Monday, October 27, 2008

Sun Releases Java(TM) 6 Update 10

As of Oct 27, 2008, the current version of Sun's Java client is Java(TM) 6 Update 10.

Action Required: Please follow our "How To Update Sun's Java Software" to update your Java software.

Fixed: This release contains feature enhancements and bug fixes. The full list of changes may be found here.

Note: Older versions of Sun Java are not removed from your system when downloading and installing new versions from Sun. Therefore, if you have the latest Sun Java version installed, then you should consider removing all older versions of Sun Java from your system. This can be done via "Add/Remove Programs" in the Microsoft Windows "Control Panel".

Friday, October 24, 2008

Audio Problem Troubleshooting Suggestions from Adobe Connect (Breeze)

Issue: Since PSU ITS updated to Adobe Connect v7 earlier this year, there have been intermittent audio issues during Adobe Connect meetings and trainings.

This Tech Alert is in response to an ALERT from Adobe:
In Connect 7, Adobe included an “enhanced” audio solution for PC users when running the audio setup wizard. It’s in the advanced settings area. This is different than Connect v6 and the cause of some of the problems out there. Until the service pack fix is initiated, I believe this enhanced audio feature is defaulting to “on”. We would like everyone to turn that off as a troubleshooting option (and it will default to off with the service pack).

This means everyone in the meeting should have the enhanced audio box set to “off” (unchecked). Otherwise, the enhanced audio may create problems with gain and other audio pickup and cause “breaks” in the delivery for everyone (on a congested network).

The service pack referred to is expected sometime in November. We will pass along information as it becomes available. Additional troubleshooting tips received today are posted at http://meeting.psu.edu/node/519.

Action Required (if you use Adobe Connect): EACH TIME you log into an Adobe Connect Meeting, you need to run through the Audio Set-up Wizard to configure your audio. When you reach the last window of the Audio Set-up Wizard, called “Finished,” click the Advanced Settings button, then look for the checkbox in the upper right-left portion of your screen. Uncheck the “use Enhanced Audio” box.

If you have questions, don’t hesitate to contact Ag IT Support.

Thursday, October 16, 2008

Adobe Releases Flash Player 10 to Address Security Vulnerabilities (Clickjacking)

Adobe Systems has released a new version of its Flash Player software. This version includes a fix for the critical security bug that allowed hackers to hijack your browser in what's come to be known as a clickjacking attack.

On Oct 15, 2008, Adobe released a security advisory titled "Flash Player update available to address security vulnerabilities," which announced the availability of the new Flash Player 10 software. The advisory states in part:

Summary
Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform.


Affected software versions
Adobe Flash Player 9.0.124.0 and earlier.


Severity rating
Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.12.36.

Action Required: Ag IT recommends that you update the Adobe Flash Player on your Enterprise machine to mitigate the effects of clickjacking.
  1. To verify the Adobe Flash Player version number, you can visit the About Flash Player page. If this version is Flash Player 9.0.124.0 or earlier, please complete the remaining steps.
  2. To update to the current Adobe Flash Player version, go to the Player Download Center.
  3. Click Agree and install now.
  4. Follow on-screen steps to install.
  5. When the installation completes, you should see the current version of Flash Player displayed on the screen.

Note: If you use multiple browsers, perform the check for each browser you have installed on your computer.

Wednesday, October 08, 2008

Security Risk - Clickjacking

Clickjacking is a nasty security risk — it’s transparent to you the user, easy to put into operation and difficult to stop.

What is Clickjacking? This threat was brought to the public's attention in late September 2008. According to researchers Robert Hansen and Jeremiah Grossman, clickjacking happens when your browser is directed to a malicious Web site when you click on what appears to be a valid link.

How does this happen? First, a hacker has to break in and compromise a good site. The hacker can then set their external, malicious content to be invisible and overlay the normal page with a "transparent" cover. When you click on the normal page, you are in fact clicking on the externally loaded page. The content or page which then loads is whatever the hacker wants. For example, it could install a malware program like a rogue Anti-Spyware program.

In another clickjacking scenario, the page may not need to have the transparent overlay. Instead, the good page may have been hacked to contain JavaScript code that makes the invisible target constantly follow the mouse pointer, intercepting your first click wherever it may be.
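
The two patterns described above (a transparent overlay, and an invisible target that follows the pointer) are things a site owner can look for when reviewing a page; the following is an added example, not part of the original alert. It is a heuristic over frame descriptors, and the function names, the opacity cutoff and the sample data are assumptions constructed for illustration.

```javascript
// Added illustration, not from the original post. Names, the opacity cutoff
// and all sample data are assumptions constructed for this example.
const MAX_OPACITY = 0.1; // assumed cutoff for "effectively invisible"
const box = (left, top, width, height) => ({ left, top, width, height });
const contains = (r, p) =>
  p.x >= r.left && p.x <= r.left + r.width &&
  p.y >= r.top && p.y <= r.top + r.height;
const overlaps = (a, b) =>
  a.left < b.left + b.width && b.left < a.left + a.width &&
  a.top < b.top + b.height && b.top < a.top + a.height;

// frame.samples: the frame's rectangle recorded at several pointer positions.
function followsPointer(frame) {
  const s = frame.samples;
  if (s.length < 2) return false;
  const moved = s.some(x => x.rect.left !== s[0].rect.left || x.rect.top !== s[0].rect.top);
  return moved && s.every(x => contains(x.rect, x.pointer));
}

function auditFrames(pageOrigin, frames, clickTargets) {
  const findings = [];
  for (const f of frames) {
    const external = new URL(f.src).origin !== pageOrigin;
    if (!external || f.opacity > MAX_OPACITY || f.samples.length === 0) continue;
    if (followsPointer(f)) {
      findings.push({ id: f.id, reason: 'invisible frame tracks the pointer' });
      continue;
    }
    const covered = clickTargets.filter(
      t => overlaps(f.samples[0].rect, t.rect) && f.zIndex > t.zIndex);
    if (covered.length > 0) {
      findings.push({ id: f.id, reason: 'invisible frame covers: ' + covered.map(t => t.id).join(', ') });
    }
  }
  return findings;
}

// Constructed sample page: one visible player, one overlay, one pointer-follower.
const SAMPLE_TARGETS = [{ id: 'download-link', rect: box(100, 200, 120, 30), zIndex: 1 }];
const SAMPLE_FRAMES = [
  { id: 'video', src: 'https://media.example.org/player', opacity: 1, zIndex: 2,
    samples: [{ pointer: { x: 10, y: 10 }, rect: box(0, 300, 400, 300) }] },
  { id: 'cover', src: 'https://other.example.net/x', opacity: 0, zIndex: 99,
    samples: [{ pointer: { x: 10, y: 10 }, rect: box(0, 0, 800, 600) }] },
  { id: 'chaser', src: 'https://other.example.net/y', opacity: 0.01, zIndex: 99,
    samples: [{ pointer: { x: 50, y: 50 }, rect: box(40, 40, 20, 20) },
              { pointer: { x: 300, y: 90 }, rect: box(290, 80, 20, 20) }] },
];
console.log(auditFrames('https://www.example.edu', SAMPLE_FRAMES, SAMPLE_TARGETS));
```

The visible, legitimately embedded player is not reported; only the two near-transparent external frames are.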

On Oct 7, 2008, Adobe released a security advisory titled "Flash Player workaround available for 'Clickjacking' issue." The advisory states:

SUMMARY
Adobe is aware of recently published reports of a 'Clickjacking' issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. It has been determined that this potential "Clickjacking" issue affects Adobe Flash Player. Adobe is working to address this issue in an upcoming update to Flash Player.

SOLUTION
Customers:
To prevent this potential issue, customers can change their Flash Player settings as follows:

  1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
  2. Select the "Always deny" button.
  3. Select 'Confirm' in the resulting dialog.
  4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting.

    Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL:
    http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.

Action Required: Ag IT recommends that you follow the Adobe steps to mitigate the effects of clickjacking.

Note: If you use Adobe Connect (Breeze) for meetings or trainings, you will need to allow these sites access to Flash Player as mentioned in Step 4.

For detailed steps on how to do this, you can use our How To Allow "Camera and Microphone Access" in Adobe Connect (Breeze) steps.

Wednesday, October 01, 2008

Another Phishing message circulating

Faculty and staff are reminded that the College and University will *NEVER* request account/password information via email.

You should never reply to a message asking for account information, nor should you ever click a link from a message that asks for account information. Penn State and the College of Ag Sciences will never ask for your account/password in this method. If you receive messages of this type in the future, simply delete the message.

Here is an example of the latest phishing message that we have seen in the College.


Date: Wed, 1 Oct 2008 14:28:01 +0200 (CEST)
Subject: Account Expire in 4 Day(s)
From: "IT SERVICE"


Dear Webmail User,

This message was sent automatically by a program on Webmail which
periodically checks the size of inboxes, where new messages are received.
The program is run weekly to ensure no one's inbox grows too large. If
your inbox becomes too large, you will be unable to receive new email.
Just before this message was sent, you had 18 Megabytes (MB) or more
of messages stored in your inbox on your Webmail. To help us re-set
your SPACE on our database prior to maintain your INBOX, you must
reply to this e-mail and enter your

Current User name ( )
and Password( ).

You will continue to receive this warning message periodically if your
inbox size continues to be between 18 and 20 MB. If your inbox size
grows to 20 MB, then a program on Bates Webmai will move your oldest
email to a folder in your home directory to ensure that you will
continue to be able to receive incoming email. You will be notified by
email that this has taken place. If your inbox grows to 25 MB, you
will be unable to receive new email as it will be returned to the
sender.
After you read a message, it is best to REPLY and SAVE it to another
folder.

Thank you for your cooperation.
WEBMAIL Help Desk