News - The University of Montana

Welcome to UM Blogosphere. This is your first post. Edit or delete it, then start blogging!

Are you suddenly getting large numbers of bounce messages in your inbox from messages you didn’t send?  If so, then you are most likely the victim of e-mail spoofing, and the unwanted side effect that comes with it, known as “backscatter”.

This problem has been around for years, but a number of higher education institutions have reported a significant increase in this activity in the last month, and UM has not escaped.

IT Central has published a support page with more details, check it out here.

Fresh on the heels of last month’s update, Sun has released Java 6 Update 5.  Unlike last month’s update, this one does appear to get downloaded correctly if you use the automatic updater (at least it did for me).  For Windows users, simply go to the Java Control Panel, click the Update tab, and let it do its thing.

You can also get a manual download at http://java.sun.com/javase/downloads/index.jsp
(for most folks, you’ll need the JRE Update)

Specifics on the exploits can be found here: http://www.us-cert.gov/current/index.html#sun_java_se_updates

In my blog entry last Friday, I mentioned some confusion over the Java update. This centers around three points, 1) Sun’s version nomenclature, 2) Conflicting info from Sun on what is the current version, and 3) Whether you need to uninstall your current JRE before installing the newer version.

The first item isn’t too difficult, and is more annoying than anything else, but I still wish Sun would just make up its mind and use one consistent versioning system. Basically, you’ll see the same version called two different things, depending on where you’re at. Version 1.6.0_04 is also referred to as Java Version 6,Update 4, etc.

Item number 2 is a little more annoying. If you go to www.java.com, it will tell you that the “recommended” version is Version 6 Update 3; however, go to java.sun.com, and you’ll be offered Version 6 Update 4, which is the update that contains the latest round of security patches. Also, if you are relying on the “auto update” feature of the Java control panel, it will tell you that you are currently up to date, even if you only have Update 3. Finally, Sun still supports Version 5 (or 1.5.x) and is still releasing security patches for it as well. If for some reason you have to run 5 instead of 6, the current version for it is Version 5 Update 14.

My recommendation: go to http://java.sun.com/javase/downloads and manually download JRE 6 Update 4, and install it yourself.

The third item is by far the most complicated, and I haven’t been able to find an authoritative answer. The original problem is that installing new versions of the JRE would still leave the old versions in place and callable. Sun did this for compatibility reasons. However, the downside was that if there was a serious security hole, simply installing the new version did not prevent you from being exploited. At some point along the way, Sun realized the error of their ways, and addressed this. BUT, the way they did it was NOT to remove the old version, but to make the older versions uncallable (One has to wonder why they did it that way, but I’m sure they have their reasons). This has obviously led to a lot of conflicting opinions about whether one should completely uninstall the existing JRE before installing the new version, and some folks still claim that despite what Sun says, these older versions are still exploitable (however those are all just opinions, I didn’t see anyone offering proofs). I’ve personally decided that I’m OK with just installing the new version, but if you want to be absolutely sure, you can always do the uninstall, but you’ll have to do it manually, and the scope of that is beyond this blog. However, google “uninstall Sun Java” and you’ll find lots of opinions on the best way to do this.

In one 24 hour period this week, four major vendors (Sun, Adobe, Apple, and Skype) released security related patches for their products.  According to Secunia:

“81.01% of all computers connected to the Internet needs to apply at least one security update to secure their computer, until updated, users risk falling victim of a hacker by simply: Visiting a website, opening a PDF file, viewing a movie, etc. – and this is just over a period of 24 hours”

In addition to those patches, a security related update was released today (2/8/08) for Firefox. 

Most of these products are very good about auto updating themselves, but I urge you to double check and make sure these items are updated promptly.

One additional note.  There seems to be considerable confusion over the Java update.  I’ll try to make some sense out of this, and post the results next week.

Details on the patches:

1) Adobe Reader 8.x (PDF Files) (Secunia Advisory: SA28802)

2) Sun Java 1.5.x (Web content, games, etc.) (Secunia Advisory: SA28795)

3) Apple Quicktime (Movies, music, etc.) (Secunia Advisory: SA28423)

4) Skype (Chat and VOIP) (Secunia Advisory: SA28791)

4) Firefox (Firefox security advisory)

Yesterday (2/4/08) US-CERT released information about a serious issue with an ActiveX control which is used by Facebook and Myspace. Most troubling are the statements:

“Exploit code is publicly available.”

And

“We are currently unaware of a practical solution to this problem.”

If you’ve ever uploaded an image to Facebook or MySpace using Internet Explorer for Windows (yes Mac users, you’re in the clear on this one), then you most likely have a copy of this control sitting around on your machine. Keep in mind that once a control like this is installed on your machine, ANY web page can call it, not just the one that installed it.

My suggestion is to use FireFox (which does not support ActiveX). You can also try disabling ActiveX in IE as detailed in CERT’s Securing Your Web Browser article.

For the full details on this issue, check out the CERT Advisory:

http://www.kb.cert.org/vuls/id/776931

On Tuesday (12/18/07), Adobe announced yet another vulnerability in its current version of Flash Player (see http://www.adobe.com/support/security/bulletins/apsb07-20.html).

This is another in a disturbing series of exploits affecting several client technologies which for a long time were thought to be safe (Flash, PDF, and Quicktime).

Mac users take note; these vulnerabilities affect you too. Sorry, but the days of being able to snipe at your Windows colleagues about security issues are, sadly, long gone. (Before I get declared a Windows zealot and start up a Mac vs. Windows thread, let me just state that I spent the first 10 years of my IT career programming and supporting Macs. I love both platforms. That’s enough about that).

Note that unlike Adobe Reader and Quicktime, Flash Player does not have an auto-update feature; at least not one that works as most folks these days expect. It does have something called the “Flash Player Global Settings Manager” which is supposed to at least notify you of an update. I’ve never actually seen this work, but that’s probably because I update these things quickly. You see, the default notification window is 30 days (That’s great isn’t it). Honestly, this is one of the more bizarre ways I’ve seen of controlling notification of updates. Probably can’t blame Adobe for this, as I think it goes back to the Macromedia days, but they really should think about reworking this. There are also a number of other settings which you can change via this mechanism. So “how do I get to this brilliant gem of functionality” you ask. Well, the easiest way I know of (and I have NOT researched this much), is to go to the Adobe website. Here’s your link:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html

I recommend just hitting Adobe’s site and updating from the “Get Flash Player” button.

One more note. If there’s anyone out there like me, and you run both IE 7 and Firefox, you may have to perform the update twice (at least I did). I did a manual update in Firefox first, and when I checked the version in IE7, it was still using the old one, so I did a manual update from IE7 and then all was well.

One final tip. You can tell which version of Flash Player your browser is using by going to the Adobe site (www.adobe.com); right click (or control-click on the Mac) on the large animated graphic in the center and choose “About Flash Player”. The current patched version is 9,0,115,0

I’m seeing repeated reports of phishing messages being sent to campuses across the country asking the recipient to please reply with their e-mail username and password.  The examples I’ve seen are very obviously phony, but several large campuses (none in Montana) report significant numbers of users falling for this.  Others report that their spam filters are blocking the inbound message, so I’m hopeful that ours will catch it, but if anyone happens to see one of these come through, please notify me ASAP.