simply accessed via an Application Programming Interface (API) over the World Wide Web with a login and a password.

Cloud Security

Due to the nature of cloud computing, many security concerns have been raised as researchers, security professionals and management examine the models. Cloud computing does not allow the organization to physically possess its data on site unless it is backed up on a secondary storage device. Customers of the cloud-computing model need to make sure that the service provider is conducting regular backups and has an incident response plan and a disaster recovery plan in place. This is for continuity of business functions as well as for meeting regulatory compliance requirements such as FISMA and HIPAA, to name a few.

Cloud computing has the ability to assist many organizations, but intensive research, review and audits should be conducted before adopting it. Organizations that choose to rely on a cloud service model will have to take on the additional responsibility of understanding the services being offered in order to understand the effects on their operations and security.

Computer Malware and Preventive Recommendations: Botnets

It’s often what we don’t know that can hurt us the most…

That is the case when it comes to the effects of malware such as computer viruses, worms and Trojans.

Botnets are one of the fastest growing and most dangerous threats on the Internet today. “Bot” stands for robot, which is a piece of software with some intelligence to perform a task, and the “net” stands for network, which is the collection of these individual bots under one controlling person called a bot herder.

The interesting thing is that not all bots are bad. For example, intelligent software agents used in Microsoft Word or the ones used by search engine sites like Google are here to help the end user, whereas bots such as the Storm and Kraken botnet collection are here to disrupt end user activities.

The bots are small executable files that are very easy to spread. They can be spread through spam, music files located on file sharing systems, various Microsoft vulnerabilities that are not patched, and hosting on a web site that pushes them to visitors in a technique called “drive-by download” (very nasty and stealthy).

The thing that makes these bots so dangerous is their exponential growth factor. As more systems are infected, they also begin to scan for vulnerable systems. Since additional computer systems use their resources to recruit other systems, the growth can be enormous in a short period of time.

SecurityOrb.com, an information security media company based in the Washington, D.C. metro area, recommends the following:
* Use a Mac OS X based system or even a Linux-based system if possible; if not:

1. Make sure you have security controls in place (e.g. Firewall, Anti-Virus, Anti-Spyware and IDS)
2. Make sure they are licensed and updated regularly
3. Make sure you run them frequently or have them run at a time your computer will be on
4. Do not download free miscellaneous software from the Internet (e.g. screensavers and games)
5. Do not open attachments if you do not know who they are from or what the attachment is.
6. Just be smart

For more information on botnets, their effects and detailed recommendations to prevent and remove malware, check out https://securityorb.com/