<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><DIV><BR class="khtml-block-placeholder"></DIV><DIV>It is once again a week of released Microsoft updates. Here is our summary on these latest as well as other vulnerabilities not related to Microsoft and announced by CERT (<A href="http://www.cert.org">www.cert.org</A>) which you will want to be aware of.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>-----------------------</DIV><DIV>Microsoft Patches</DIV><DIV>-----------------------</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>On Jan. 9, Patch Tuesday, Microsoft released updates for the following:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>- Windows</DIV><DIV>- Internet Explorer</DIV><DIV>- Outlook</DIV><DIV>- Excel for Windows and Mac OS X</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Descriptions of the vulnerabilities are available in Microsoft Security Bulletins MS07-001 through MS07-004. Three of these are listed as critical and one as important.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>A summary of the January 2007 bulletins can be found here:</DIV><DIV><<A href="http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx">http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx</A>></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>We recommend that users take the upgrades unless you have specific information indicating that it is incompatible with an application you need to use.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>These patches are now approved for deployment via MIT WAUS.</DIV><DIV><<A href="http://web.mit.edu/ist/topics/windows/updates/">http://web.mit.edu/ist/topics/windows/updates/</A>></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>To download all of the updates manually:</DIV><DIV>Visit Windows Update <<A href="http://go.microsoft.com/?LinkID=275655">http://go.microsoft.com/?LinkID=275655</A>> and click "Scan for updates."</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Visit the Protect your PC site <<A href="http://www.microsoft.com/athome/security/default.mspx">http://www.microsoft.com/athome/security/default.mspx</A>> to learn how to have the latest security updates delivered directly to your computer.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>The very best first line of defense against vulnerabilities is to take Microsoft patches automatically whenever feasible. We want to thank everyone who already uses Microsoft's Automatic Update Service or MIT's local Windows Automatic Update Service.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>-------------------</DIV><DIV>Microsoft Word</DIV><DIV>-------------------</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>As a follow up to the Word vulnerabilities reported in December 2006, Microsoft has not addressed this issue in the January release. Microsoft is closely monitoring this issue and concludes that the vulnerability is subject to very limited and targeted attacks. In order for an attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker. They strongly recommend users always exercise extreme caution when opening unsolicited attachments from known and unknown sources.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>---------------------</DIV><DIV>Apple QuickTime </DIV><DIV>---------------------</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>A vulnerability exists in the way Apple QuickTime handles specially crafted Real Time Streaming Protocol (RTSP) URL strings. This means that malicious code could exist on web pages that use a QuickTime plug-in or ActiveX control, a page that uses "rtsp://" protocol or in a file that is associated with the QuickTime Player. The vulnerability is not dependent on the web browser being used. Note that Apple iTunes and other software using QuickTime may also be affected. </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Systems affected:</DIV><DIV>- Microsoft Windows platforms</DIV><DIV>- Apple Mac platforms</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>There is currently no solution available for this problem. We recommend you do not access QuickTime (video) files from untrusted sources. </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>In order to convince users to visit their sites, attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>More on cross-site scripting can be found here: <<FONT class="Apple-style-span" size="3"><SPAN class="Apple-style-span" style="font-size: 12px;"><A href="http://en.wikipedia.org/wiki/Cross_site_scripting">http://en.wikipedia.org/wiki/Cross_site_scripting</A>></SPAN></FONT></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>We will track this QuickTime vulnerability and provide follow up information when a patch has been made available.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>------------------------------------------------------------</DIV><DIV>Adobe Acrobat Plug-in Version 7.0.8 and earlier</DIV><DIV>------------------------------------------------------------</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Several vulnerabilities exist in the Adobe Acrobat Plug-in. The Plug-in allows users to view PDF files inside of a web browser. A malicious file must be loaded in Adobe Reader by the end user for an attacker to exploit these vulnerabilities and take control of the affected system.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>We recommend you upgrade to Adobe Reader 7.0.9. If you have a version earlier than 7.0.8 you may need to install the incremental patch (see <A href="http://www.adobe.com">http://www.adobe.com</A>).</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>The IS&T department at MIT has made the 7.0.9 Adobe Reader version available on their downloads page. To view and download the latest supported software visit <<A href="http://web.mit.edu/software/mac.html">http://web.mit.edu/software/mac.html</A>> for Mac users, and <<A href="http://web.mit.edu/software/win.html">http://web.mit.edu/software/win.html</A>> for Windows users. </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>-----------</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>If you have any questions regarding any of these issues, please contact <A href="mailto:security@mit.edu">security@mit.edu</A>. I want to thank you for staying aware of IT Security issues. Let's make 2007 a safe computing year!</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Sincerely,</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR><DIV> <SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><DIV>Monique Yeaton</DIV><DIV>IT Security Awareness Consultant</DIV><DIV>MIT Information Services & Technology (IS&T)</DIV><DIV>N42-040, tel: (617) 253-2715</DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR class="Apple-interchange-newline"></SPAN></SPAN> </DIV><BR></BODY></HTML>