[IS&T Security-FYI] Newsletter, February 15, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Feb 15 13:52:18 EST 2008


In this issue:

1. February 2008 Security Updates
2. VirusScan 8.6 for Macintosh Released for MIT Community


--------------------------------------------
1. February 2008 Security Updates
--------------------------------------------

This month has seen a variety of software security patches from  
Microsoft, Apple, Mozilla, and Adobe. Here is a run-down of the  
products that were affected.

----Microsoft----

  * All supported versions of Windows
  * Microsoft Internet Explorer
  * Microsoft Office
  * Microsoft Visual Basic
  * Microsoft Internet Information Services (IIS)

The Security Bulletin from Microsoft released on February 12 included  
six critical and five important patches for the Windows operating  
system and Office products. These patches are now approved for  
deployment via MIT WAUS.

The most severe vulnerabilities could allow a remote, unauthenticated  
attacker to execute arbitrary code, gain elevated privileges, or  
cause a denial of service.

For more info:
<http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx>

  * Microsoft Office 2004 for Mac

Microsoft released the Office 2004 for Mac 11.4.0 update on February 13.
The update for the Microsoft Office suite applications patches a
vulnerability that could allow an attacker to overwrite a Mac's  
memory with malicious code.  It is available through Microsoft  
AutoUpdate on the operating system or the Microsoft Downloads for Mac  
web page.

For more info:
<http://www.microsoft.com/mac/downloads.mspx>

----Apple----

  * Apple Mac OS X versions prior to and including 10.4.11 and 10.5.1
  * Apple Mac OS X Server versions prior to and including 10.4.11 and 10.5.1
  * Both Intel and PowerPC platforms

Apple released Security Update 2008-001 and OS X version 10.5.2
on February 12 to correct multiple vulnerabilities. Attackers could
exploit these vulnerabilities to execute arbitrary code, gain access  
to sensitive information, or cause a denial of service.

Install Apple Security Update 2008-001 or Apple Mac OS X version  
10.5.2. These and other updates are available via Software Update on  
the operating system or via the Apple Downloads web page.

For more info:
<http://docs.info.apple.com/article.html?artnum=307430>

----Mozilla----

  * Firefox 2.0.0.11 and earlier

Those who read these newsletters regularly may remember that the
January 18 issue mentioned a spoofing bug in Firefox 2.0.0.11. This
bug and a few others were addressed with the release of Firefox  
2.0.0.12 on February 7.

For more info:
<http://www.mozilla.com/en-US/firefox/2.0.0.12/releasenotes/>

----Adobe----

  * Adobe Reader version 8.1.1 and earlier
  * Adobe Acrobat Professional, 3D, and Standard versions 8.1.1 and earlier

Adobe released Security advisory APSA08-01 on February 6 to address  
multiple vulnerabilities affecting Adobe Reader and Acrobat. An  
attacker could exploit these vulnerabilities by convincing a user to  
load a specially crafted Adobe Portable Document Format (PDF) file.  
Acrobat integrates with popular web browsers, and visiting a web site  
is usually sufficient to cause Acrobat to load PDF content. At least  
one of these vulnerabilities is being actively exploited.

There are a few ways to mitigate these vulnerabilities:

1. Upgrade Adobe Reader or Acrobat to version 8.1.2 according to the  
information in Adobe Security advisory APSA08-01 (see link below).
2. Apply a workaround by preventing PDF documents from being opened
automatically in a web browser with Acrobat or Reader. Applying the
workaround in conjunction with upgrading may prevent similar
vulnerabilities from being automatically exploited.

     1. Open Adobe Acrobat or Adobe Reader.
     2. Open the Edit menu. If using a Mac, open the menu just to the
        right of the Apple symbol.
     3. Choose the Preferences option.
     4. Choose the Internet section.
     5. De-select the "Display PDF in browser" check box.

For more info:
<http://www.adobe.com/support/security/advisories/apsa08-01.html>
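
The affected-version lists above can be checked against a software
inventory. The following is an added example, not part of the original
newsletter: it compares dotted version numbers component by component,
because a plain string comparison ranks "2.0.0.9" above "2.0.0.11" and
would miss an affected Firefox install. The host names and inventory
rows are constructed sample data.

```python
# Added example: flag installed versions that the newsletter lists as affected.
# Highest affected version per product, taken from the newsletter text.
# Mac OS X 10.4.x is omitted: the newsletter's fix for it is
# Security Update 2008-001, not a version number it names.
LAST_AFFECTED = {
    "Firefox": "2.0.0.11",
    "Adobe Reader": "8.1.1",
    "Adobe Acrobat": "8.1.1",
    "Mac OS X 10.5": "10.5.1",
}

def parse_version(text):
    """Turn '2.0.0.11' into (2, 0, 0, 11) so components compare as numbers."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(product, installed):
    """True if installed <= last affected version; None if product is unknown."""
    limit = LAST_AFFECTED.get(product)
    if limit is None:
        return None
    a, b = parse_version(installed), parse_version(limit)
    # Pad the shorter tuple with zeros so 8.1 compares as 8.1.0.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b

def audit(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed inventory (hypothetical host names).
SAMPLE_INVENTORY = [
    ("host-a", "Firefox", "2.0.0.9"),
    ("host-b", "Firefox", "2.0.0.12"),
    ("host-c", "Adobe Reader", "8.1.2"),
    ("host-d", "Adobe Reader", "8.1"),
    ("host-e", "Mac OS X 10.5", "10.5.1"),
    ("host-f", "Mac OS X 10.5", "10.5.2"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in the affected range")
```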


--------------------------------------------
2. VirusScan 8.6 for Macintosh Released for MIT Community
--------------------------------------------

Information Services and Technology (IS&T) announced support for  
VirusScan 8.6 for Mac OS X users on February 6. VirusScan 8.6 is the  
virus protection application recommended by MIT for users of  
Macintosh OS X 10.4 and OS X 10.5 (Leopard).

While an argument can be made that Macintosh computers are less  
vulnerable to viruses than Windows computers, users of any computer  
are still susceptible to scams in which trickery is used to get a  
user to download an infected file or click on a link that leads to an  
exploited web page.

VirusScan 8.6 can be downloaded at no cost to MIT community members  
from:
<http://web.mit.edu/software/mac.html>

Regarding Leopard: IS&T recommends that you WAIT and not upgrade to  
Leopard until IS&T announces full support for Leopard early this  
year. If you have a new Macintosh with Leopard already preinstalled,  
IS&T will provide limited support.


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security





