[IS&T Security-FYI] Security FYI Newsletter, July 23, 2015

Monique Buchanan myeaton at mit.edu
Thu Jul 23 09:53:30 EDT 2015


In this issue:

1. Adobe Security Patches Released so Far in July 2015
2. Microsoft Security Updates for July 2015
3. Microsoft Ends Support for Windows Server 2003
4. Security SIG Talk: Slides are Available


---------------------------------------------------------------------------
1. Adobe Security Patches Released so Far in July 2015
---------------------------------------------------------------------------

Adobe has posted multiple security advisories<http://blogs.adobe.com/psirt/> and updates for its products this month:


  *   Adobe Flash Player: A Security Advisory (APSA15-03<https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>) was posted earlier this month regarding a critical vulnerability in Adobe Flash Player, affecting Windows, Macintosh and Linux. Adobe did take quick steps to fix the software. The details of the updates were posted in APSB15-16<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>. A week later, another update was released via APSB15-18<https://helpx.adobe.com/security/products/flash-player/apsb15-18.html>. To make sure you have the latest update, go to the About Flash Player page<http://www.adobe.com/products/flash/about/>. If using Firefox, Flash may be disabled by default. If on Windows or Macintosh, you should be running version 18.0.0.209. If using Linux, you should be running version 11.2.202.491.
  *   Adobe Acrobat and Reader: Adobe Acrobat X and XI and Reader X and XI have security updates (APSB15-15<https://helpx.adobe.com/security/products/acrobat/apsb15-15.html>) for critical vulnerabilities. The latest version for Acrobat and Reader XI is 11.0.12 and for Acrobat and Reader X is 10.1.15.
  *   Adobe Shockwave Player: A security update was released via a security bulletin (APSB15-17<https://helpx.adobe.com/security/products/shockwave/apsb15-17.html>) for a vulnerability in Shockwave Player version 12.1.8.158 and earlier. The latest version of the player is version 12.1.9.159, available via the Shockwave Player Download Center<https://get.adobe.com/shockwave/>.


In all cases, Adobe recommends users update their software to the latest versions. Read more about the Adobe Flash Player update in the news here<http://www.computerworld.com/article/2949536/security/latest-flash-player-version-offers-better-exploit-defenses.html>.

Several big Internet players are calling for the retirement of Adobe Flash. Read that story in the news here<http://arstechnica.com/security/2015/07/firefox-blacklists-flash-player-due-to-unpatched-0-day-vulnerabilities/>.


----------------------------------------------------------
2. Microsoft Security Updates for July 2015
----------------------------------------------------------

On Patch Tuesday last week, Microsoft released 14 security bulletins<https://technet.microsoft.com/en-us/library/security/dn903782.aspx> (MS15-058, and MS15-065 through MS15-077) to address vulnerabilities in Microsoft products. Four of these are rated critical.

Systems affected include Microsoft Windows, Office, Internet Explorer and SQL Server. Read the story in the news<http://www.networkworld.com/article/2948195/microsoft-subnet/july-2015-patch-tuesday-microsoft-closes-holes-being-exploited-in-the-wild.html> (this article also includes more on the Adobe Flash issues mentioned above).

One of the critical bulletins, MS15-067<https://technet.microsoft.com/en-us/library/security/ms15-067.aspx>, included a patch to address a remote code execution vulnerability in Remote Desktop Protocol (RDP).

To exploit the vulnerability, an attacker could send a specially crafted sequence of packets to a system running the RDP server service. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RDP is heavily used throughout MIT and therefore IS&T recommends that patches are applied as soon as possible. If you have questions or need assistance, send email to the IS&T Help Desk<mailto:helpdesk at mit.edu> or call 617.253.1101. You can also submit a request online<http://ist.mit.edu/help>.

Microsoft also released an out-of-band patch<http://gizmodo.com/go-update-windows-right-now-1719187152> (MS15-078<https://technet.microsoft.com/library/security/MS15-078>) this past Monday for all supported versions of Windows. It fixes a security bug in the way Windows handles custom fonts. The update is rated as critical.

Be sure to accept the updates as they occur, or go to the Windows Update site<http://windowsupdate.microsoft.com/>. You may need to restart your machine after installing patches.


---------------------------------------------------------------------
3. Microsoft Ends Support for Windows Server 2003
---------------------------------------------------------------------

Microsoft ended support of Windows Server 2003 on July 14, 2015. If you have machines still running Windows Server 2003, it is very important that you upgrade to Windows Server 2012 R2 and apply the latest patches from Microsoft to minimize security risks and comply with recent Massachusetts data regulations.

IS&T recommends that Windows users subscribe to the MIT Windows Automatic Update Service (MIT WAUS) to get the latest service packs and security patches. Visit the MIT WAUS article in the KB<http://kb.mit.edu/confluence/x/G4BeBQ> for detailed instructions on how to subscribe.

If you have questions or need assistance, send email to the IS&T Help Desk at helpdesk at mit.edu<mailto:helpdesk at mit.edu> or call 617.253.1101. You can also submit a request online<http://ist.mit.edu/help>.

Learn more from Microsoft about migrating from Windows Server 2003<http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/>.


-------------------------------------------------------
4. Security SIG Talk: Slides are Available
-------------------------------------------------------

Thank you to all who attended the Security SIG talk last week on Lessons Learned from the Top Healthcare Information Security Breaches<https://kb.mit.edu/confluence/display/istcontrib/Security+SIG+Luncheon+2015-07-15>. If you were not able to attend, or did attend but would like to review the information again, the slides are available here<https://wikis.mit.edu/confluence/display/ITSS/Security+SIG>. (MIT certificate required.)



=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================



Monique Buchanan
Social Communications Specialist
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu
tel: 617.253.2715