[IS&T Security-FYI] Newsletter, March 15, 2007

Monique Yeaton myeaton at MIT.EDU
Thu Mar 15 17:57:06 EDT 2007


Covered in this issue:

1. Microsoft Security Updates
2. Apple's Month of Patches
3. Tip: Unsafe USB Drives


---------------------------------------
1. Microsoft Security Updates
---------------------------------------

Microsoft canceled this month's Patch Tuesday... well, sort of. It  
did push out a few patches including two "non-security, high- 
priority" ones for Vista and updated its malicious software removal  
tool. In spite of at least five existing zero-day software  
vulnerabilities, most of the fixes will be pushed out to April. It  
seems Microsoft needed more time to develop fixes for potential and  
existing flaws.

The fixes you may have seen this past week include:

- Microsoft Malicious Software Removal Tool update
- New signatures for the Outlook 2003 and Outlook 2007 anti-spam filters
- Windows Vista Application Compatibility Update
- Revision to Windows Media Format 11 SDK (software developer's kit)  
code

The updates were made available via the Microsoft Update and Windows  
Update services as well as via Software Update Services (SUS) and  
Windows Server Update Services (WSUS).

In other Microsoft news, Windows OneCare, the company's anti-virus  
software, has been experiencing a few problems. It was recently  
reported that, in certain cases where OneCare found a virus, a bug  
deleted or quarantined all e-mail in the user's Outlook inbox. A fix  
was released, but the problem reappeared in version 1.5 of OneCare.  
There are workarounds for users, such as preventing OneCare from  
scanning Outlook's .PST file.

We suggest that, if feasible, MIT Windows users opt out of OneCare  
and use McAfee VirusScan instead, a free download available from the  
IS&T software page.
<http://itinfo.mit.edu/product?platform=Windows>


---------------------------------------
2. Apple's Month of Patches
---------------------------------------

As if to make up for Microsoft's lack of security patches this month,  
Apple has fixed 45 security bugs in this month's massive security  
update 2007-003. The systems affected include:

- Mac OS X version 10.3.9 and 10.4 or later
- Mac OS Server version 10.3.9 and 10.4 or later

The update installs OS X 10.4.9 on your system. Many of the fixes  
included in this update address vulnerabilities in products from  
other vendors that ship with Apple OS X or OS X Server, including:

- Adobe Flash Player
- GNU Tar
- MySQL Server
- OpenSSH
- Sudo

The impacts of these vulnerabilities vary. Potential consequences  
include remote execution of arbitrary code or commands, bypass of  
security restrictions, and denial of service.

This and other updates are available via Apple Update or via Apple  
Downloads. A summary of this latest update is published by security  
clearing house US CERT at:
<http://www.us-cert.gov/cas/techalerts/TA07-072A.html>


-----------------------------------
3. Tip: Unsafe USB Drives
-----------------------------------

Don't plug in USB drives that you find lying around.  Criminals can  
use them to steal your data.

In a social engineering test, people's natural curiosity and desire  
to help were exploited by consultant Steve Stasiukonis, from Secure  
Network Technologies, who was hired to check security awareness at a  
credit union.  He loaded malicious software on old thumb drives and  
left the drives on the ground and on tables in the parking lot and  
smoking areas. Each time a curious, helpful person plugged one of the  
thumb drives into his computer, it loaded software and reported who  
had taken the bait.  His test was harmless, but criminals can use the  
same technique to take control of our computers.

The full story can be found at this link:
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

If you have any questions or comments, please email security at mit.edu.


Monique
