
IRT Security - Secure Your Computer

STAY SECURE




Welcome to the IRT Information Privacy and Security web page. Please use this site as a reference tool to assist you with security-related issues that are prevalent within the School of Medicine's network here at Stanford University.

Security News - July 12th

It's that time again. Microsoft has released the June batch of monthly patches. Please read on: this round of patches is very important to install, so please patch as soon as possible. Thank you.
***********************************************************************************
Security Bulletin MS07-030: Vulnerabilities in Microsoft Visio (927051)
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical

Executive Summary: This important update resolves two privately reported vulnerabilities in addition to other security issues identified during the course of the investigation. The privately reported vulnerabilities could allow remote code execution if a user opened a specially crafted Visio file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. User interaction is required to exploit these vulnerabilities. This is an important security update for supported versions of Microsoft Visio 2002 and Microsoft Office Visio 2003.
Recommendation. Microsoft recommends that customers should apply the update at the earliest opportunity.

***********************************************************************************

Security Bulletin MS07-031: Vulnerability in the Windows Schannel Security Package (935840)
Maximum Severity Rating: Critical

Executive Summary: This critical security update resolves a privately reported vulnerability in the Secure Channel (Schannel) security package in Windows. The Schannel security package implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using an Internet Web browser or used an application that makes use of SSL/TLS. However, attempts to exploit this vulnerability would most likely result in the Internet Web browser or application exiting. The system would not be able to connect to Web sites or resources using SSL or TLS until a restart of the system. This is a critical security update for supported editions of Windows XP, important for editions of Windows 2003, and moderate for editions of Windows 2000.
Recommendation. Microsoft recommends that customers apply the update immediately.

***********************************************************************************

Security Bulletin MS07-032: Vulnerability in Windows Vista Could Allow Information Disclosure (931213)
Impact of Vulnerability: Moderate

Executive Summary: This moderate security update resolves a privately reported vulnerability. This vulnerability could allow non-privileged users to access local user information data stores including administrative passwords contained within the registry and local file system. This is a moderate security update for all supported editions of Windows Vista. This security update addresses the vulnerability by setting Access Control Lists on user information stores that restrict access to privileged users.
Recommendation: Microsoft recommends that customers consider applying the security update.

***********************************************************************************

Security Bulletin MS07-033: Security Update for Internet Explorer (933566)
Impact of Vulnerability: Critical

Executive Summary: This critical security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. All but one of these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. One vulnerability could allow spoofing, and also involves a specially crafted Web page. In all remote code execution cases, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. For the spoofing case, exploitation requires user interaction. This is a critical security update for supported releases of Internet Explorer 5.01 and Internet Explorer 6, and most supported releases of Internet Explorer 7. This security update addresses two vulnerabilities by setting the kill bit for COM objects and for the rest, by modifying the way that Internet Explorer handles calls, error conditions, and special features such as Language Pack Installation and Speech Control.

Recommendation. Microsoft recommends that customers apply the update immediately.

***********************************************************************************

Security Bulletin MS07-034: Security Update for Outlook Express and Windows Mail (929123)
Impact of Vulnerability: Critical

Executive Summary: This critical security update resolves two privately reported and two publicly disclosed vulnerabilities. One of these vulnerabilities could allow remote code execution if a user viewed a specially crafted e-mail using Windows Mail in Windows Vista. The other vulnerabilities could allow information disclosure if a user visits a specially crafted Web page using Internet Explorer and cannot be exploited directly in Outlook Express. This is a critical security update for supported editions of Windows Vista. This security update addresses these vulnerabilities by changing the MHTML protocol handler in Windows so that it securely handles MHTML URLs in redirection scenarios and scenarios involving ambiguously typed content.

Recommendation. Microsoft recommends that customers apply the update immediately.

***********************************************************************************

Security Bulletin MS07-035: Vulnerability in Win32 API Could Allow Remote Code Execution (935839)
Impact of Vulnerability: Critical

Executive Summary: This critical security update resolves a privately reported vulnerability in a Win32 API. This vulnerability could allow remote code execution or elevation of privilege if the affected API is used locally by a specially crafted application. Therefore applications that use this component of the Win32 API could be used as a vector for this vulnerability. For example, Internet Explorer uses this Win32 API function when parsing specially crafted Web pages. This is a critical security update for all supported versions of Windows 2000, Windows XP, and Windows Server 2003. This security update addresses the vulnerability by changing the way the Win32 API validates parameters.

Recommendation. Microsoft recommends that customers apply the update immediately.

***********************************************************************************


Contact Us:

Phone: 5-8000 (option #4)
Address: 251 Campus Drive
MSOB X300