[3467] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, January 14, 2013
daemon@ATHENA.MIT.EDU (Monique Yeaton)
Mon Jan 14 15:35:59 2013
Resent-From: ist-security-fyi@MIT.EDU
From: Monique Yeaton <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 14 Jan 2013 20:34:41 +0000
In this issue:

1. About Java and its Risks
2. Microsoft Releases Out-of-Band Security Bulletin

------------------------------------
1. About Java and its Risks
------------------------------------

Last week a vulnerability in Oracle's Java 7 Update 10<http://www.computerworld.com/s/article/9235550/Attackers_are_now_exploiting_a_Java_zero_day_vulnerability> and earlier was detected. Apple subsequently addressed the issue through the anti-malware system built into OS X, disabling Java 7 plug-ins on Macs where it is already installed.

Oracle has now released Java 7 Update 11 to address the vulnerability. Users of Java can access the free update here<http://www.java.com/en/download/index.jsp>.

What is Java and its risks?

This Java issue brings up possible questions in people's minds. What is Java and why do I need it?<http://www.java.com/en/download/whatis_java.jsp> Java is a programming language and computing platform first released by Sun Microsystems in 1995. It is the underlying technology that powers programs including utilities, games, and business applications. To learn more about Java and to answer some of these questions, see the Oracle website<http://www.java.com/en/download/help/index.xml> or the PDF of this month's issue of OUCH! from SANS.org<http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201301_en.pdf>, dedicated entirely to Java.

Java has become a popular target for cyber criminals and they will use weaknesses in Java to attack computers that have it installed.

What do I do now?

You may have a plug-in for Java running in your browser. This was my experience with Java:

Within my Firefox browser I had a plug-in installed for Java Applet 14.5.0. I clicked the option "Check to see if your plug-ins are up to date" and was told by Mozilla that my Java Applet Plug-in is outdated. Clicking "Update" linked me to Oracle where the latest update is available. Instructions followed for how to update Java on my Mac. After I ran the installation, the plug-in in Firefox changed from Applet 14.5.0 to Java 7 Update 11.

Note that experiences will vary depending on the browser you have installed (Safari, Firefox, and Chrome address plug-ins differently from one another) and its version.

If you are unsure about whether you need to update Java, you can use this link<http://www.java.com/en/download/testjava.jsp>. If no message appears about the status of Java on your system, you can do what I did and see if you have a plug-in for Java in your browser<http://www.java.com/en/download/help/enable_browser.xml> (these will reside in what might be called "add-ons"). Then follow the steps above to update it. If you don't have Java installed on your system, you can access it from Oracle here<http://www.java.com/en/download/index.jsp>.

If you can do without Java, don't install it or go ahead and disable Java. If you can't do without it, the best thing to do is to make sure it is current. Windows users can do this by checking the Java icon in the Control Panel and confirming it is the latest version and is set for automatic updating. Mac users will need to update their version of Java themselves by going to the Oracle website<http://www.java.com/en/download/help/index_installing.xml?user_os=Macintosh%20OS%20X&user_jre=7.0>.
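
For readers who prefer to confirm the installed version from a terminal rather than through the browser, the following is an added example and not part of the original newsletter: a shell function that reads the first line of `java -version` and reports whether a Java 7 runtime is below Update 11. The banner format, the function name and the status strings are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the newsletter): classify a `java -version` banner
# against the fix level the newsletter names, Java 7 Update 11.
# Assumed banner shape: java version "1.7.0_10"
FIXED_UPDATE=11

java7_update_status() {
    # $1 = first line printed by `java -version`
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi

    case $ver in
        1.7.0|1.7.0[_-]*) ;;                  # Java 7 line: compare update number
        *) echo "other-release"; return 0 ;;  # fix level above does not apply
    esac

    # Update number follows "_"; leading zeros are dropped so 09 compares as 9.
    upd=$(printf '%s\n' "$ver" | sed -n 's/^1\.7\.0_0*\([0-9][0-9]*\).*/\1/p')
    upd=${upd:-0}                             # no "_NN" suffix = initial release

    if [ "$upd" -lt "$FIXED_UPDATE" ]; then
        echo "needs-update"
    else
        echo "current"
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in 'java version "1.7.0_10"' 'java version "1.7.0_11"' \
              'java version "1.7.0"' 'java version "1.6.0_38"'; do
    printf '%-28s %s\n' "$banner" "$(java7_update_status "$banner")"
done

# Check the local runtime, if one is on PATH (java -version writes to stderr).
if command -v java >/dev/null 2>&1; then
    local_banner=$(java -version 2>&1 | sed -n '1p')
    printf 'local: %s -> %s\n' "$local_banner" "$(java7_update_status "$local_banner")"
fi
```

A result of "other-release" means the runtime is not on the Java 7 line, so the Update 11 threshold does not apply to it and its patch level has to be checked separately.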

--------------------------------------------------------------------
2. Microsoft Releases Out-of-Band Security Bulletin
--------------------------------------------------------------------

Today (January 14) Microsoft is releasing an out-of-band security bulletin<http://technet.microsoft.com/en-us/security/bulletin/ms13-jan> to address vulnerabilities in the following systems:

* Internet Explorer 6, 7 and 8 on Windows XP, Vista and Windows 7 as well as on Windows Server 2003, 2008 and 2008 R2.

Internet Explorer 9 on Windows 8 systems is not affected.

The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

Security updates are available from the Windows Update tool, the Windows Server Update Services or the Download Center. MIT WAUS subscribers will receive updates as they are tested and released.

===================================================================================
Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
===================================================================================

Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security