[IS&T Security-FYI] Newsletter, April 20, 2007

Monique Yeaton myeaton at MIT.EDU
Fri Apr 20 12:09:21 EDT 2007


In this issue:

1. CERT: Apple Updates for Multiple Vulnerabilities
2. Follow up to Last Week's Tip


----------------------------------------------------------------
1. CERT: Apple Updates for Multiple Vulnerabilities
----------------------------------------------------------------

This message is copied from the CERT Technical Cyber Security Alert  
TA07-109A received on April 19:

Systems Affected

* Apple Mac OS X version 10.3.9 and 10.4.9
* Apple Mac OS X Server version 10.3.9 and 10.4.9
* Both Intel-based and PowerPC-based Apple systems

Overview

Apple has released Security Update 2007-004 to correct multiple  
vulnerabilities affecting Apple Mac OS X and Mac OS X Server. The  
most serious of these vulnerabilities may allow a remote attacker to  
execute arbitrary code. Attackers may take advantage of the less  
serious vulnerabilities to bypass security restrictions or cause a  
denial of service.

I. Description
Apple Security Update 2007-004 addresses a number of vulnerabilities  
affecting Apple Mac OS X and OS X Server. Further details are  
available in the related vulnerability notes.

Several of the fixes included in this update address vulnerabilities  
in products from other vendors that ship with Apple OS X or OS X  
Server. These products include
* GNU Tar
* MIT Kerberos

II. Impact
The impacts of these vulnerabilities vary. Potential consequences  
include remote execution of arbitrary code or commands, bypass of  
security restrictions, and denial of service.

III. Solution
Install Apple Security Update 2007-004. This and other updates are  
available via Software Update or via Apple Downloads  
<http://www.apple.com/support/downloads/>.

More about the Security Update 2007-004:
<http://docs.info.apple.com/article.html?artnum=305391>


---------------------------------------
2. Follow up to Last Week's Tip
---------------------------------------

In last week's Tip, which discussed how to protect a new PC from  
becoming infected when first connecting to the Internet, I included  
information that made the instructions difficult to follow.

Step 1 says to include on the start-up CD-ROM any new patches for  
the operating system and for the software already installed on your  
new PC. I realized from reader response that saving Windows patches  
to a CD is something that the average PC user may not know how to do.  
It would be difficult to actually carry out this portion of the step  
without more detailed instructions.

To make it easier to carry out Step 1, I suggest that you burn the  
anti-virus software to the CD but skip adding the Windows or software  
patches to the CD.

Continue with Step 2, and as part of it don't forget to remove any  
pre-installed or promotional anti-virus or anti-spyware software from  
the new PC as well, so that only the product you installed is running.

Skip Step 3, as this relates to the Windows patches in Step 1 and  
continue with Steps 4 and 5.

As a new step, Step 6, your new PC now has both the firewall and the  
anti-virus software in place and is in reasonably good shape, even  
though it is not yet patched. Make sure the administrator account has  
a password: without one, anyone who can log on to the machine gets  
full control of it. You can also start transferring software and  
files from your old computer, which can be done with an ethernet  
cable between the two machines. Attach your peripherals (for instance  
printers) to the computer. Now connect to the Internet and, before  
doing anything else online, download your Windows patches from  
<http://update.microsoft.com>.
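The checks behind Step 6 can be scripted. The following is an added example, not something from the newsletter or from MIT IS&T, and it assumes a current Windows 10/11 client with Windows PowerShell 5.1 or later run from an elevated prompt (none of these cmdlets existed on the Windows XP machines of 2007). The function name `Test-NewPcReadiness`, its `-CheckUpdates` switch and the names of its output fields are this example's own. It confirms that every firewall profile is on, that a registered anti-virus product reports itself enabled, and that no enabled local account lacks a password; only when `-CheckUpdates` is given does it ask the Windows Update Agent which updates are still missing, since that part needs the Internet connection the rest of the checklist is meant to precede.

```powershell
# Added example: pre-connection checklist for a new Windows PC (Step 6).
# Assumes Windows 10/11, PowerShell 5.1+, elevated. Names are hypothetical.

function Test-NewPcReadiness {
    [CmdletBinding()]
    param(
        # Only meaningful once the PC is online; leave it off for the
        # pre-connection run.
        [switch]$CheckUpdates
    )

    # 1. All three Windows Firewall profiles (Domain, Private, Public)
    #    must be enabled before the cable goes in.
    $firewall = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction
    $firewallOk = @($firewall | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0

    # 2. Anti-virus products register with the Security Center. productState
    #    is an undocumented bitmask; the conventional reading is that bit
    #    0x1000 means "real-time protection enabled".
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.displayName
                Enabled = (($_.productState -band 0x1000) -ne 0)
            }
        }
    $avOk = @($av | Where-Object { $_.Enabled }).Count -gt 0

    # 3. An enabled local account that does not require a password is the
    #    condition Step 6 warns about for the administrator account.
    $noPassword = Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object -ExpandProperty Name

    # 4. Optional: ask the Windows Update Agent (COM API) for software
    #    updates that are not installed and not hidden. Requires connectivity
    #    to Microsoft's update servers, so run this right after connecting
    #    and before browsing anywhere else.
    $missing = @()
    if ($CheckUpdates) {
        try {
            $session  = New-Object -ComObject 'Microsoft.Update.Session'
            $searcher = $session.CreateUpdateSearcher()
            $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
            $missing  = @($result.Updates | ForEach-Object { $_.Title })
        }
        catch {
            Write-Warning "Update search failed (offline?): $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        FirewallProfiles   = $firewall
        FirewallOk         = $firewallOk
        AntiVirus          = $av
        AntiVirusOk        = $avOk
        AccountsNoPassword = @($noPassword)
        MissingUpdates     = $missing
        ReadyToConnect     = ($firewallOk -and $avOk -and @($noPassword).Count -eq 0)
    }
}

# Before plugging in the network cable:
Test-NewPcReadiness | Format-List

# Immediately after connecting, to see what Windows Update still owes you:
# Test-NewPcReadiness -CheckUpdates | Select-Object -ExpandProperty MissingUpdates
```

If `ReadyToConnect` is false, fix whatever it flags (turn the missing profile on, set the password with `Set-LocalUser -Password`, finish the anti-virus install) before going online; the update list is informational and is what Windows Update itself will offer to install.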

If you are interested in learning how to download Windows patches so  
that they can be saved to a CD and shared between computers, I found  
a few articles online that go into more detail:

<http://www.uninets.net/~blaisdel/whistler6.htm#SaveUpdatesToCD>
<http://www.pcworld.com/article/id,126019-c,windowstips/article.html>
<http://www.tech-recipes.com/windows_tips87.html>
<http://windowsxp.mvps.org/saveupdates.htm>

If you still have questions, the IS&T Help Desk  
<computing-help at mit.edu> will be able to offer assistance.

Thank you for your feedback and for reading our security newsletter.

Monique


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security