[IS&T Security-FYI] Newsletter, September 14, 2007
Monique Yeaton
myeaton at MIT.EDU
Fri Sep 14 14:15:12 EDT 2007
In this issue:
1. Microsoft, Apple and Linux security alerts
2. MIT's Jeff Schiller to Speak at NERCOMP Event
3. Schools In the News: Johns Hopkins University -- Update
4. Tip of the Week: Patches Sent in Emails are Phony
-------------------------------------------------------
1. Microsoft, Apple and Linux security alerts
-------------------------------------------------------
Microsoft and Apple security updates were released earlier this
month. Several Linux vulnerabilities have also been found in the past
couple of weeks. Here is a run-down of the products that were affected.
Microsoft:
* Windows
* Visual Studio
* Windows Services for Unix
* MSN Messenger
Microsoft released four security updates on Patch Tuesday that
address vulnerabilities in several products. One of these was
critical. Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code or cause a denial
of service on a vulnerable system.
The patches are now approved for deployment via MIT WAUS. See
<http://web.mit.edu/ist/topics/windows/updates/> for more information on
registering for MIT WAUS.
Learn more about this month's Microsoft security updates:
<http://www.microsoft.com/protect/computer/updates/bulletins/200709.mspx>
Apple:
* iTunes 7.4
Apple has released updates for both the OS X and Windows versions of
iTunes to address a remote code execution vulnerability in version
7.4 of the media player. The flaw lies in the cover art display
system. By enticing a user to open a maliciously crafted music file,
an attacker may trigger the overflow which may lead to an unexpected
application termination or arbitrary code execution.
Learn more about this security update:
<http://docs.info.apple.com/article.html?artnum=306404>
Linux:
* BitchX 1.1
* TCP Wrappers Libwrap0
* Backup Manager
* Linux Kernel
* Red Hat Advanced Intrusion Detection Environment (AIDE)
* debian-goodies
Note to Linux users: Vulnerabilities in products that run on Linux
are often not listed in one particular report. Subscribe to the Red
Hat watch list to get new security advisories for Red Hat products:
<http://www.redhat.com/security/updates/advisory/> or subscribe to
the SANS @Risk Consensus Security Vulnerability Alert (released
weekly): <http://www.sans.org/newsletters/risk/>. The SANS alert
includes vulnerabilities in all products, not just those that run on
Linux.
----------------------------------------------------------------
2. MIT's Jeff Schiller to Speak at NERCOMP Event
----------------------------------------------------------------
MIT's own Network Manager, Jeff Schiller, will be speaking at a
NERCOMP event covering Security Architectures in Higher Education.
The event occurs on Monday, September 24, 2007 from 9:15 AM to 3:00 PM
at the College of the Holy Cross in Worcester, MA. MIT community
members can register for the reduced price of $73.
To learn more or to register see:
<http://www.nercomp.org/events/event_single.aspx?id=1226>
----------------------------------------------------------------
3. Schools In the News: Johns Hopkins University -- Update
----------------------------------------------------------------
Last week I covered a news story on this university. Here is an update.
The computer that was stolen from Johns Hopkins Hospital on July 15,
2007 has been recovered. A Baltimore lawyer turned the desktop
computer over to hospital security; he learned of its location from a
client, but could provide no more information as he was bound by
attorney-client privilege. A preliminary inspection indicated the
computer was never turned on after it was stolen; the computer
contains patient data. Johns Hopkins Hospital plans to bring in an IT
forensics expert to conduct a thorough examination of the PC.
Full story:
<http://www.baltimoresun.com/news/health/bal-computer0904,0,500185.story>
-------------------------------------------------------------------
4. Tip of the Week: Patches Sent in Emails are Phony
-------------------------------------------------------------------
Do not trust links in emails that claim to give you a security
update for your system. Hackers use this method regularly, with
the latest attempt occurring in June of this year. Windows users were
receiving fake Microsoft security advisories that actually linked to a
malicious website. The message claims the link is a patch that is
supposed to address the vulnerability, but instead of giving you a
fix, it can give you a virus or spy on your browsing activity.
Anti-virus software should be able to catch these files before they
infect your computer, but make sure your virus protection software is
up to date with the latest virus definitions and that your operating
system is also updated. Most of all, do not trust a patch sent via
email or click on links in emails claiming to be security patches.
Microsoft and Apple never supply patches in this manner.
------------------------------------
Let us know how we're doing
------------------------------------
Do you find this communication helpful? Are there other items of
interest you would like to see included as well? Please take a
moment to let us know. <ist-security-fyi-owner at mit.edu>
Thank you,
Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security