UCL Computer Security Newsletter - January 2010
The purpose of this newsletter is to keep all security reps and other
interested parties informed about what is happening around UCL
regarding computer security. Further information from the Computer
Security Team is always available at http://www.ucl.ac.uk/isd/common/cst.
1. Phishing continues
Recent attempts have been well thought out and have tried to
lead users to bogus websites purporting to be UCL sites relating to
webmail and UCL accounts. These bogus sites have been blocked at the
Institutional Firewall where appropriate, but please remind your users
to take care to check where they may be taken when they click (by
hovering over given links and understanding the implications of what
they see).
There is a short educational game available at http://www.ucl.ac.uk/cert/antiphishing/
In particular, we are seeing examples appearing to target owners of mailing lists.
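The check a user makes when hovering over a link can also be run over a message body. The Python sketch below is an added example, not UCL code: it compares the host each link really goes to with what the visible text shows. It assumes that only hosts under ucl.ac.uk are genuine; the sample links are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "ucl.ac.uk"  # assumption: only hosts under this domain are genuine
URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def host_of(url):
    # Hostname a browser would connect to; urlsplit drops any user@ prefix.
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    return (host or "").lower()

def is_trusted(host):
    return host == TRUSTED or host.endswith("." + TRUSTED)

def verdict(text, href):
    if is_trusted(host_of(href)):
        return "ok"
    if URLISH.fullmatch(text.strip()) and is_trusted(host_of(text.strip())):
        return "mismatch"  # visible text shows a UCL address, link goes elsewhere
    return "lookalike" if "ucl" in href.lower() else "external"

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None

def check(html):
    parser = Links()
    parser.feed(html)
    return [(href, verdict(text, href)) for text, href in parser.links]

# Constructed sample message body (example.net/.org and 203.0.113.7 are reserved).
SAMPLE = """
<a href="http://www.ucl.ac.uk/isd/common/cst">Computer Security Team</a>
<a href="http://webmail.ucl.ac.uk.example.net/login">http://webmail.ucl.ac.uk/</a>
<a href="http://www.ucl.ac.uk@203.0.113.7/accounts">Verify your UCL account</a>
<a href="http://ucl-webmail.example.org/">UCL webmail</a>
"""
```

Calling check(SAMPLE) returns one (href, verdict) pair per link. Only the first link, whose host really ends in ucl.ac.uk, comes back as "ok".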
2. Updates
Oracle Updates for Multiple Vulnerabilities - details at http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html -
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. This
Critical Patch Update contains 24 new security fixes across all
products."
Microsoft Windows EOT Font and Adobe Flash Player 6 Vulnerabilities
- Microsoft has released updates to address a vulnerability in the
Windows Embedded Open Type (EOT) font engine. Microsoft has also
published an Advisory about multiple vulnerabilities in Adobe
(Macromedia) Flash Player 6 that is included with Windows XP. Further
details at http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
Adobe has released Security Advisory APSA09-03, which describes a
vulnerability affecting Adobe Flash. Other Adobe applications that
include the Flash runtime, such as Adobe Reader 9, are also affected.
This vulnerability is being actively exploited.
3. General
Please note all correspondence from the UCL Computer Security Team
is digitally signed either with personal PGP keys or the CERT team key
(public keys available from http://www.ucl.ac.uk/isd/common/cst/contacts).
This newsletter and previous ones are available at http://www.ucl.ac.uk/isd/common/cst/cst-newsletters (except currently the March 2007 one as that had sensitive information in it).
We welcome feedback on the content and organisation of documents on our web page.
