UCL Computer Security Newsletter - November/December 2006
The purpose of this newsletter is to keep all security reps and other
interested parties informed about what is happening around UCL
regarding computer security. Further information from the Computer
Security Team is always available at http://www.ucl.ac.uk/cert.
1. Updates
Apple
Apple has released Security Update 2006-007 to correct multiple
vulnerabilities affecting Mac OS X, Mac OS X Server and the Safari web
browser. Vulnerabilities in OpenSSL, gzip and other bundled products are
also addressed. The most serious of these vulnerabilities may allow a
remote attacker to execute arbitrary code; the less serious ones may
allow an attacker to bypass security restrictions or cause a denial of
service.
Oracle SQL Servers
A great deal of press has been focused upon Oracle's 'unbreakable'
claim, with many security researchers now targeting the SQL
platform. As always, it is extremely important to patch your SQL
servers: they are quite often overlooked in patch strategies and
require manual patching:
http://www.nextgenss.com/papers/hpoas.pdf
http://www.petefinnigan.com/orasec.htm
2. Police and Justice Act
This was passed recently. The part that concerns us is that dealing
with the provision of tools that can be used to access a system in an
unauthorised fashion. There is a lot of discussion on some security
lists about this, as it may affect, for example, our supplying you with
tools that have uses both for good and evil. For now, until we have
any definite direction as to the extent of what we can provide you
with, we will err on the side of caution and not give out the
information.
Further details at http://www.out-law.com/page-7501
3. Remote Desktop Protocol - rdp
Last month we warned you of a serious vulnerability in rdp. Simon
has now written a document
(http://www.ucl.ac.uk/cert/openssh_rdp_vnc.pdf) about better ways
of achieving remote access to your systems.
4. Privacy Stickers
Just a reminder about the need to have warnings about privacy
expectations at UCL on ALL your machines - both public access ones
and staff desktops. We can supply you with stickers for your
machines - just email cert@ucl.ac.uk and let us know roughly how many
you need. We are happy to supply these by internal post whenever
asked, but they are expensive and we would prefer not to give you more
than a few months' requirement.
5. Institutional Firewall
It is UCL policy that all departments will be protected by the
institutional firewall. Going by network prefixes alone, we are over
half way there. Since we have, in the main, dealt with the /24
networks first, we can confidently say that we are well over half way
there with respect to the number of hosts and people protected.
6. General
Please note all correspondence from the UCL Computer Security Team is
digitally signed either with personal PGP keys or the CERT team key
(public keys available from http://www.ucl.ac.uk/cert/contacts.html).
This newsletter and previous ones are available at
http://www.ucl.ac.uk/cert/cst-newsletters/index.html.
We welcome feedback on the content and organisation of documents on
our web page.
