Windows PC and Mac users who have the Oracle Java JRE web plug-in version 7u10 and below should immediately update to the latest release of Java JRE 7u11 [1], or disable Java from their computer browsers [2].

BACKGROUND

On January 10, 2013, security researchers reported an unpatched vulnerability in Oracle Java 1.7u10. This vulnerability has been labeled CVE-2013-0422

Security professionals comment that attack code that exploits the vulnerability is being “massively exploited in the wild.” Miscreants use such exploits to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting website visitors.

IMPACT

Browsing the web with a vulnerable version of Java installed and enabled means that simply visiting a website or clicking on a link in an e-mail message is enough for an attacker to compromise your computer. This is known as a “drive-by download” [3]. The malicious software installed through these attacks may collect usernames and passwords used on the compromised computer, including credentials for sensitive websites, bank accounts, email etc.

While “safe browsing” to only trusted websites may limit your exposure to drive-by downloads, it does not address the underlying vulnerability and prevent exploitation. Please see “Recommendations” and “Workarounds” below for further steps that should be taken.

PLATFORMS AFFECTED

All versions of Oracle Java 7 (aka JRE 1.7) from the initial release up through update 10 are vulnerable. This affects both Windows PC and Mac OS if you have installed the JRE web plug-in. Oracle maintains that earlier versions of Java are not affected by this particular exploit[6].

RECOMMENDATIONS

• Update Java Immediately - Regularly check for updates and remove old versions of Java. Java 7 update 11 is available at the website http://www.java.com [1].
• Update Anti-Virus/Anti-Malware software – MU campus users who have the latest version of Symantec Endpoint Protection (SEP) 12.1.2015 [9] installed will receive additional protection thru the ‘Proactive Threat Protection’ and ‘Network Threat Protection’ modules. This includes a browser-protection technology which can detect and prevent malicious Java from being executed on client computers.
• Use an alternative web browser – it has been reported that users of the latest versions of Mozilla Firefox, Google Chrome, and Apple’s Safari browsers are provided additional security protections not currently found in the default Windows IE9 web browser [7].
• Exercise caution - Don’t click on web popups, but close the window instead. If they won’t close, open your process list and force your browser to close.

WORKAROUNDS

Disable Java. [2] NOTE: This workaround may prevent certain websites from working correctly, and must be considered in relation to essential enterprise applications like Banner which currently depends on Java 6 – note both Java 6 and Java 7 can both be installed at the same time, but keeping both versions updated may require the use of manual updates).

FURTHER READING

[1] http://java.com/en/download/installed.jsp?detect=jre&try=1

[2] https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

[3] http://en.wikipedia.org/wiki/Drive-by_download

[4]  http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

[5] http://www.oracle.com/technology/deploy/security/alerts.htm

[6] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

[7] https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/

[8] http://krebsonsecurity.com/tag/cve-2013-0422/

[9] http://www.marshall.edu/antivirus

If you have additional questions regarding the content or recommendations in this security bulletin, please contact your departmental IT service provider, the IT Service Desk at itservicedesk@marshall.edu / 304-696-3200, or the IT Office of Security infosec@marshall.edu.

Members of the IT team and ITSP community are still creating and testing the supportability of a number of configurations for both Windows 8 and SEP to ensure compatibility with campus services, appropriate level of protection, and (for personal-owned machines) a simplified but usable product.

We are making the following recommendations:

• Use Microsoft Security Essentials for Personally-owned Machines – Since incorporating future configuration changes into an already deployed (personally-owned) client is difficult, we suggest using the widely available and Microsoft-supported solution of Microsoft Security Essentials (MSE) as a low-risk/no-cost solution for students and personally-owned machines. MSE integrates with the Windows Security Center provides an adequate level of protection until we are ready to support the new release of SEP 12.1R2.
• Use Symantec Endpoint Protection for University-owned Machines – We are still recommending SEP 12.1.2RU2 for University-owned computers as the managed client allows for on-the-fly changes to be made thru the Symantec Management Console. The latest version of SEP 12.1RU2 is available here:  \marshall.edumunetDistributionsSymantecCurrent-Install-Packages_Windows_8_Support . The BASIC package includes the base anti-virus/malware module; the FULL package includes anti-virus/malware, proactive threat protection including browser plug-in support, and network threat protection (NTP) and intrusion detection (IDS) modules.  NOTE: be aware that the NTP module disables the default Windows Firewall and establishes its own firewall access control list. It is this feature which is giving us the most concern as it has the potential to do a lot of good, but also will have a learning curve.

An update: The Marshall University Office of Information Technology now supports the use of Symantec Endpoint Protection 12.1RU2 / ver 12.1.2xxx and newer for Windows 8 OS. Read more.

While there are some legitimate coupon printers, some are bundled with spyware that is designed to harvest personal information for use by advertisers. Cyber-criminals also disguise software as a ‘coupon printer’ application as a  to deliver viruses and other malware to computers. If you chose to use coupon-printing software from home, we strongly recommend that you consider the following precautions to ensure the software is as trustworthy as possible: 1) make sure your anti-virus software is up to date before downloading coupon printers; 2) make sure your anti-virus software is set to block malware and spyware “on access”; 3) only download and install software from reputable websites; and 4) when in doubt, remove coupon printers from computers.

A Growing Target of Opportunity – Since PC’s running Windows OS make up the vast majority of personal computer sales[1], Apple Macs running Mac OS were not as frequently targeted by hackers. Now, a combination of events including growing popularity/afforadbility of the Mac as well as improved security/awareness of PC users – are drawing the hackers attention towards a growing Mac user community. The Mac community is typically not accustomed to many of the threats previously found in the PC community.

Apple Mac OS users can significantly improve the security of their computers by following the same prescriptive advice given to PC users for years:

1. Apply OS and Application Updates on a regular basis. Locate the ‘Software Update…’ link (hint: it’s under  your Apple menu) and make it your new best-friend.
2. Install Anti-virus/anti-malware software and keep it current. MU students, faculty and staff are licensed to install Symantec Endpoint Protection for Macintosh for personally-owned computers.
3. Be very suspicious of any software downloads, e-mail attachments or webpages which attempt to collect/submit your personal information (usernames, passwords, social security and account numbers, etc.). No reputable organization or company will ask you to provide this information in such an insecure manner.
4. When in doubt – DON’T do it. (Alternatively, when in doubt, DO reach out to your departmental IT Service Provider, the MU IT Service Desk , or the MU Information Security team for advice ).

Resources URL’s:
Widespread Virus Proves Macs Are No Longer Safe from Hackers
Think Apple’s Got Your Back?
Apple: Mac Users Should Get Antivirus Software
Apple Patches Java Flaw Exploited by Flashback Trojan
Apple Mac Malware: A short History (1982-2010)

[1] Gartner Says Worldwide PC Shipments Increased…

Download the latest releases

What is the KACE Agent or KBOX?

KACE K1000 Management Appliance (or KBOX for short) by Dell/KACE® is a hardware and software inventory management tool employed campus-wide at Marshall University, primarily to automate and expedite the process of software updates. More information on this appliance can be found at: http://www.kace.com/products/systems-management-appliance/.

Back to top

Why is KACE Needed?

KACE provides numerous benefits such as automated and expedited process of software updates, license management, software management/distribution, inventory management, remote support, better enforced security.

Back to top

What Benefits Will I See as a User?

Faster support, more efficient patch management, remote support, fewer OS support related issues.

Back to top

Does My Machine Have KACE Client Installed?

All university-owned computers will have KACE client pre-installed as part of the default software image. The KBOX client is NOT licensed for use on personally-owned computers.

Back to top

What Types of Information Does the KACE Client Collect?

The KACE Management system assists in the collection of the following types of information for University-owned computers:

• Computer Hardware Inventory
  • Make, model, serial/service tag number
  • Physical specifications such CPU, RAM memory, Hard disk size
  • Network configuration such as Ethernet MAC address, IP address
• Computer Software Inventory
  • Operating system version and patch level
  • Install programs and versions as listed in ‘Add/Remove Programs’
  • Software license compliance (i.e. metering for per-seat and concurrent-use license agreements)
• Computer Security Inventory
  • Last logged on user
  • Security patches applied/missing
  • Change management information (i.e. dates/times when hardware/software changes were reported by the KACE client).

Back to top

Will I Notice the KACE Client on My Machine?

No, the client does not use many resources and runs in the background. The KBOX Client software client will periodically notify you when critical operating system or application updates needed and ask for permission before downloading and installing those updates.

Back to top

How Will I Know When Something is Being Done on My System?

The KACE client is configured to not begin the patch download/update process without your approval. You will see KBOX Alert pop-up window informing you that critical updates needed.
If you are in the middle of an important task and do not wish to be interrupted, you may click the ‘Snooze’ or ‘Cancel’ buttons.

Snooze works similar to an alarm clock; it gives you just a little more time to finish a task, and then KBOX Alert will pop-up again in 30 minutes, to remind you that critical patches are needed.

Cancel will clear the KBOX Alert for the day. You will be reminded during the next scheduled run – generally the next day – that critical updates are needed.

Back to top

What Is The KBOX Client Updating?

The KBOX Alert will notify you of two types of updates: 1) Critical Operating System (Windows or Mac) Updates; and 2) Critical Application Updates (i.e. Acrobat, Flash, Java, QuickTime, etc.).

Back to top

Why Do I See The KBOX Client Pop-Up Again So Quickly?

When your computer first becomes enrolled in the patch management process, there may be quite a number of updates which need to be applied. As a result, do not be surprised if you see the KBOX Alert pop-up several times on that first day. This is normal as some patches require a reboot and some patches need to be applied prior (as a prerequisite) to other patches.

Once your computer has installed all the necessary critical updates, then you should not receive any further alerts until the next time a new security update is released.

Back to top

Can I Still Apply Patches Myself?

Yes. The KACE client does not prevent you from applying patches yourself. However, if you do not apply these updates prior to receiving a KACE Alert, KACE will download and install the update for you.

Back to top

Will KACE Updates Automatically Reboot My Computer (without my permission)?

No. Some critical updates require that your computer be rebooted in order to complete their installation. In those cases, you will receive a second KBOX Alert which will notify you that while the patch is installed, a reboot is needed to complete its installation. When you click ‘YES’, the KBOX client will reboot your computer. You can click ‘No’ if rebooting would interrupt an important task and you will be reminded in 30 minutes. This is similar to ‘snooze’.

The KBOX Client will not reboot the computer until you click ‘Yes’.

Back to top

Will KACE Security Patches Upgrade My Applications to New Versions?

No. Security updates and application upgrades are separate processes. For example, KACE may apply a security update to your Microsoft Internet Explorer (IE) browser to take you from version 7.00 to 7.01 – or upgrade Adobe Acrobat Professional from version 8.1.2.3 to 8.2.3.4; but it will not automatically upgrade you from major versions – IE 7.01 to IE 9.0 or Acrobat 8.x to 10.x. NOTE: In cases where a major application upgrade is needed – e.g. to address major security issues or to support institutional application compatibility – a separate campus upgrade notification will be sent.

Back to top

What If I Have Mission-Critical Applications Which Are Sensitive to Patch Updates?

The KACE Management system provides a great deal of flexibility and does not force us to use a ‘one-size-fits-all’ approach. If you have mission-critical applications (for the institution, department, or yourself) which you believe will not respond well to an automatic update process, please contact the IT Service Desk and open a support request. The IT Service Desk will work with you either a) address the application sensitivity, or b) provide a ‘smart label’ which will include your computer in a patch exception group.
Back to top

Who do I Call If There is a Problem or a Question?

If you have questions, concerns or comments, please contact the Marshall University IT Service Desk:

• 304) 696 -3200 Huntington calling area
• (304) 746-1969 Charleston calling area
• (877) 689-6838 Toll free, outside the Huntington/ Charleston.

Back to top

You can upgrade to the latest maintenance release of Symantec Endpoint Protection:
-11.0.6300.803 for Windows OS including Windows XP, Windows Vista and Windows 7 posted on 6/28/2011.
-11.0.6300.0212 for MAC OS 10.4 (Tiger), 10.5, (Leopard) and 10.6 (Snow Leopard) issued on 6/28/2011.

Download the latest release here

Most computer users are aware of the importance of keeping their computers up-to-date to protect against software security vulnerabilities. Microsoft Update and Apple Update are common methods used notify an individual that their computer needs one or more updates to fix software vulnerabilities. What you may not be aware of is this: there are many other software applications and utilities installed on your computer which do not receive auto-updates from the Microsoft or Apple Update process. These applications such as Adobe Acrobat®, Adobe Flash®, Java®, and Apple QuickTime® are commonly found on your computer and frequently need updates because of security vulnerabilities.

The Marshall University Office of Information Technology understands that detecting and patching these software apps can be a tedious and time-consuming process for a computer user.  We also expect that you have many tasks – both important and enjoyable – which you would rather do besides deal with software updates. This usually means that patch updates are a task left for another time, or to be taken care of by someone else.

Introducing the KBOX Client

Marshall University has licensed a system to automate and expedite the process of software updates. This system is called the KACE K1000 Management Appliance (or KBOX for short) by Dell/KACE®. University-owned computers will have a small software client pre-installed as part of the default software image.

The KBOX Client software client will periodically remind the computer user when critical software updates are needed and ask for permission before downloading and installing those updates.

If you are in the middle of an important task and do not wish to be interrupted, you may click the ‘Snooze’ or ‘Cancel’ buttons.

Snooze works similar to an alarm clock; it gives you just a little more time to finish a task, and then KBOX Alert will pop-up again in 30 minutes, to remind you that critical patches are needed.

Cancel will clear the KBOX Alert for the day. You will be reminded during the next scheduled run – generally the next day – that critical updates are needed.

Restarting Your Computer

Some critical updates require that your computer be rebooted in order to complete their installation. In those cases, you will receive another KBOX Alert  which will notify you that while the patch is installed, a reboot is needed to complete its installation. When you click ‘YES’, the KBOX client will reboot your computer. You can click ‘No’ if rebooting would interrupt an important task and you will be reminded in 30 minutes. This is similar to ‘snooze’.

The KBOX Client will not reboot the computer until you click ‘Yes’.

IMPORTANT: You should save your work and close any open application or browser windows BEFORE you click ‘OK’.

 Frequently Asked Questions (FAQ)

What Is The KBOX Client Updating?
The KBOX Alert will notify you of two types of updates: 1) Critical Operating System (Windows or Mac) Updates; and 2) Critical Application Updates (i.e. Acrobat, Flash, Java, QuickTime, etc.).

Why Do I See The KBOX Client Pop-Up Again So Quickly?
When your computer first becomes enrolled in the patch management process, there may be quite a number of updates which need to be applied. As a result, do not be surprised if you see the KBOX Alert pop-up several times on that first day. This is normal as some patches require a reboot and some patches need to be applied prior (as a prerequisite) to other patches.

Once your computer has installed all the necessary critical updates, then you should not receive any further alerts until the next time a new security update is released.

Can I Still Apply Patches Myself?
Yes. The KACE client does not prevent you from applying patches yourself. However, if you do not apply these updates prior to receiving a KACE Alert, KACE will download and install the update for you.

Will KACE Updates Automatically Reboot My Computer (without my permission)?
No. For computers assigned to faculty and staff, the KACE client is configured to not begin the patch download/update process without your approval. If you do not click ‘YES’, then no updates will be applied. You should save all your open documents and close any open application or browser windows prior to clicking ‘YES’. For certain types of shared-use computers (i.e. computer labs), KACE can be configured to automatically apply updates without user intervention (i.e. after hours or during the next power cycle).

Will KACE Security Patches Upgrade My Applications to New Versions?
No. Security updates and application upgrades are separate processes. For example, KACE may apply a security update to your Microsoft Internet Explorer (IE) browser to take you from version 7.00 to 7.01 – or upgrade Adobe Acrobat Professional from version 8.1.2.3 to 8.2.3.4; but it will not automatically upgrade you from major versions – IE 7.01 to IE 9.0 or Acrobat 8.x to 10.x. NOTE: In cases where a major application upgrade is needed – e.g. to address major security issues or to support institutional application compatibility – a separate campus upgrade notification will be sent.

What If I Have Mission-Critical Applications Which Are Sensitive to Patch Updates?
The KACE Management system provides a great deal of flexibility and does not force us to use a ‘one-size-fits-all’ approach. If you have mission-critical applications (for the institution, department, or yourself) which you believe will not respond well to an automatic update process, please contact the IT Service Desk and open a support request. The IT Service Desk will work with you either a) address the application sensitivity, or b) provide a ‘smart label’ which will include your computer in a patch exception group.

What Types of Information Does the KACE Client Collect?
The KACE Management system assists in the collection of the following types of information for University-owned computers. (Note: The KBOX client is NOT licensed for use on personally-owned computers.):

• Computer Hardware Inventory
  • Make, model, serial/service tag number
  • Physical specifications such CPU, RAM memory, Hard disk size
  • Network configuration such as Ethernet MAC address, IP address
  • Computer Software Inventory
    • Operating system version and patch level
    • Install programs and versions as listed in ‘Add/Remove Programs’
    • Software license compliance (i.e. metering for per-seat and concurrent-use license agreements)
    • Computer Security Inventory
      • Last logged on user
      • Security patches applied/missing
      • Change management information (i.e. dates/times when hardware/software changes were reported by the KACE client).

As smart phones become more and more like digital wallets, it’s common for them to contain things like account numbers, addresses, social security information – in some cases even bank statements and tax documents.

Even though the sensitivity of information that we routinely keep on our phones continues to increase, most people I know fail to take even the most basic of security precautions to help protect themselves against identify theft, fraud, and financial or personal loss.

Though this particular post is specific to the iPhone, since it’s what I and a lot of my friends use, chances are that your smart phone allows for many of the same security precautions. In the case of the iPhone, you can achieve a fairly decent level of security without any additional cost to you by taking advantage of the features of iOS and some free services offered to iPhone owners by Apple.

First Things First: Lock Your Phone

The most basic security precaution you can take is to make sure that your iPhone is using a passcode lock – and that the passcode lock will automatically engage after a brief period of inactivity. Many users put off taking the basic security measure for fear of the inconvenience assoicated with having to enter a passcode to unlock their phone. The truth is, once you train yourself to type your passcode when reaching for your phone, it becomes second nature – and the very minor delay you’ll experience while typing in your passcode is a small price to pay for the extra security you’ll gain.

To set up a passcode lock on the iPhone, open the “Settings” application, and click on “General>Passcode Lock”.

Click “Turn Passcode On”, and you’ll be prompted to enter a passcode to use when unlocking the phone, You’ll enter the passcode twice to make sure that you’ve typed it correctly – and then, once it’s set, you’ll have access to the additional passcode security options.

I recommend setting the “Require Passcode” setting to “After 5 minutes”. This means that, after 5 minutes of inactivity, an attempt to unlock your phone will require that you enter the passcode. I’ve found that this time period is a good trade off between being too long to have real value, and too short to not be excessively annoying.

Make the Passcode Hard to Guess

On newer versions of iOS, you’ll have an additional option in the Passcode Lock settings labeled “Simple Passcode”. By default, “Simple Passcode” is on – and it essentially means that your passcode will need to be a 4 digit number that you’ll type when unlocking the phone. You can, and should, turn this setting off and enter a passcode that is more difficult to guess than the simple 4 digit pin.

If you still want the quick convenience of typing the passcode easily when unlocking, you can set the more complex passcode to a longer series of numbers. As long as everything in the passcode is numeric, you’ll still be presented with the larger number pad keyboard when unlocking – even though you’ve chose a more complex passcode.

Limit the Maximum Number of Unlock Attempts

To prevent someone from trying to break in to your phone if it’s stolen, take advantage of the setting at the bottom of the “Passcode Lock” settings page, labeled “Erase Data”. By default, this is set to off. Turning it on tells the iPhone to completely wipe the content of the device if 10 failed attempts to unlock the iPhone are recorded.

While it may sound scary at first to tell your iPhone to wipe all of your data if there are failed passcode attempts – remember that you get 10 tries. It’s unlikely that someone who should have access to the device would accidentally enter the wrong passcode 10 times in a row. Also remember that if there is a situation where the data is wiped inadvertently (think coworker prank) you always have the option of restoring from iTunes.

Take Advantage of the Free “Find My iPhone” application and Remote Data Wipe

Apple provides a great service called “Find My iPhone” that is available for free to any iOS device owner using their Apple ID (the same email address and password you use to purchase apps in the App Store). Complete instructions for setting up Find My iPhone are available on Apple’s Web Site.

Find my iPhone allows you to login to the portal at http://me.com and locate an iPhone that has gone missing. From that same site, you can also choose to have a message sent that will display on the phone, you can force an audible alarm to play, or you can completely wipe the device data making sure that your personal information is completely inaccessible.

Summary

Given that all of the precautions outlined here are available to you free of charge if your an iPhone owner, you have no excuse not to take these precautions to protect your data. in the new world of the smart phone as digital wallet, personal organizer, and information destination, it’s a necessity.