[IS&T Security-FYI] Newsletter, June 1, 2007
Monique Yeaton
myeaton at MIT.EDU
Fri Jun 1 16:55:03 EDT 2007
In this issue:
1. Fix for Windows Installer (MSI)
2. Mozilla Updates
3. Note to Students and Faculty
-----------------------------------------
1. Fix for Windows Installer (MSI)
-----------------------------------------
This information comes from Richard Edelson of the Network &
Infrastructure Services team:
Microsoft has released two non-security updates to address some of
the performance issues that have arisen recently with the Automatic
Updates client in Windows. These updates have now been approved on
MIT WAUS.
-- Update for Windows (KB927891):
<http://support.microsoft.com/kb/927891/en-us>
This is a reliability update. This update resolves an issue in the
Windows Installer (MSI) that can affect performance during software
updates. The system may appear to become unresponsive when Windows
Update or Microsoft Update is scanning for updates that use Windows
Installer, and CPU usage for the svchost.exe process may reach 100%
utilization.
-- Windows Server Update Services 2.0 SP1 Client Update (KB936301):
<http://support.microsoft.com/kb/936301>
This update resolves issues with client computers that are managed by
Windows Server Update Services 2.0.
The updated client program includes the updates and the functionality
that is included in the WSUS 3.0 Windows Update client program.
Additionally, this update resolves the problems that are described in
the following Microsoft Knowledge Base articles:
932494 (http://support.microsoft.com/kb/932494/) When you use
Automatic Updates to scan for updates or to apply updates to
applications that use Windows Installer, you experience issues that
involve the Svchost.exe process.
936475 (http://support.microsoft.com/kb/936475/) After you install
updates on a computer that is running Windows 2000 Service Pack 4
(SP4), the computer may stop responding during the shutdown process.
-----------------------
2. Mozilla Updates
-----------------------
I. Overview
Mozilla has released new versions of Firefox, Thunderbird, and
SeaMonkey to address several vulnerabilities. Further details about
these vulnerabilities are available from Mozilla and the
Vulnerability Notes Database. An attacker could exploit these
vulnerabilities by convincing a user to view a specially crafted HTML
document, such as a web page or an HTML email message.
II. Systems Affected
* Mozilla Firefox
* Mozilla Thunderbird
* Mozilla SeaMonkey
* Netscape Browser
Support for Firefox 1.5 is scheduled to end in June 2007. According
to Mozilla:
Firefox 1.5.0.x will be maintained with security and stability
updates until June 2007. All users are strongly encouraged to upgrade
to Firefox 2.
III. Impact
While the impacts of the individual vulnerabilities vary, the most
severe could allow a remote, unauthenticated attacker to execute
arbitrary code on a vulnerable system. An attacker may also be able
to cause a denial of service.
IV. Solution
Upgrade
These vulnerabilities are addressed in Mozilla Firefox 2.0.0.4,
Firefox 1.5.0.12, Thunderbird 2.0.0.4, Thunderbird 1.5.0.12,
SeaMonkey 1.0.9, and SeaMonkey 1.1.2. By default, Mozilla Firefox,
Thunderbird, and SeaMonkey automatically check for updates.
Online information regarding this alert:
<http://www.us-cert.gov/cas/techalerts/TA07-151A.html>
----------------------------------------
3. Note to Students and Faculty
----------------------------------------
To all students graduating this year, congratulations and good luck!
For those students and faculty who are taking off for the summer and
returning this fall, don't forget to make backups of your files just
in case something happens to your computer while it's being shipped
home. You wouldn't want to lose all that work!
Thanks to all for staying aware of IT security issues,
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security