Critical Security Alert: September Microsoft Security Bulletins Include Vulnerabilities Affecting Microsoft Windows and Microsoft Outlook. Immediate Action Required.

Tuesday, September 8, 2009

Microsoft Corporation has announced five new critical security vulnerabilities affecting Microsoft Windows and Microsoft Outlook.  CSSD recommends that users immediately identify and install the security updates necessary to repair these vulnerabilities by using the Pitt Software Update Service.  If you are not already using this service, you can sign up for it by visiting technology.pitt.edu and selecting "Pitt Software Update Service" from the Quick Launch menu on the main page. The correct updates for your computer will then be installed on the schedule you specify.

The five critical security vulnerabilities are listed below.  An attacker who successfully exploits any of these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.

  • Microsoft Security Bulletin MS09-045 describes a vulnerability in Microsoft JScript that could be exploited if a user visits a specially crafted Web page.  JScript is a scripting language that is often used to make Web sites more flexible or interactive.
  • Microsoft Security Bulletin MS09-046 describes a vulnerability in the DHTML Editing Component ActiveX control, which provides an HTML editor that software can use to support dynamic Web site HTML editing.  This vulnerability could be exploited if a user visits a specially crafted Web page.
  • Microsoft Security Bulletin MS09-047 describes two vulnerabilities in Windows Media Format that could be exploited if a user opens a specially crafted media file.
  • Microsoft Security Bulletin MS09-048 describes several vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing that could be exploited if an attacker sends specially crafted TCP/IP packets over the network to a computer with a listening service.
  • Microsoft Security Bulletin MS09-049 describes a vulnerability in the Wireless LAN AutoConfig Service, which configures wireless security and connectivity settings.  This vulnerability could be exploited if a client or server with a wireless network interface enabled receives specially crafted wireless frames.  Systems without a wireless card enabled are not at risk from this vulnerability.

In addition to installing the Microsoft patches, CSSD also recommends that all users install Symantec AntiVirus software and use the LiveUpdate feature to get the latest virus definitions.  Symantec AntiVirus is available at no cost to students, faculty, staff, and departments from CSSD Software Licensing Services, 105 Bellefield Hall, and can also be downloaded from software.pitt.edu.

Please contact the Technology Help Desk at 412 624-HELP [4357] if you have any questions regarding this announcement.

