
November 2006 Archives

November 7, 2006

Welcome

Welcome to the Computer Security blog for Emerson College. This will be a place to post information about technology news, current threats from viruses or other "malware," software and operating system updates, or any other related information. One goal is to provide technical information in a way that is understandable by non-technical people. Another is to post more details about security initiatives than might be possible in an e-mail or e-Campus posting. If you have questions or suggestions for future posts, please feel free to contact me.

Adam Travis
Network and Information Security Manager
adam_travis@emerson.edu

Is your software up-to-date?

When we talk about computer updates and security patches, we are often talking about operating systems, like Windows XP or Macintosh OSX. Most of the critical security flaws that are widely reported are in those products or web browsers like Internet Explorer or Safari. What is not mentioned very often is all of the other software on your computer, like QuickTime, iTunes, or Adobe Reader. Many of those programs access the internet and are vulnerable to attack. You might not even know some programs are there, like the Flash Player which allows you to watch some videos or animations in your web browser.

Best practice for keeping your computer safe from attacks is to keep all of this software up to date. Many programs will update themselves or tell you when updates are available, so I am focusing on some of the most common programs that you may have to update yourself. For most of these products you can find your current version of a program by going to the menu bar and selecting Help, then About [Product Name].

| Software | Current Version | Info/Download |
| --- | --- | --- |
| Adobe Reader | 7.0.8 Windows & Mac | Download |
| Adobe Flash Player | 9.0.16.0 Windows & Mac (PowerPC); 9.0.20.0 Mac (Intel) | Check Version / Download |
| Apple QuickTime | 7.1.3 Windows & Mac | Download |
| Apple iTunes | 7.0.2 Windows & Mac | Download |
| Mozilla Firefox | 2.0 Windows & Mac | Download |

These are just a few of the programs you may have installed. Any other software on your computer that is not part of the standard Emerson configuration must also be updated. And, of course, please run any and all updates you are prompted to run for your operating system in a timely manner. If you have questions, or need assistance, please contact the Help Desk.
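For anyone who records the versions shown in each program's Help > About box, the comparison against the table above can be scripted. This is an added example, not part of the original post; the sample inventory, the platform labels and the "Example Media Player" entry are constructed for illustration.

```python
# Added example: flag programs older than the versions in the post's table.
# Versions are compared number by number; compared as plain strings,
# "9.0.9.0" sorts after "9.0.16.0" and an old build would look current.

# Current versions as listed in the table (November 2006).
CURRENT = {
    ("Adobe Reader", "any"): "7.0.8",
    ("Adobe Flash Player", "windows"): "9.0.16.0",
    ("Adobe Flash Player", "mac-powerpc"): "9.0.16.0",
    ("Adobe Flash Player", "mac-intel"): "9.0.20.0",
    ("Apple QuickTime", "any"): "7.1.3",
    ("Apple iTunes", "any"): "7.0.2",
    ("Mozilla Firefox", "any"): "2.0",
}

# Constructed sample inventory, e.g. copied from each program's Help > About box.
SAMPLE_INVENTORY = {
    "Adobe Reader": "7.0.5",
    "Adobe Flash Player": "9.0.16.0",
    "Apple QuickTime": "7.1.3",
    "Mozilla Firefox": "2.0.0",
    "Example Media Player": "3.2",   # hypothetical program not in the table
}

def parse(version):
    """'9.0.16.0' -> (9, 0, 16, 0). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))

def is_outdated(installed, current):
    a, b = parse(installed), parse(current)
    width = max(len(a), len(b))
    # Pad with zeros so "2.0" and "2.0.0" compare as equal.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(inventory, platform):
    """Return {program: status} for one computer; platform keys are assumptions."""
    report = {}
    for name, installed in inventory.items():
        current = CURRENT.get((name, platform)) or CURRENT.get((name, "any"))
        if current is None:
            report[name] = "not in table: check the vendor's site"
        elif is_outdated(installed, current):
            report[name] = "update to " + current
        else:
            report[name] = "up to date"
    return report

if __name__ == "__main__":
    for program, status in audit(SAMPLE_INVENTORY, "mac-intel").items():
        print(f"{program}: {status}")
```

The same Flash Player version is current on Windows but out of date on an Intel Mac, which is why the table lists the two separately.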

November 13, 2006

Patch Tuesday!

That monthly occasion is upon us once again: Patch Tuesday!

For those of you who haven't heard of this event, here's a quick overview. Microsoft releases security-related and other software patches on the second Tuesday of every month. They will usually post some general information a few days before "Patch Tuesday" about how many patches they will release and the highest severity rating (in other words, how important they are in terms of security). That lets us know if there will be any "critical" patches coming, but not how many will be critical or what vulnerabilities they will be patching. Sometimes they will also let us know that patches will require the computer to be restarted as part of the installation process.

In the past, we would wait for the patches to be released and if they looked important we would schedule times to get all of the college's systems updated in the following two weeks. In recent months, however, viruses and other code that exploits unpatched systems have spread through the Internet less than 24 hours after the patches are released. To best protect Emerson College's network and computers, IT staff will be patching systems very soon after the updates are made available. As a result, you should anticipate some early morning interruptions of network services for several days following the second Tuesday of every month. If there is a particularly dangerous vulnerability, we may begin patching critical systems starting Tuesday at 5:00 P.M. As always, we will try to minimize the disruption to campus systems.

PATCHING EMERSON COMPUTERS:
Almost all Windows desktop and laptop computers are configured for automatic updates, so all of the computers in your department should download the updates without requiring any user intervention. The default setting is to check for updates every day at 3:00 A.M. There is no harm in checking to make sure computers are up to date (see below) or checking the Automatic Update settings.

To check Automatic Update settings, go to the Control Panel and double-click the Automatic Updates icon (classic view) or click Security Center, then Automatic Updates (category view). To manually check for updates at any time, visit http://windowsupdate.microsoft.com/ using the Internet Explorer web browser. If given the option “Get Microsoft Update today!” you can select it to check for updates for a wider range of Microsoft products, including Office. If you are prompted to restart the computer, you should do so immediately in order for the updates to take effect.

PATCHING YOUR OWN COMPUTER:
You can use the steps above to check if your computer is set to receive automatic updates or to manually check for updates. Additionally, the I.T. Help Desk has information on Computer Maintenance and Security, with specific information for Windows Maintenance and Mac Maintenance.


November 17, 2006

Internet Explorer 7

In October, Microsoft released Internet Explorer 7.0 (IE7) for download on their website. On November 10, they began pushing the update out to users via Automatic Updates and the Windows Update web site. This new version of IE adds a number of new features including tabbed browsing, anti-phishing controls, handling RSS feeds, and easier searching. I'll try to respond to some of the most common questions I have been getting about it.

Should I upgrade now?
For most people at Emerson College, I recommend not upgrading at this time. There are many applications that use IE and some of them have not been updated yet to work with IE7. This is especially important if you use WebCT or Magic Service Desk Express, both of which we have been notified will not work correctly with IE7 at this time.

When should I upgrade?
It's tough to say. If you don't use or rely on any special applications that work with IE, you could upgrade at any time. If you do use anything that might rely on IE, you may want to wait a few months or do some thorough testing before you install this new version. If you are not sure, you might be better off waiting. If you use WebCT, definitely do not upgrade until IE7 is certified to be compatible with WebCT.

Is IE7 more secure?
Yes (we think). It definitely adds some good security features and smarter default settings. It's not perfect and I'm sure researchers and hackers will continue to find security flaws in the program. If you are really concerned about security, I would recommend using Firefox as your primary browser (see below).

Can I install IE7 and still use IE6?
No, once you upgrade to version 7, you will no longer be able to use IE 6; there is no way to run both versions on the same copy of Windows. You will be able to uninstall IE7, which will roll you back to IE6, but I wouldn't want to do that all the time.

Will my computer update automatically?
No. Currently Emerson is blocking IE7 from coming as an Automatic Update. You may still see IE7 as available if you use the Windows Update or Microsoft Update web sites. You can uncheck the box before you begin installing updates. If you don't see that or forget, IE7 will ask you to confirm before it begins installing. You will be given the chance to not upgrade or to be reminded later. For more information about how Microsoft is distributing this update, there is a good article on ars technica.

Once I install IE7, will I still get security patches for it through Automatic Update or Windows Update?
Yes, IE7 will get security patches in the same way as IE6. Even while Emerson is blocking IE7 from Automatic Updates, once you install it any security or other patches will not be blocked and will be immediately available.

Will my web pages look the same?
Maybe they will, and maybe they won't. If you're a web developer (professional or aspiring), you should definitely do some testing with IE7. You can also consult Microsoft's IE 7 checklists or Readiness Toolkit.

Can I install IE7 with Windows 2000?
No, IE7 will only be available for Windows XP and Windows Vista. If you use a Windows 2000 computer owned by Emerson College, please contact the Help Desk to see if you can be upgraded to Windows XP. (Look for more info on Windows Vista coming soon.)

Can I use Firefox instead?
Yes! Mozilla has just released Firefox 2.0, which has a lot of great features including phishing protection, spell checking for web forms, and the ability to clear your private browsing data with a single click. It is also highly customizable and known for having a large community of developers. Most web sites or programs that worked with an earlier version of Firefox should work with version 2.0. One possible exception is WebCT, which is not yet approved for use with the new versions of either IE or Firefox. You can download Firefox from http://www.getfirefox.com. (I'll try to add a separate blog entry about Firefox soon.)

How does IE7 compare to Firefox 2.0?
I'm biased--I know this and I admit it. I prefer Firefox for just about everything and only use IE when I have to. If you would like a little more detail from people who are a little less biased, check out the CNET Browser Prizefight.

If you have any other questions, e-mail me or post a comment in this blog.

November 29, 2006

Patch your Mac!

Apple has just released Security Update 2006-007, which fixes 31 vulnerabilities in Mac OS X. Some of the vulnerabilities are serious enough that a hacker could take over your system. The update affects many components including AirPort, perl, PHP, FTP, and the Security Framework.

To make sure your computer is up-to-date, you can run Software Update to check at any time. For instructions on how to run Software Update, please see Mac Maintenance on the Help Desk web site or Mac OS X: Updating your software on Apple's web site. You should also make sure your Mac is periodically checking for updates--this can be set in the Software Update pane of the System Preferences.

And don't rest on your security laurels just yet. There are still a number of other publicly known vulnerabilities in Mac OS X. For more information on this update and what wasn't fixed, see this article on CNET News.

About November 2006

This page contains all entries posted to Computer Security in November 2006. They are listed from oldest to newest.
