The countdown is on to the start of the fall semester, but the software patches just keep rolling out.
Microsoft released 13 updates this patch Tuesday. Two of them are rated critical, and nine of them are rated important. 22 vulnerabilities in Windows, Internet Explorer, Office and other software are fixed with these updates. The Internet Explorer bugs are already being exploited in the wild.
http://www.microsoft.com/technet/security/bulletin/ms11-aug.mspx
Apple released iOS version 4.3.5 (and 4.2.10 for CDMA/Verizon) to address multiple critical bugs, including a serious SSL flaw, which would allow an attacker on an untrusted, open, or WEP network to intercept and decrypt traffic to SSL encrypted locations without your knowledge. If you have an iOS device that doesn’t support the latest versions, you are strongly urged to use VPN and/or avoid untrusted networks.
http://support.apple.com/kb/HT4824
http://support.apple.com/kb/HT4825
Apple released an update to QuickTime 7.7 for 10.5.8 and Windows that covers multiple critical vulnerabilities.
http://support.apple.com/kb/HT4826
Also updated by Apple, Safari versions 5.1 and 5.0.6 have been released to address multiple vulnerabilities.
http://support.apple.com/kb/HT4808
Google updated the Chrome browser to version 13.0.782.112 addressing multiple critical and medium vulnerabilities (including the latest Flash).
http://googlechromereleases.blogspot.com/2011/08/stable-channel-update.html
Adobe released security updates for Shockwave Player, Flash Media Server, Flash Player, Photoshop CS5, and RoboHelp. It is expected that the Flash issues will be exploited very soon if they are not already.
http://blogs.adobe.com/psirt/2011/08/adobe-product-security-updates-available-2.html
Flash version check: http://www.adobe.com/software/flash/about/
Be sure to make sure Adobe Reader is still up to date as well. A new security research report states that 56.46% of enterprise users running Adobe Reader have an outdated version.
You can get the latest version here:
A few of you have received security notices from ITS over the last month as we have stepped up our periodic scanning of UI networked devices. We have been sorting through these lists from the most critical vulnerabilities to the lesser ones, so just because you haven’t heard from us yet, it doesn’t necessarily mean you are secure. Remember that without logging into a machine, our Nessus scans really only detect the most critical remote exploits and won’t automatically detect weak passwords or misconfiguration, so when we do detect something critical we have to assume the worst.
We appreciate your vigilance and understanding in keeping things patched, appropriately configured, and responding to any notices in a timely fashion. APM 30.13 is a great starting place for staying secure. http://www.uidaho.edu/apm/30/13
Lastly, if you have access to our Network Management System (NMS), please keep your records up to date: remove old entries, put appropriate contacts and comments on the records, and use good DNS names. If we don’t know whom to contact, we are left with little choice but to disconnect the device if there is a security issue and wait for you to contact the Help Desk.
Lastly, don’t forget to check your browser regularly for up to date plugins using something like the Qualys Browsercheck: http://goo.gl/9eGLw
Have a great semester.
Please send us all comments and feedback!
Mitch Parks, GSEC/GCWN/GCFE
ITS Desktop Security Analyst
Zack Preston
ITS Desktop Security Assistant
Follow @UIITSecurity and @UIHelpDesk on Twitter for the latest articles and news.
