Security Maintenance: Early September - Microsoft Windows

Who:  Microsoft Windows computer users

What:  Early September Security Maintenance

When:  Sept 6, 2007

How:
Windows computers running Apple iTunes, IBM/Lenovo Access Support, Microsoft MSN Messenger, Yahoo Messenger or Sun Java may be vulnerable to exploits. The most serious of these vulnerabilities may allow an unauthorized user to take complete control of an affected system by convincing the user to open a maliciously crafted music file, website, or voice chat.

What You Need To Do:
If you suspect your computer has already been compromised, STOP! Read and follow Responding to a Compromised Computer.

If your computer is managed by a Carnegie Mellon departmental computing administrator, please consult that person before making any system changes.

If your computer is NOT managed by a Carnegie Mellon departmental computing administrator, follow the detailed steps below.

NOTE: You must login with an administrative account/password to complete steps marked with ***.

1. Upgrade Apple iTunes (if installed)***
   Recent versions of iTunes and Quicktime install the Apple Software Update service. If available, use the Apple Software Update service to automate your upgrade. Otherwise, download and run the full manual installer.
   
   Automated Apple Software Update
   1. Click the Start button and choose All Programs.
   2. Select Apple Software Update from the programs list.
   3. If updates are found, click Install.
   4. If prompted to reboot, reboot and then repeat from Step 1 until no updates are found.
   
   Manual Install
   Download and install Apple iTunes 7.4 or higher from Download - Apple iTunes
   
   
2. Upgrade IBM/Lenovo Access Support (IBM/Lenovo hardware users ONLY)***
   Download and install Lenovo Automated Solutions Fix Pack 1 from Download - Lenovo Automated Solutions
   
   
3. Upgrade Instant Messaging Programs (if installed)***
   
   Microsoft MSN Messenger 7.x
   Discontinue using MSN Messenger because no patch is available for the recently discovered security issue. Instead, switch to Windows Live Messenger for the same functionality. Download and install Windows Live Messenger 8.1 or higher from Download - Windows Live Messenger
   
   Yahoo Messenger
   Download and install Yahoo Messenger 8.1.0.421 or higher from Download - Yahoo! Messenger
   
   
4. Verify & Update Sun Java***
   Check that you have the latest version of Sun Java and install recommended updates by visiting Verify & Update - Sun Java
   
   
5. Run Symantec LiveUpdate***
   Windows instructions
   
   
6. Secure Your Computer***
   Windows Vista instructions
   Windows XP instructions

Contact:
Please direct any questions or comments to the Computing Services Help Center at x8-HELP (4357) or advisor@andrew.cmu.edu, or to your departmental administrator or DSP consultant.

• Apple Article ID 306404: About the security content of iTunes 7.4
• Security update for Lenovo Inline Automated Solutions
• FrSIRT ADV-2007-2987: Microsoft MSN Messenger Video Conversation Handling Code Execution Issue
• Yahoo! ActiveX Control Update
• Sun Alert ID 103024: Vulnerability in the Java Runtime Environment Font Parsing Code may Allow an Untrusted Applet to Elevate Privileges