UCL Computer Security Newsletter - March 2006

The purpose of this newsletter is to keep all security reps and other
interested parties informed about what is happening around UCL
regarding computer security. Further information from the Computer
Security Team is always available at http://www.ucl.ac.uk/cert.

1. Updates

Macs AND Windows

There exists a *critical* vulnerability within Microsoft Office,
which can lead to the execution of arbitrary programs. This
vulnerability affects both the Windows and Mac versions. Of course,
on a Windows machine, if people are using an "administrator" account
for day-to-day operation of the machine, this can lead to a full
system compromise. Even if users are not using admin rights, it is
trivial for privilege escalation to occur, leading to system-level
access; this includes Mac OS X.

As always, it is imperative that you do not open any emails, for
example mails containing "joke" PowerPoint files, from people you do
not know or that you are not expecting. Unfortunately there exists a
culture of `happy clicking' within UCL which greatly degrades the
security of the network for others. Whereas people have generally
accepted that running executables from people unknown to them is
dangerous, unfortunately they do not apply the same principles to
other file formats, which is precisely why these file types are
beginning to be targeted.

For more details, please see:

http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

and of course:

http://office.microsoft.com/en-us/officeupdate/default.aspx

2. Institutional Firewall

It is UCL policy that all departments will be protected by the
institutional firewall. We are contacting departments with a
schedule for placing them behind the Institutional Firewall.

3. General

Please note all correspondence from the UCL Computer Security Team is
digitally signed either with personal PGP keys or the CERT team key
(public keys available from http://www.ucl.ac.uk/cert/contacts.html).

This newsletter and previous ones are available at
http://www.ucl.ac.uk/cert/cst-newsletters/index.html.

We welcome feedback on the content and organisation of documents on
our web page.