[IS&T Security-FYI] Newsletter, July 13, 2007
Monique Yeaton
myeaton at MIT.EDU
Fri Jul 13 10:36:58 EDT 2007
In this issue:
1. Microsoft's Patches for July 2007
2. Flash Player & QuickTime Updates
3. Postcard Spam Warning
---------------------------------------------
1. Microsoft's Patches for July 2007
---------------------------------------------
This past Tuesday, July 10, Microsoft released 6 security patches, 3
of which are critical, for the following components:
- Windows 2000 and XP
- Windows Server 2003
- Windows XP Professional
- Windows Vista
- Excel
- Publisher
- .NET Framework
The patches have been approved for deployment via MIT WAUS.
If you have Automatic Updates enabled on your system, the updates are
delivered to you when they are released, but you have to make sure
you install them. We recommend that you take the updates unless you
have specific information indicating that they are incompatible with an
application you need to use. You will have to restart your computer
after applying the patches.
Detailed descriptions of the 6 updates are in Microsoft Security
Bulletins MS07-036 through MS07-041, available here:
<http://www.microsoft.com/technet/security/bulletin/ms07-Jul.mspx>
End users who wish to skip the details and go right to the download
page can go here:
<http://www.microsoft.com/protect/computer/updates/bulletins/200707.mspx>
------------------------------------------------
2. Flash Player & QuickTime Updates
------------------------------------------------
There are critical vulnerabilities in Adobe Flash Player and related
software. Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code or cause a denial
of service on a vulnerable system.
Visit the Macromedia site to see if you have the latest player
version installed: <http://www.macromedia.com/software/flash/about/>
More information about the update is also available here:
<http://www.adobe.com/support/security/bulletins/apsb07-12.html>
---
Apple QuickTime contains multiple vulnerabilities. Exploitation of
these vulnerabilities could allow a remote attacker to execute
arbitrary code or cause a denial-of-service condition.
Apple QuickTime 7.2 resolves multiple vulnerabilities in the way Java
applets and various types of media files are handled. Note that
QuickTime ships with Apple iTunes.
Solutions:
Upgrade to QuickTime 7.2. This and other updates for Mac OS X are
available via Apple Update.
On Microsoft Windows, QuickTime users can install the update by using
the built-in auto-update mechanism, Apple Software Update, or by
installing the update manually.
Disabling QuickTime or Java in your web browser may defend against
this attack. For more information, refer to the Securing Your Web
Browser document.
Apple QuickTime 7.2 for Windows:
<http://www.apple.com/support/downloads/quicktime72forwindows.html>
Apple QuickTime 7.2 for Mac:
<http://www.apple.com/support/downloads/quicktime72formac.html>
CERT document on Securing Your Web Browser:
<http://www.us-cert.gov/reading_room/securing_browser/>
----------------------------------
3. Postcard Spam Warning
----------------------------------
We'd like to warn MIT computer users about a new wave of spam with
the subject line "You've received a postcard from a family member!"
Other variants of this spam email include the following subject
lines: "BlueMountain.com greeting from a colleague," "July 4th B-B-Q
Party," and "Independence Day Party."
These messages claim to be greetings from postcard services such as
americangreetings.com, bluemountain.com and 2000greetings.com, among
others.
Malicious website links are embedded in the email and appear to
employ multiple methods to exploit a web browser in order to
compromise a computer system.
If you haven't gotten one of these emails in your inbox, just give it
time. There have been enough variants that they can get through spam
filters. We remind users to be careful opening email and email
attachments.
To learn more about spam filtering see:
<http://mit.edu/ist/services/email/nospam/>
Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security