Following the monthly announcement of the Microsoft Patch Tuesday updates, our Security team have the following bulletin covering vulnerable versions of Java, the Microsoft Remote Desktop Protocol (RDP) issue and a reminder about Adobe product updates.
1) Java vulnerabilities:
As of yesterday, 15 March, the most prevalent exploit kit includes an exploit for the latest vulnerabilities.
You can test your Java version by visiting http://www.java.com/en/download/installed.jsp, but if you don’t have Java installed already, then you probably shouldn’t install it.
IT Services has a Domain logon script that checks for installed Java and then updates it as required. We’ve been testing this in ITS for the last few weeks and are looking for some volunteer department OUs in the Active Directory. Please let Huw Wright <h.e.p.wright @ reading.ac.uk> know if you’d like to volunteer!
2) Remote Desktop vulnerabilities:
This week’s Microsoft Patch Tuesday releases included fixes for a serious vulnerability in Remote Desktop that could potentially be used in a network worm. There are no exploits in the wild yet, but security experts think this is only a matter of time.
ITS are expecting to release the patch in Windows Server Update Services this lunchtime after testing.
Users' machines with Remote Desktop enabled, and Terminal Servers, really need to be patched in the next few days.
3) Adobe products:
It’s also important to keep Adobe Acrobat and Flash up-to-date; both have had security fixes in the last couple of weeks, but I’ve not seen exploits targeting the vulnerabilities yet (the bad guys are doing too well with Java).
If in doubt, the free Secunia Online Scanner at http://secunia.com/vulnerability_scanning/online/ (which ironically needs Java) will tell you about the most important vulnerabilities on a system.