[IS&T Security-FYI] Patch Tuesday and other Updates

Monique Yeaton myeaton at MIT.EDU
Fri Jan 12 16:01:06 EST 2007


It is once again a week of Microsoft updates. Here is our summary of  
the latest Microsoft patches, along with other vulnerabilities  
announced by CERT (www.cert.org) that are not related to Microsoft but  
which you will want to be aware of.

-----------------------
Microsoft Patches
-----------------------

On Jan. 9, Patch Tuesday, Microsoft released updates for the following:

- Windows
- Internet Explorer
- Outlook
- Excel for Windows and Mac OS X

Descriptions of the vulnerabilities are available in Microsoft  
Security Bulletins MS07-001 through MS07-004. Three of these are  
listed as critical and one as important.

A summary of the January 2007 bulletins can be found here:
<http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx>

We recommend that users take the updates unless you have specific  
information indicating that a patch is incompatible with an  
application you need to use.

These patches are now approved for deployment via MIT WAUS.
<http://web.mit.edu/ist/topics/windows/updates/>

To download all of the updates manually:
Visit Windows Update <http://go.microsoft.com/?LinkID=275655> and  
click "Scan for updates."

Visit the Protect your PC site  
<http://www.microsoft.com/athome/security/default.mspx> to learn how to  
have the latest security updates delivered directly to your computer.

The very best first line of defense against vulnerabilities is to  
take Microsoft patches automatically whenever feasible. We want to  
thank everyone who already uses Microsoft's Automatic Update Service  
or MIT's local Windows Automatic Update Service.


-------------------
Microsoft Word
-------------------

As a follow-up to the Word vulnerabilities reported in December 2006:  
Microsoft did not address them in the January release. Microsoft is  
closely monitoring the issue and reports that the vulnerability is  
subject to very limited and targeted attacks. For an attack to be  
carried out, a user must first open a malicious Word file attached to  
an e-mail or otherwise provided to them by an attacker. Microsoft  
strongly recommends that users always exercise extreme caution when  
opening unsolicited attachments, whether from known or unknown  
sources.


---------------------
Apple QuickTime
---------------------

A vulnerability exists in the way Apple QuickTime handles specially  
crafted Real Time Streaming Protocol (RTSP) URL strings. An attacker  
can deliver such a URL through a web page that uses the QuickTime  
plug-in or ActiveX control, a page that links to an "rtsp://" URL, or  
a file type that is associated with QuickTime Player. The  
vulnerability does not depend on which web browser is used. Note that  
Apple iTunes and other software that uses QuickTime may also be  
affected.

Systems affected:
- Microsoft Windows platforms
- Apple Mac platforms

There is currently no solution available for this problem. We  
recommend you do not access QuickTime (video) files from untrusted  
sources.

In order to convince users to visit their sites, attackers often use  
a variety of techniques to create misleading links including URL  
encoding, IP address variations, long URLs, and intentional  
misspellings. Do not click on unsolicited links received in email,  
instant messages, web forums, or internet relay chat (IRC) channels.  
Type URLs directly into the browser to avoid these misleading links.  
While these are generally good security practices, following these  
behaviors will not prevent exploitation of this vulnerability in all  
cases, particularly if a trusted site has been compromised or allows  
cross-site scripting.

More on cross-site scripting can be found here:  
<http://en.wikipedia.org/wiki/Cross_site_scripting>
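One way to put the link advice above into practice, as an added example that is not part of the original notice and not code from IS&T, Apple or Microsoft: the script below pulls the URLs out of a message and flags the rtsp:// links that would be handed to QuickTime, plus the misleading-link patterns named above (URL encoding of characters that never needed it, IP-address hosts including the bare decimal and hex forms browsers accept, over-long URLs, and hostnames one or two edits away from a domain you trust). The trusted-domain list, the length threshold, the two-label "registered domain" shortcut and the sample message are all assumptions.

```python
"""Triage links in a message for the warning signs described above.

Added example for this notice, not code from IS&T, Apple or Microsoft.
Assumptions: the TRUSTED_DOMAINS list, the LONG_URL threshold, the
two-label "registered domain" shortcut, and the constructed sample text.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed: domains the reader actually trusts; lookalikes are measured against these.
TRUSTED_DOMAINS = ("mit.edu", "microsoft.com", "apple.com", "adobe.com")
LONG_URL = 150          # assumed threshold for "long URLs"
LOOKALIKE_DISTANCE = 2  # assumed: at most this many edits from a trusted domain

URL_RE = re.compile(r"\b(?:https?|rtsp|ftp)://[^\s<>\"']+", re.I)
ENCODED_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2})+")


def edit_distance(a, b):
    """Levenshtein distance; used to catch intentional misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def numeric_host(host):
    """Return the dotted quad for an IP-literal host, else None.

    Accepts a normal dotted quad plus the bare decimal and hex forms
    (e.g. 3232235521 or 0xC0A80001) that browsers resolve to an address.
    """
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    m = re.fullmatch(r"0x([0-9a-f]+)|(\d+)", host, re.I)
    if m:
        value = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        if value < 2 ** 32:
            return str(ipaddress.IPv4Address(value))
    return None


def registered_domain(host):
    """Last two labels of the host (assumed shortcut; real code uses the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def triage_url(url):
    """Return the list of warning signs for one URL (empty list means none)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() == "rtsp":
        findings.append("rtsp-scheme")        # would be handed to QuickTime
    if len(url) > LONG_URL:
        findings.append("long-url")
    # Percent-encoding of characters that never needed it (letters, digits, ./:@)
    # hides the real destination from a human reader.
    if any(c.isalnum() or c in "./:@"
           for run in ENCODED_RUN_RE.findall(url) for c in unquote(run)):
        findings.append("url-encoded")
    host = unquote(parts.hostname or "")   # compare the host the browser will actually use
    addr = numeric_host(host)
    if addr:
        findings.append("ip-host:" + addr)
    else:
        reg = registered_domain(host)
        for trusted in TRUSTED_DOMAINS:
            d = edit_distance(reg, trusted)
            if 0 < d <= LOOKALIKE_DISTANCE:
                findings.append("lookalike:" + trusted)
    return findings


def triage_text(text):
    """Map each URL found in the text to its warning signs; clean URLs are omitted."""
    report = {}
    for url in URL_RE.findall(text):
        findings = triage_url(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample message (not a real e-mail): one clean link and several suspicious ones.
SAMPLE_MESSAGE = (
    "The January bulletin summary is at\n"
    "http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx\n"
    "Watch the clip: rtsp://media.example.com/clip.mov\n"
    "Log in at http://www.micr0soft.com/login to verify your account.\n"
    "Also see http://3232235521/update.exe and http://www.%6Dit.edu/x\n"
    "Full report: http://www.example.com/download?"
    + "&".join(f"p{i}=x" for i in range(40)) + "\n"
)

if __name__ == "__main__":
    for url, findings in triage_text(SAMPLE_MESSAGE).items():
        print(f"{', '.join(findings):28} {url[:70]}")
```

The host is percent-decoded before the lookalike comparison because that is the name the browser will actually resolve; checking the raw text alone would let "www.%6Dit.edu" slip past a trusted-domain list while still looking odd to a reader, which is exactly the gap the "url-encoded" finding covers.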

We will track this QuickTime vulnerability and provide follow up  
information when a patch has been made available.


------------------------------------------------------------
Adobe Acrobat Plug-in Version 7.0.8 and earlier
------------------------------------------------------------

Several vulnerabilities exist in the Adobe Acrobat plug-in, which  
lets users view PDF files inside a web browser. To exploit these  
vulnerabilities and take control of the affected system, an attacker  
must get the end user to load a malicious file in Adobe Reader.

We recommend you upgrade to Adobe Reader 7.0.9. If you have a version  
earlier than 7.0.8, you may first need to install the incremental  
patch (see http://www.adobe.com).

The IS&T department at MIT has made the 7.0.9 Adobe Reader version  
available on their downloads page. To view and download the latest  
supported software visit <http://web.mit.edu/software/mac.html> for  
Mac users, and <http://web.mit.edu/software/win.html> for Windows users.

-----------

If you have any questions regarding any of these issues, please  
contact security at mit.edu. I want to thank you for staying aware of IT  
Security issues. Let's make 2007 a safe computing year!

Sincerely,



Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
N42-040, tel: (617) 253-2715


