[IS&T Security-FYI] Newsletter, September 14, 2007

Monique Yeaton myeaton at MIT.EDU
Fri Sep 14 14:15:12 EDT 2007


In this issue:

1. Microsoft, Apple and Linux security alerts
2. MIT's Jeff Schiller to Speak at NERCOMP Event
3. Schools In the News: Johns Hopkins University -- Update
4. Tip of the Week: Patches Sent in Emails are Phony


-------------------------------------------------------
1. Microsoft, Apple and Linux security alerts
-------------------------------------------------------

Microsoft and Apple security updates were released earlier this  
month. Several Linux vulnerabilities have also been found in the past  
couple of weeks. Here is a run-down of the products that were affected.

Microsoft:

  * Windows
  * Visual Studio
  * Windows Services for Unix
  * MSN Messenger

Microsoft released four security updates on Patch Tuesday that  
address vulnerabilities in several products. One of these was  
critical. Exploitation of these vulnerabilities could allow a remote,  
unauthenticated attacker to execute arbitrary code or cause a denial  
of service on a vulnerable system.

The patches are now approved for deployment via MIT WAUS. See <http:// 
web.mit.edu/ist/topics/windows/updates/> for more information on  
registering for MIT WAUS.

Learn more about this month's Microsoft security updates: <http:// 
www.microsoft.com/protect/computer/updates/bulletins/200709.mspx>

Apple:

  * iTunes 7.4

Apple has released updates for both the OS X and Windows versions of  
iTunes to address a remote code execution vulnerability in version  
7.4 of the media player. The flaw lies in the cover art display  
system. By enticing a user to open a maliciously crafted music file,  
an attacker can trigger a buffer overflow, which may lead to unexpected  
application termination or arbitrary code execution.

Learn more about this security update:  <http://docs.info.apple.com/ 
article.html?artnum=306404>

Linux:

  * BitchX 1.1
  * TCP Wrappers Libwrap0
  * Backup Manager
  * Linux Kernel
  * Red Hat Advanced Intrusion Detection Environment (AIDE)
  * debian-goodies

Note to Linux users: Vulnerabilities in products that run on Linux  
are often not listed in one particular report. Subscribe to the Red  
Hat watch list to get new security advisories for Red Hat products:  
<http://www.redhat.com/security/updates/advisory/> or subscribe to  
the SANS @Risk Consensus Security Vulnerability Alert (released  
weekly): <http://www.sans.org/newsletters/risk/>. The SANS alert  
includes vulnerabilities in all products, not just those that run on  
Linux.


----------------------------------------------------------------
2. MIT's Jeff Schiller to Speak at NERCOMP Event
----------------------------------------------------------------

MIT's own Network Manager, Jeff Schiller, will be speaking at a  
NERCOMP event covering Security Architectures in Higher Education.  
The event takes place on Monday, September 24, 2007, from 9:15 AM to  
3:00 PM at the College of the Holy Cross in Worcester, MA. MIT community  
members can register for the reduced price of $73.

To learn more or to register see: <http://www.nercomp.org/events/ 
event_single.aspx?id=1226>


-------------------------------------------------------------------
3. Schools In the News: Johns Hopkins University -- Update
-------------------------------------------------------------------

Last week I covered a news story on this university. Here is an update.

The computer that was stolen from Johns Hopkins Hospital on July 15,  
2007 has been recovered.  A Baltimore lawyer turned the desktop  
computer over to hospital security; he learned of its location from a  
client, but could provide no more information as he was bound by  
attorney-client privilege.  A preliminary inspection indicated the  
computer was never turned on after it was stolen; the computer  
contains patient data. Johns Hopkins Hospital plans to bring in an IT  
forensics expert to conduct a thorough examination of the PC.
Full story: <http://www.baltimoresun.com/news/health/bal- 
computer0904,0,500185.story>

-------------------------------------------------------------------
4. Tip of the Week: Patches Sent in Emails are Phony
-------------------------------------------------------------------

Do not trust links in emails that claim to lead you to a security  
update for your system. Attackers use this method regularly; the  
latest attempt occurred in June of this year, when Windows users  
received fake Microsoft security advisories that actually linked to a  
malicious website. The message claims the link is a patch for the  
vulnerability, but instead of giving you a fix, it can infect your  
computer with a virus or install software that spies on your browsing  
activity.

Anti-virus software should catch these files before they infect your  
computer, but only if your virus definitions are up to date and your  
operating system is also patched. Most of all, do not trust a patch  
sent via email, and do not click links in emails claiming to be  
security patches. Microsoft and Apple never distribute patches in this  
manner.
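As an added illustration of this tip (example code written for this newsletter, not part of the original tip or of any vendor's tooling): a small Python checker that takes an e-mail subject and body and flags links that talk about a patch or security update but point somewhere other than the vendor's own domain, show a vendor-looking URL as link text while the href goes to a different host, or lead straight to an executable download. The vendor allowlist, the keyword list and the four sample messages are constructed assumptions for the example; hosts under `.example` are placeholders.

```python
"""Flag 'security patch' e-mails whose links do not lead to the vendor.

Added example; the allowlist, keywords and sample messages are constructed
for illustration and are not taken from any real mail.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: a link host must be one of these domains or a subdomain
# of one ("www.microsoft.com" passes, "microsoft.com.evil.example" does not).
VENDOR_DOMAINS = ("microsoft.com", "apple.com")

# Only messages that talk about patching are examined at all (assumed list).
PATCH_WORDS = re.compile(r"\b(patch|security update|hotfix|bulletin)", re.I)

# Links that download an executable directly get their own flag.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".zip", ".msi")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_vendor(host):
    """True only for an exact vendor domain or a genuine subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def extract_links(body):
    """HTML bodies yield (href, text); plain-text bodies yield bare URLs."""
    if "<a" in body.lower():
        parser = LinkExtractor()
        parser.feed(body)
        return parser.links
    return [(url, url) for url in re.findall(r"https?://[^\s<>\"']+", body)]


def check_message(subject, body):
    """Return (tag, detail) findings; an empty list means nothing suspicious."""
    findings = []
    if not PATCH_WORDS.search(subject + " " + body):
        return findings
    for href, text in extract_links(body):
        parsed = urlparse(href)
        href_host = (parsed.hostname or "").lower()
        if not href_host:
            continue  # mailto:, relative links, etc. carry no host to judge
        if not host_is_vendor(href_host):
            findings.append(("off-vendor-host", href_host))
        # Link text that displays one URL while the href goes to another host.
        shown = re.search(r"https?://([^\s/]+)", text)
        if shown and shown.group(1).lower() != href_host:
            findings.append(("link-text-mismatch", f"{shown.group(1)} -> {href_host}"))
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("executable-download", parsed.path))
    return findings


# Constructed sample messages (subject, body); .example hosts are placeholders.
PHISH_HTML = (
    "Critical Microsoft Security Update",
    '<p>A critical vulnerability requires this security update. Download the '
    'patch here: <a href="http://update-microsoft.example.net/patch.exe">'
    'http://www.microsoft.com/technet/security/</a></p>',
)
LEGIT_HTML = (
    "This month's Microsoft security bulletins",
    '<p>The September bulletins are summarised at <a href="http://www.microsoft.com/'
    'protect/computer/updates/bulletins/200709.mspx">http://www.microsoft.com/'
    'protect/computer/updates/bulletins/200709.mspx</a>. Patches are installed '
    'through Windows Update, never by e-mail.</p>',
)
LOOKALIKE_TEXT = (
    "Missing patch on your computer",
    "Your system is missing a critical patch. Install it from "
    "http://www.microsoft.com.security-alerts.example/download",
)
UNRELATED_TEXT = (
    "Lunch on Friday?",
    "Menu is at http://cafeteria.example/menu - see you there.",
)

if __name__ == "__main__":
    for subject, body in (PHISH_HTML, LEGIT_HTML, LOOKALIKE_TEXT, UNRELATED_TEXT):
        print(subject, "->", check_message(subject, body) or "clean")
```

The suffix check in host_is_vendor is deliberate: a naive substring test would accept the look-alike host www.microsoft.com.security-alerts.example, which is exactly the trick these messages rely on. The legitimate September bulletin page passes clean because its link host really is a microsoft.com subdomain and its link text matches the href.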


------------------------------------
Let us know how we're doing
------------------------------------

Do you find this communication helpful?  Are there other items of  
interest you would like to see included as well?  Please take a  
moment to let us know. <ist-security-fyi-owner at mit.edu>

Thank you,

Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
