[IS&T Security-FYI] Newsletter, March 15, 2007
Monique Yeaton
myeaton at MIT.EDU
Thu Mar 15 17:57:06 EDT 2007
Covered in this issue:
1. Microsoft Security Updates
2. Apple's Month of Patches
3. Tip: Unsafe USB Drives
---------------------------------------
1. Microsoft Security Updates
---------------------------------------
Microsoft canceled this month's Patch Tuesday... well, sort of. It
did push out a few patches including two "non-security, high-
priority" ones for Vista and updated its malicious software removal
tool. In spite of at least five existing zero-day software
vulnerabilities, most of the fixes will be pushed out to April. It
seems Microsoft needed more time to develop fixes for potential and
existing flaws.
The fixes you may have seen this past week include:
- Microsoft Malicious Software Removal Tool update
- New signatures for the Outlook 2003 and Outlook 2007 anti-spam filters
- Windows Vista Application Compatibility Update
- Revision to Windows Media Format 11 SDK (software developer's kit)
code
The updates were made available via the Microsoft Update and Windows
Update services as well as via Software Update Services (SUS) and
Windows Server Update Services (WSUS).
In other Microsoft news, Windows OneCare has been experiencing a few
problems. Windows OneCare is the company's anti-virus software. It
was reported recently that, in certain cases when it found a virus, a
bug deleted or quarantined all e-mail in a user's Outlook inbox. A fix
was released, but the problem reappeared in version 1.5 of OneCare.
There are workarounds for users, such as preventing OneCare from
scanning Outlook's .PST file.
We suggest that, if feasible, MIT Windows users opt out of OneCare
and use McAfee VirusScan instead, a free download available from the
IS&T software page.
<http://itinfo.mit.edu/product?platform=Windows>
---------------------------------------
2. Apple's Month of Patches
---------------------------------------
As if to make up for Microsoft's lack of security patches this month,
Apple has fixed 45 security bugs in this month's massive security
update 2007-003. The systems affected include:
- Mac OS X version 10.3.9 and 10.4 or later
- Mac OS Server version 10.3.9 and 10.4 or later
The update installs OS X 10.4.9 on your system. Many of the fixes
included in this update address vulnerabilities in products from
other vendors that ship with Apple OS X or OS X Server including:
- Adobe Flash Player
- GNU Tar
- MySQL Server
- OpenSSH
- Sudo
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
This and other updates are available via Apple Update or via Apple
Downloads. A summary of this latest update is published by security
clearing house US CERT at:
<http://www.us-cert.gov/cas/techalerts/TA07-072A.html>
---------------------------------------
3. Tip: Unsafe USB Drives
---------------------------------------
Don't plug in USB drives that you find lying around. Criminals can
use them to steal your data.
In a social engineering test, people's natural curiosity and desire
to help were exploited by consultant Steve Stasiukonis, from Secure
Network Technologies, who was hired to check security awareness at a
credit union. He loaded malicious software on old thumb drives
and left the drives on the ground and tables in the parking lot and
smoking areas. Each time a curious, helpful person plugged any of the
thumb drives into his computer, it loaded software and reported who
had taken the bait. His test was harmless, but criminals can use the
same technique to take control of our computers.
The full story can be found at this link:
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
If you have any questions or comments, please email security at mit.edu.
Monique