[IS&T Security-FYI] Patch Tuesday and other Updates
To: ist-security-fyi@MIT.EDU
From: Monique Yeaton <myeaton@MIT.EDU>
Date: Fri, 12 Jan 2007 16:01:06 -0500
It is once again a week of released Microsoft updates. Here is our
summary of these latest updates, as well as of other vulnerabilities,
not related to Microsoft, announced by CERT (www.cert.org) that you
will want to be aware of.
-----------------------
Microsoft Patches
-----------------------
On Jan. 9, Patch Tuesday, Microsoft released updates for the following:
- Windows
- Internet Explorer
- Outlook
- Excel for Windows and Mac OS X
Descriptions of the vulnerabilities are available in Microsoft
Security Bulletins MS07-001 through MS07-004. Three of these are
listed as critical and one as important.
A summary of the January 2007 bulletins can be found here:
<http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx>
We recommend that users take the upgrades unless they have specific
information indicating that an update is incompatible with an
application they need to use.
These patches are now approved for deployment via MIT WAUS.
<http://web.mit.edu/ist/topics/windows/updates/>
To download all of the updates manually:
Visit Windows Update <http://go.microsoft.com/?LinkID=275655> and
click "Scan for updates."
Visit the Protect your PC site
<http://www.microsoft.com/athome/security/default.mspx> to learn how
to have the latest security updates delivered directly to your computer.
The very best first line of defense against vulnerabilities is to
take Microsoft patches automatically whenever feasible. We want to
thank everyone who already uses Microsoft's Automatic Update Service
or MIT's local Windows Automatic Update Service.
-------------------
Microsoft Word
-------------------
Following up on the Word vulnerabilities reported in December 2006:
Microsoft has not addressed this issue in the January release.
Microsoft is closely monitoring the issue and concludes that the
vulnerability is subject to very limited and targeted attacks. For an
attack to succeed, a user must first open a malicious Word file
attached to an e-mail or otherwise provided by an attacker. Microsoft
strongly recommends that users always exercise extreme caution when
opening unsolicited attachments from known and unknown sources.
---------------------
Apple QuickTime
---------------------
A vulnerability exists in the way Apple QuickTime handles specially
crafted Real Time Streaming Protocol (RTSP) URL strings. Malicious
content could therefore be delivered through a web page that uses the
QuickTime plug-in or ActiveX control, a page that uses the "rtsp://"
protocol, or a file associated with the QuickTime Player. The
vulnerability does not depend on the web browser being used. Note
that Apple iTunes and other software using QuickTime may also be
affected.
Systems affected:
- Microsoft Windows platforms
- Apple Mac platforms
There is currently no solution available for this problem. We
recommend you do not access QuickTime (video) files from untrusted
sources.
In order to convince users to visit their sites, attackers often use
a variety of techniques to create misleading links including URL
encoding, IP address variations, long URLs, and intentional
misspellings. Do not click on unsolicited links received in email,
instant messages, web forums, or internet relay chat (IRC) channels.
Type URLs directly into the browser to avoid these misleading links.
While these are generally good security practices, following these
behaviors will not prevent exploitation of this vulnerability in all
cases, particularly if a trusted site has been compromised or allows
cross-site scripting.
More on cross-site scripting can be found here:
<http://en.wikipedia.org/wiki/Cross_site_scripting>
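As an added, defender-side illustration (not part of the original advisory), the Python below flags the misleading-link traits the paragraph above names: URL encoding, IP-address hosts, overly long URLs and intentional misspellings of trusted names, plus a non-web scheme such as the "rtsp://" links mentioned in the QuickTime section. The trusted-domain list, the length and edit-distance thresholds, and the sample links are constructed assumptions; a mail or chat filter would tune them to its own environment.

```python
"""Triage helper that flags misleading-link traits in a URL (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allow-list of names a phishing link would imitate. The four domains
# appear in the advisory; treating them as the trusted set is an assumption.
TRUSTED_DOMAINS = ("mit.edu", "microsoft.com", "apple.com", "adobe.com")
MAX_URL_LENGTH = 200          # assumed threshold for a "long URL"
LOOKALIKE_MAX_DISTANCE = 2    # assumed edit distance that counts as a misspelling
WEB_SCHEMES = ("http", "https")


def levenshtein(a: str, b: str) -> int:
    """Edit distance by dynamic programming; no third-party dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_name(host: str) -> str:
    """Last two labels of the host; adequate for .com/.edu/.net style names."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_numeric_host(host: str) -> bool:
    """True for dotted-quad, IPv6, bare-decimal or hex hosts: an address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(re.fullmatch(r"0x[0-9a-f]+|\d+", host, re.IGNORECASE))


def inspect_link(url: str) -> list[str]:
    """Return every misleading-link trait found in url; an empty list means none."""
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme and parts.scheme not in WEB_SCHEMES:
        # e.g. rtsp://, the scheme named in the QuickTime section above
        flags.append(f"non-web scheme: {parts.scheme}://")
    if len(url) > MAX_URL_LENGTH:
        flags.append("long URL")
    if "@" in parts.netloc:
        # "http://www.mit.edu@<real host>/" shows a trusted name before the real host
        flags.append("userinfo before host")
    if host and is_numeric_host(host):
        flags.append("IP address instead of hostname")
    if "%" in parts.netloc:
        flags.append("URL encoding in host")

    # Percent escapes of ordinary ASCII letters, digits or ./@: serve no purpose
    # except hiding what the path says from a human reader.
    escapes = re.findall(r"%([0-9A-Fa-f]{2})", parts.path + "?" + parts.query)
    if any(int(h, 16) < 0x80 and (chr(int(h, 16)).isalnum() or chr(int(h, 16)) in "./@:")
           for h in escapes):
        flags.append("URL encoding of ordinary characters in path")

    if host and not is_numeric_host(host):
        name = registrable_name(host)
        for trusted in TRUSTED_DOMAINS:
            if name == trusted:
                break  # genuine registrable name; no lookalike check needed
            if levenshtein(name, trusted) <= LOOKALIKE_MAX_DISTANCE:
                flags.append(f"lookalike of {trusted}: {name}")
            elif f".{trusted}." in f".{host}.":
                # microsoft.com.example.net: trusted name buried in a subdomain
                flags.append(f"{trusted} used as a subdomain of {name}")
    return flags


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    for sample in (
        "http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx",
        "rtsp://192.168.0.1/movie.mov",
        "http://www.rnicrosoft.com/update",
        "http://www.mit.edu@203.0.113.5/login",
        "http://microsoft.com.example.net/",
    ):
        print(sample, "->", inspect_link(sample) or ["no flags"])
```

The helper only triages: a link with no flags is not thereby safe, and, as the paragraph notes, no link check helps when a trusted site has itself been compromised. Its value is in surfacing the disguises a reader skimming a message would miss.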
We will track this QuickTime vulnerability and provide follow up
information when a patch has been made available.
------------------------------------------------------------
Adobe Acrobat Plug-in Version 7.0.8 and earlier
------------------------------------------------------------
Several vulnerabilities exist in the Adobe Acrobat Plug-in. The
Plug-in allows users to view PDF files inside of a web browser. A
malicious file must be loaded in Adobe Reader by the end user for an
attacker to exploit these vulnerabilities and take control of the
affected system.
We recommend you upgrade to Adobe Reader 7.0.9. If you have a version
earlier than 7.0.8 you may need to install the incremental patch (see
http://www.adobe.com).
The IS&T department at MIT has made the 7.0.9 Adobe Reader version
available on their downloads page. To view and download the latest
supported software visit <http://web.mit.edu/software/mac.html> for
Mac users, and <http://web.mit.edu/software/win.html> for Windows users.
-----------
If you have any questions regarding any of these issues, please
contact security@mit.edu. I want to thank you for staying aware of IT
Security issues. Let's make 2007 a safe computing year!
Sincerely,
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
N42-040, tel: (617) 253-2715
_______________________________________________
ist-security-fyi mailing list
ist-security-fyi@mit.edu
http://mailman.mit.edu/mailman/listinfo/ist-security-fyi