[IS&T Security-FYI] Newsletter, February 15, 2008
Monique Yeaton
myeaton at MIT.EDU
Fri Feb 15 13:52:18 EST 2008
In this issue:
1. February 2008 Security Updates
2. VirusScan 8.6 for Macintosh Released for MIT Community
--------------------------------------------
1. February 2008 Security Updates
--------------------------------------------
This month has seen a variety of software security patches from
Microsoft, Apple, Mozilla, and Adobe. Here is a run-down of the
products that were affected.
----Microsoft----
* All supported versions of Windows
* Microsoft Internet Explorer
* Microsoft Office
* Microsoft Visual Basic
* Microsoft Internet Information Services (IIS)
The Security Bulletin from Microsoft released on February 12 included
six critical and five important patches for the Windows operating
system and Office products. These patches are now approved for
deployment via MIT WAUS.
The most severe vulnerabilities could allow a remote, unauthenticated
attacker to execute arbitrary code, gain elevated privileges, or
cause a denial of service.
For more info:
<http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx>
* Microsoft Office 2004 for Mac
Microsoft released the Office 2004 for Mac 11.4.0 update on February 13.
The update for Microsoft Office suite applications patches a
vulnerability that could allow an attacker to overwrite a Mac's
memory with malicious code. It is available through Microsoft
AutoUpdate on the operating system or the Microsoft Downloads for Mac
web page.
For more info:
<http://www.microsoft.com/mac/downloads.mspx>
----Apple----
* Apple Mac OS X versions prior to and including 10.4.11 and 10.5.1
* Apple Mac OS X Server versions prior to and including 10.4.11 and
10.5.1
* Both Intel and PowerPC platforms
Apple released Security Update 2008-001 and OS X version 10.5.2
on February 12 to correct multiple vulnerabilities. Attackers could
exploit these vulnerabilities to execute arbitrary code, gain access
to sensitive information, or cause a denial of service.
Install Apple Security Update 2008-001 or Apple Mac OS X version
10.5.2. These and other updates are available via Software Update on
the operating system or via the Apple Downloads web page.
For more info:
<http://docs.info.apple.com/article.html?artnum=307430>
----Mozilla----
* Firefox 2.0.0.11 and earlier
Regular readers of this newsletter may remember that the January 18
issue mentioned a spoofing bug in Firefox 2.0.0.11. This bug and a
few others were addressed with the release of Firefox 2.0.0.12 on
February 7.
For more info:
<http://www.mozilla.com/en-US/firefox/2.0.0.12/releasenotes/>
----Adobe----
* Adobe Reader version 8.1.1 and earlier
* Adobe Acrobat Professional, 3D, and Standard versions 8.1.1 and
earlier
Adobe released Security advisory APSA08-01 on February 6 to address
multiple vulnerabilities affecting Adobe Reader and Acrobat. An
attacker could exploit these vulnerabilities by convincing a user to
load a specially crafted Adobe Portable Document Format (PDF) file.
Acrobat integrates with popular web browsers, and visiting a web site
is usually sufficient to cause Acrobat to load PDF content. At least
one of these vulnerabilities is being actively exploited.
There are a few ways to mitigate these vulnerabilities:
1. Upgrade Adobe Reader or Acrobat to version 8.1.2 according to the
information in Adobe Security advisory APSA08-01 (see link below).
2. Apply a workaround by disabling PDF documents from automatically
being opened in a web browser with Acrobat or Reader. Applying the
workaround in conjunction with upgrading may prevent similar
vulnerabilities from being automatically exploited.
   1. Open Adobe Acrobat or Adobe Reader.
   2. Open the Edit menu. If using a Mac, open the menu just to the
      right of the Apple symbol.
   3. Choose the Preferences option.
   4. Choose the Internet section.
   5. De-select the "Display PDF in browser" check box.
For more info:
<http://www.adobe.com/support/security/advisories/apsa08-01.html>
--------------------------------------------
2. VirusScan 8.6 for Macintosh Released for MIT Community
--------------------------------------------
Information Services and Technology (IS&T) announced support for
VirusScan 8.6 for Mac OS X users on February 6. VirusScan 8.6 is the
virus protection application recommended by MIT for users of
Macintosh OS X 10.4 and OS X 10.5 (Leopard).
While an argument can be made that Macintosh computers are less
vulnerable to viruses than Windows computers, users of any computer
are still susceptible to scams in which trickery is used to get a
user to download an infected file or click on a link that leads to an
exploited web page.
VirusScan 8.6 can be downloaded at no cost to MIT community members
from:
<http://web.mit.edu/software/mac.html>
Regarding Leopard: IS&T recommends that you WAIT and not upgrade to
Leopard until IS&T announces full support for Leopard early this
year. If you have a new Macintosh with Leopard already preinstalled,
IS&T will provide limited support.
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security