News - The University of Montana

Archive for the ‘Security’ Category

Flurry of patches

Friday, February 8th, 2008

In one 24-hour period this week, four major vendors (Sun, Adobe, Apple, and Skype) released security-related patches for their products. According to Secunia:

“81.01% of all computers connected to the Internet needs to apply at least one security update to secure their computer, until updated, users risk falling victim of a hacker by simply: Visiting a website, opening a PDF file, viewing a movie, etc. – and this is just over a period of 24 hours”

In addition to those patches, a security-related update was released today (2/8/08) for Firefox.

Most of these products are very good about auto-updating themselves, but I urge you to double-check and make sure these items are updated promptly.

One additional note. There seems to be considerable confusion over the Java update. I’ll try to make some sense out of this, and post the results next week.

Details on the patches:

1) Adobe Reader 8.x (PDF Files) (Secunia Advisory: SA28802)

2) Sun Java 1.5.x (Web content, games, etc.) (Secunia Advisory: SA28795)

3) Apple QuickTime (Movies, music, etc.) (Secunia Advisory: SA28423)

4) Skype (Chat and VOIP) (Secunia Advisory: SA28791)

5) Firefox (Firefox security advisory)

Facebook/MySpace vulnerability

Tuesday, February 5th, 2008

Yesterday (2/4/08) US-CERT released information about a serious issue with an ActiveX control which is used by Facebook and MySpace. Most troubling are the statements:

“Exploit code is publicly available.”

And

“We are currently unaware of a practical solution to this problem.”

If you’ve ever uploaded an image to Facebook or MySpace using Internet Explorer for Windows (yes, Mac users, you’re in the clear on this one), then you most likely have a copy of this control sitting around on your machine. Keep in mind that once a control like this is installed on your machine, ANY web page can call it, not just the one that installed it.

My suggestion is to use Firefox (which does not support ActiveX). You can also try disabling ActiveX in IE as detailed in CERT’s Securing Your Web Browser article.

For the full details on this issue, check out the CERT Advisory:

http://www.kb.cert.org/vuls/id/776931

Here we go again…

Thursday, December 20th, 2007

Note: I’ve cross-posted this item from my new IT Security Blog to help get the word out (I’ll also send to tech partners), so if you’re interested, be sure and zip over to http://blog.umt.edu/itsecurity and subscribe.

On Tuesday (12/18/07), Adobe announced yet another vulnerability in its current version of Flash Player (see http://www.emcinsignia.com/download/MZ11A0075).

This is another in a disturbing series of exploits affecting several client technologies which for a long time were thought to be safe (Flash, PDF, and QuickTime).

Mac users take note; these vulnerabilities affect you too. Sorry, but the days of being able to snipe at your Windows colleagues about security issues are, sadly, long gone. (Before I get declared a Windows zealot and start up a Mac vs. Windows thread, let me just state that I spent the first 10 years of my IT career programming and supporting Macs. I love both platforms. That’s enough about that).

Note that unlike Adobe Reader and QuickTime, Flash Player does not have an auto-update feature; at least not one that works as most folks these days expect. It does have something called the “Flash Player Global Settings Manager” which is supposed to at least notify you of an update. I’ve never actually seen this work, but that’s probably because I update these things quickly. You see, the default notification window is 30 days (that’s great, isn’t it?). Honestly, this is one of the more bizarre ways I’ve seen of controlling notification of updates. Probably can’t blame Adobe for this, as I think it goes back to the Macromedia days, but they really should think about reworking this. There are also a number of other settings which you can change via this mechanism. So, “how do I get to this brilliant gem of functionality?” you ask. Well, the easiest way I know of (and I have NOT researched this much) is to go to the Adobe website. Here’s your link:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html

I recommend just hitting Adobe’s site and updating from the “Get Flash Player” button.

One more note. If there’s anyone out there like me, and you run both IE7 and Firefox, you may have to perform the update twice (at least I did). I did a manual update in Firefox first, and when I checked the version in IE7, it was still using the old one, so I did a manual update from IE7 and then all was well.

One final tip. You can tell which version of Flash Player your browser is using by going to the Adobe site (www.adobe.com); right-click (or control-click on the Mac) on the large animated graphic in the center and choose “About Flash Player”. The current patched version is 9,0,115,0.
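For anyone checking more than one machine, the per-browser version check above can be scripted. The following is an added example, not part of the original post: it normalizes the version strings Flash Player reports (the comma form from "About Flash Player", the "WIN 9,0,115,0" form from the ActiveX control, and the "Shockwave Flash 9.0 r115" plugin description shown by Firefox) and flags any browser still below 9,0,115,0. The host names and inventory are constructed sample data.

```python
import re

# Patched Flash Player version stated in the post (9,0,115,0).
PATCHED = (9, 0, 115, 0)

def parse_flash_version(text):
    """Return a 4-tuple of ints from the formats Flash Player reports.

    Handles "9,0,115,0" (About Flash Player), "WIN 9,0,115,0" (the
    ActiveX control's version string) and "Shockwave Flash 9.0 r115"
    (the plugin description shown by Firefox).
    """
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if m:
        return tuple(int(g) for g in m.groups())
    m = re.search(r"(\d+)\.(\d+)\s+r(\d+)", text)
    if m:
        # The "rNNN" form omits the fourth field; assume 0 for comparison.
        major, minor, rev = (int(g) for g in m.groups())
        return (major, minor, rev, 0)
    raise ValueError(f"unrecognised Flash version string: {text!r}")

def audit(inventory, baseline=PATCHED):
    """Map each (host, browser) to 'ok', 'outdated' or 'unknown'."""
    results = {}
    for host, browsers in inventory.items():
        for browser, reported in browsers.items():
            try:
                version = parse_flash_version(reported)
            except ValueError:
                results[(host, browser)] = "unknown"
                continue
            results[(host, browser)] = "ok" if version >= baseline else "outdated"
    return results

# Constructed sample inventory (hypothetical hosts), including the case the
# post describes: Firefox updated, IE7 on the same machine still on an old build.
SAMPLE = {
    "lab-pc-01": {"ie7": "WIN 9,0,47,0", "firefox": "Shockwave Flash 9.0 r115"},
    "lab-pc-02": {"ie7": "WIN 9,0,115,0", "firefox": "9,0,115,0"},
    "lab-mac-01": {"firefox": "not installed"},
}

if __name__ == "__main__":
    for (host, browser), status in sorted(audit(SAMPLE).items()):
        print(f"{host:12} {browser:8} {status}")
```

An "unknown" result means the string could not be parsed and the browser should be checked by hand rather than assumed patched.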