Security Bulletin – March 2012

Following the monthly announcement of the Microsoft Patch Tuesday updates, our Security team have the following bulletin covering vulnerable versions of Java, the Microsoft Remote Desktop Protocol (RDP) issue and a reminder about Adobe product updates.


1) Java vulnerabilities:

All but the latest versions of Java released in February (Java 1.6.0_31 and 1.7.0_03) are vulnerable to “drive-by” exploits via web pages that will silently install malware. Such “drive-bys” are typically delivered via malicious adverts on otherwise innocent web pages or by malicious JavaScript injected into compromised websites (e.g. shakespearesglobe.com a couple of days ago).

As of yesterday, 15 March, the most prevalent exploit kit has been including an exploit of the latest vulnerabilities.

You can test your Java version by visiting http://www.java.com/en/download/installed.jsp, but if you don’t have Java installed already, then you probably shouldn’t install it.

IT Services has a Domain logon script that checks for installed Java and then updates it as required. We’ve been testing this in ITS for the last few weeks and are looking for some volunteer department OUs in the Active Directory. Please let Huw Wright <h.e.p.wright @ reading.ac.uk> know if you’d like to volunteer!
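Added example, not the ITS logon script the bulletin refers to: a PowerShell check that enumerates installed JREs from the standard JavaSoft registry keys and flags any older than the February releases (1.6.0_31 and 1.7.0_03), returning a non-zero exit code a logon script can act on. The registry paths are the Sun/Oracle JRE's usual ones; the minimum-update table is the only bulletin-specific assumption.

```powershell
# Added example (not the ITS logon script): list installed JREs and flag any older than the
# patched releases named in the bulletin. Assumes the Sun/Oracle JRE registers itself under the
# standard JavaSoft registry keys, in both the native and the Wow6432Node (32-bit) views.
$MinimumPatchedUpdate = @{ '1.6' = 31; '1.7' = 3 }   # 1.6.0_31 and 1.7.0_03

function Get-InstalledJre {
    $roots = @('HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
               'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $view = if ($root -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
        # Full-version subkeys look like "1.6.0_29"; the family aliases ("1.6") are skipped
        foreach ($key in (Get-ChildItem $root)) {
            if ($key.PSChildName -match '^(\d+\.\d+)\.\d+_(\d+)$') {
                New-Object PSObject -Property @{
                    Version  = $key.PSChildName
                    Family   = $Matches[1]
                    Update   = [int]$Matches[2]
                    JavaHome = (Get-ItemProperty $key.PSPath).JavaHome
                    View     = $view
                }
            }
        }
    }
}

function Test-JreNeedsUpdate {
    param([string]$Family, [int]$Update)
    # Families not in the table (1.4, 1.5, ...) are end-of-life and treated as needing replacement
    if (-not $MinimumPatchedUpdate.ContainsKey($Family)) { return $true }
    return ($Update -lt $MinimumPatchedUpdate[$Family])
}

$installed = @(Get-InstalledJre)
if ($installed.Count -eq 0) {
    Write-Output 'No JRE found in the registry; nothing to update (and no reason to install one).'
    exit 0
}
$needsUpdate = $false
foreach ($jre in $installed) {
    if (Test-JreNeedsUpdate $jre.Family $jre.Update) { $state = 'NEEDS UPDATE'; $needsUpdate = $true }
    else { $state = 'OK' }
    Write-Output ('{0,-10} {1,-7} {2,-12} {3}' -f $jre.Version, $jre.View, $state, $jre.JavaHome)
}
# Exit code 1 lets the calling logon script decide to run the JRE installer; 0 means nothing to do
if ($needsUpdate) { exit 1 } else { exit 0 }
```

The script only reports and sets an exit code; the actual update step (running the vendor installer) is left to the calling logon script so it can be tested separately per OU.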


2) Remote Desktop vulnerabilities:

This week’s Microsoft Patch Tuesday releases included fixes for a serious vulnerability in Remote Desktop that could potentially be used in a network worm. There are no exploits in the wild yet, but security experts think this is only a matter of time.

ITS are expecting to release the patch in Windows Server Update Services this lunchtime after testing.

Machines with Remote Desktop enabled, and Terminal Servers, really need to be patched in the next few days.


3) Adobe products:

It’s also important to keep Adobe Acrobat and Flash up-to-date; both have had security fixes in the last couple of weeks, but I’ve not seen exploits targeting the vulnerabilities yet (the bad guys are doing too well with Java).

If in doubt, the free Secunia Online Scanner at http://secunia.com/vulnerability_scanning/online/ (which ironically needs Java) will tell you about the most important vulnerabilities on a system.


Christopher Wakelin,


Comment by itsnews:

A Root Certificate Update pack has been added and approved with a 5 day install deadline to all University of Reading WSUS-managed PCs which are running Windows XP, Vista & Windows 7. This is likely to cause most desktop systems to reboot by next Tuesday morning (20 March), as per standard monthly patching.

For standalone or unmanaged systems:

Visit the Microsoft Download site and search for “update root certificates”.

Unfortunately Microsoft do not categorise these as security updates and so they are not offered or installed on PCs which update directly from “Microsoft Update”.

A PC with an outdated store / expired root certificates may reject a valid certificate (https://… access) with an “untrusted site” warning.
