[IS&T Security-FYI] SFYI Newsletter, January 14, 2013

Monique Yeaton myeaton at MIT.EDU
Mon Jan 14 15:34:41 EST 2013


In this issue:


1. About Java and its Risks

2. Microsoft Releases Out-of-Band Security Bulletin



------------------------------------

1. About Java and its Risks

------------------------------------


Last week a vulnerability in Oracle's Java 7 Update 10<http://www.computerworld.com/s/article/9235550/Attackers_are_now_exploiting_a_Java_zero_day_vulnerability> and earlier was detected. Apple subsequently addressed the issue through the anti-malware system built into OS X, disabling Java 7 plug-ins on Macs where they are already installed.


Oracle has now released Java 7 Update 11 to address the vulnerability. Users of Java can access the free update here<http://www.java.com/en/download/index.jsp>.


What is Java and what are its risks?

This Java issue brings up possible questions in people's minds. What is Java and why do I need it?<http://www.java.com/en/download/whatis_java.jsp> Java is a programming language and computing platform first released by Sun Microsystems in 1995. It is the underlying technology that powers programs including utilities, games, and business applications. To learn more about Java and to answer some of these questions, see the Oracle website<http://www.java.com/en/download/help/index.xml> or the PDF of this month's issue of OUCH! from SANS.org<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201301_en.pdf>, dedicated entirely to Java.


Java has become a popular target for cyber criminals, who will use weaknesses in Java to attack computers that have it installed.


What do I do now?

You may have a plug-in for Java running in your browser. This was my experience with Java:


Within my Firefox browser I had a plug-in installed for Java Applet 14.5.0. I clicked the option "Check to see if your plug-ins are up to date" and was told by Mozilla that my Java Applet Plug-in is outdated. Clicking "Update" linked me to Oracle where the latest update is available. Instructions followed for how to update Java on my Mac. After I ran the installation, the plug-in in Firefox changed from Applet 14.5.0 to Java 7 Update 11.


Note that experiences will vary depending on the browser you have installed (Safari, Firefox, and Chrome address plug-ins differently from one another) and its version.


If you are unsure about whether you need to update Java, you can use this link<http://www.java.com/en/download/testjava.jsp>. If no message appears about the status of Java on your system, you can do what I did and see if you have a plug-in for Java in your browser<http://www.java.com/en/download/help/enable_browser.xml> (these will reside in what might be called "add-ons"). Then follow the steps above to update it. If you don't have Java installed on your system, you can access it from Oracle here<http://www.java.com/en/download/index.jsp>.


If you can do without Java, either don't install it or disable it. If you can't do without it, the best thing to do is to make sure it is current. Windows users can do this by checking the Java icon in the Control Panel and confirming it is the latest version and is set for automatic updating. Mac users will need to update their version of Java themselves by going to the Oracle website<http://www.java.com/en/download/help/index_installing.xml?user_os=Macintosh%20OS%20X&user_jre=7.0>.



--------------------------------------------------------------------

2. Microsoft Releases Out-of-Band Security Bulletin

--------------------------------------------------------------------


Today (January 14) Microsoft is releasing an out-of-band security bulletin<http://technet.microsoft.com/en-us/security/bulletin/ms13-jan> to address vulnerabilities in the following systems:


  *   Internet Explorer 6, 7 and 8 on Windows XP, Vista and Windows 7 as well as on Windows Server 2003, 2008 and 2008 R2.


Internet Explorer 9 on Windows 8 systems is not affected.


The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.


Security updates are available from the Windows Update tool, the Windows Server Update Services or the Download Center. MIT WAUS subscribers will receive updates as they are tested and released.


===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================



Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

