Information System Security Meeting

November 8, 2012

Meeting Summary

Time: 1:30 p.m.

Location: Room 315, AgriLife Services

Next meeting – December 13

Action items from November meeting –

Gene Curtis – November Microsoft patches to be applied to systems on Nov 17-18 – PENDING

Jay Carper – PENDING patch application of Exchange patches -

Gene Curtis – Redhat patches will be deferred until a later date

Agenda:

  • Review recently released patches for AIT OSs
  • Microsoft Operating Systems and Products – patches for November 2012

Four CRITICAL, One IMPORTANT and One MODERATE

  • See AgriLife ISO Summary at -

(corrected link)

Additional resources providing Microsoft patch details –

  • RedHat products – all RedHat systems (except TIGM/Txgen) are current as of Oct 17

Patches released since application of RedHat updates in order of significance

Critical firefox update – Oct 26

Important Java 1.6.0 Open Development Kit update

  • Ubuntu implementation – All Ubuntu platforms current as of November 6.

NOTE: all Ubuntu installations for Lubbock are now running version 12.04.

  • NetPods - Debian implementation – All systems running the current Debian release (6.05)
  • Application updates
  • Adobe Flash update issued on November 6 (version 11.5.502.110)
  • Adobe Flash update for Internet Explorer 10 on Windows 8
  • Adobe Reader and Acrobat update issued on August 14 (10.1.4)
  • Google products – Chrome update (version 23.0.1271.64) issued on November 7
  • Mozilla products –
  • Firefox – versions 16.0.2 and ESR 10.0.10 released on Oct 26
  • Thunderbird – versions 16.0.2 and ESR 10.0.10 released on Oct 26
  • SeaMonkey – version 2.13.2 released on Oct 26
  • Oracle Products –

MySQL – Oracle MySQL patch update issued on Oct 16 – community edition

Versions 5.1.66, 5.5.28 and 5.6.6 are the current product versions

Java –

  • current release is 6.37 – update issued on Oct 16
  • current release is 7.09 – update issued on Oct 16
  • PHP products -

PHP 5.4.7 and 5.3.17 released – Oct 18

Detailed patch content and current application versions

Microsoft – patch release

Microsoft Security Bulletin Summary for November 2012

RedHat

Patches applied to RedHat Systems on Oct 17

Ubuntu implementations for Lubbock – installed version 12.04

NOTE: Ubuntu version 12.04 has been deployed on all systems for Lubbock.

All Ubuntu security patches issued prior to November 6 have been applied.

Debian - Current version of Debian is 6.0.5

Limited deployments remain - all Netpods are running the current version.

Applications

Adobe products

ColdFusion –

  • ColdFusion patch against a denial of service vulnerability – Sept 11

Reader/Acrobat –

  • Current version 10.1.4 released on August 14 –
  • Adobe Acrobat and Reader XI released on Oct 17

Flash –

  • version 11.5.502.110 released on Nov 7
  • version 11.3.375.12 (flash for Internet Explorer 10) released on Nov 7

Shockwave player

  • version 11.6.7.638 released on October 23 –

AIR update–

  • version 3.5.0.600 released on Nov 7

Apple products

Apple operating systems –

Update of Apple Safari to version 6.0

Mountain Lion OS-X version 10.8 released on July 24

Security update issued on September 20

OS-X - Security update 2012-004 for Snow Leopard (10.6.8), Lion (10.7.x) and Mountain Lion (10.8.x) – September 19

Leopard (OS-X 10.5.8) Security update issued on September 20

OS-X - Security update 2012-003 for Leopard to address flashback malware

Java – current release is 1.6.0_37 – patch issued on October 17

Mac OS-X version 10.7 and later (also known as 2012-006)

Java Update 6

Mac OS-X version 10.6.8

Java Update 11

iOS – current release is 5.1.1 – patch issued on May 7

Safari – current release is 5.1.7 - patch issued on May 9

Google products

Chrome –

  • New Linux, Windows, Mac and Chrome Frame version 23.0.1271.60 released – Nov 7

Mozilla products

Firefox

Version 16.0.2 of Firefox was released on Oct 26 –

Version 10.0.10 ESR of Firefox was released on Oct 26 -

  • Security vulnerabilities addressed in version 16.0.2/10.0.10

Note: Version 16.0.2 corresponds to version 10.0.10 for Extended Support Release

Thunderbird

Version 16.0.2 of Thunderbird was released on Oct 26

Version 10.0.10 ESR of Thunderbird was released on Oct 26.

  • Security vulnerabilities addressed in version 16.0.2/10.0.10

SeaMonkey – current release is 2.13.2 – patch issued on Oct 26 -

Oracle-

MySQL server updated

Oracle MySQL patch update issued on June 12

Versions 5.1.63, 5.5.24 and 5.6.6 are the current product versions

Java – release announcement

  • current release is 6.37 – Update issued on Oct 16
  • current release is 7.09 – update issued on Oct 16

Download link -

Recent Nessus scan results

Agricultural Leadership and Education – Bill Cochran

Scan results from Nov 1

  • High 0 (unchanged from Oct 1)

AgEconomics – Suzy Pryor

Scan results as of Nov 1

  • High 0 (down from 4 for Oct 1)

Amarillo/Bushland/Vernon - Trudy Wallace

Scan results as of Nov 1

  • High 0 (unchanged from the previous month)

Animal Science – Amanda Cockerham

Scan results as of Nov 1

  • Critical 3 (up from 0 last month)

  • High 3 (down from 4 last month)

Beaumont – Jim Medley/Jin Wang

Scan results from Nov 1

  • High 0 (unchanged from last month)

Blackland Research Temple – Gaylon Ivey

Scan results from Nov

  • High 2 – (report from Oct did not run successfully)

Bio and Ag Engineering Nessus results – David Riggs

Scan results from Nov 1

  • Critical 1 (unchanged from last month)

Bio-Bio Nessus results – Ed Evans

Scan results from Nov 1

  • Critical 5 (for the previous month, five critical vulnerabilities were identified as high)

  • High 2 (for the previous month a total of seven vulnerabilities were identified – five of which were critical)

Dallas Nessus results – Dean Phillips/John Munoz

Scan results from Nov 1

  • High 0 (unchanged from the previous month)

El Paso Nessus results – Dong Zhang

Scan results from Nov 1

  • High 0 (unchanged from the previous month)

Entomology Nessus results – Mark Wright

Scan results from Nov 1

  • Critical 1 (for the month of Oct, two critical vulnerabilities were identified – one was a false positive)

  • High 3 (unchanged from previous month)

EcoSystem Science and Management Nessus results – Jeff Wythe

Scan results from Nov 1

  • High 5 (third month with 5 high vulnerabilities)

Harris County Nessus results – Steve Winner

Scan results from Nov 8

  • High 0 (unchanged from the previous month)

Horticulture Nessus results – Paul Greer

Scan results from Nov 1

  • Critical 1 (up from zero last month)

Lubbock Nessus results – David Pointer

Scan results from Nov 3

  • High 0 (unchanged from last month)

NSFC/NUT Nessus results – Tim Dennis

Scan results from Nov 8

  • High 0 (unchanged from last month)

Poultry Science Nessus results – Robert Pottberg

Scan results from Nov 3

  • Critical 1 (critical vulnerability was identified in the Oct report – however it was overlooked)

  • High 0 (unchanged from last month)

Recreation Parks and Tourism Nessus results – David Burdette

Scan results from Nov 3

  • High 0 (unchanged from last month)

Soil and Crop Sciences – Kevin Moore/Scott Vajdak

Scan results from Nov 4

  • High 0 (unchanged from last month)

TIGM/TEXGen Nessus results – Michael McLeod

Scan results from Nov 3

  • Critical 8 (down from 9 for the previous month)

  • High 17 (up from 15 for the previous month)

TWRI/IRNR – Michael Foggett

Scan results from Nov 3

  • High 0 (unchanged from previous month)

Weslaco Research Center – John Munoz

Scan results from Oct 24

  • High 0 (down from 2 for the previous month)

Wildlife and Fisheries/Plant Pathology – Chris Court

Scan results from Nov 8

  • High 0 (unchanged from previous month)
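The month-over-month comparison above is done by hand in the minutes; the following added script (not part of the original minutes, and not an AgriLife tool) parses summary lines written in the same phrasing into structured counts and flags units whose Critical/High counts rose or still carry open Criticals. The sample text is constructed from the minutes' wording, not actual scan data.

```python
import re

# Constructed sample in the minutes' own phrasing (assumption: unit name precedes the owner after an en dash).
SAMPLE = """\
Animal Science – Amanda Cockerham
•Critical 3 (up from 0 last month)
•High 3 (down from 4 last month)
Beaumont – Jim Medley/Jin Wang
•High 0 (unchanged from last month)
TIGM/TEXGen – Michael McLeod
•Critical 8 (down from 9 for the previous month)
•High 17 (up from 15 for the previous month)
"""

LINE = re.compile(r"^[•\s]*(Critical|High)\s+(\d+)\s*\((.*)\)\s*$")
PREV = re.compile(r"(?:up|down) from (\d+)")

def parse_scan_summary(text):
    """Return {unit: {severity: (count, previous)}}; previous is None when the note gives no prior value."""
    results, unit = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if not m:
            # Any non-finding line starts a new unit: "Unit – Owner".
            unit = raw.split("–")[0].strip()
            results.setdefault(unit, {})
            continue
        sev, count, note = m.group(1), int(m.group(2)), m.group(3)
        p = PREV.search(note)
        prev = int(p.group(1)) if p else (count if "unchanged" in note else None)
        results[unit][sev] = (count, prev)
    return results

def flag_regressions(results):
    """List (unit, severity, reason) for counts that rose and for any open Critical findings."""
    flags = []
    for unit, sevs in results.items():
        for sev, (count, prev) in sevs.items():
            if prev is not None and count > prev:
                flags.append((unit, sev, f"rose from {prev} to {count}"))
            elif sev == "Critical" and count > 0:
                flags.append((unit, sev, f"{count} outstanding"))
    return flags

if __name__ == "__main__":
    for flag in flag_regressions(parse_scan_summary(SAMPLE)):
        print(*flag, sep=" | ")
```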

Background on AgriLife IT Patch methodology as of Jan 2012

As a routine process in the monthly ISS meeting, a review of the recent patches released by Microsoft (and other vendors) is performed.

The specific objectives are as follows:

  • Determine relevance of patches released by vendors to systems deployed by AgriLife IT
  • If vulnerabilities addressed by the patch present an exposure to AgriLife IT resources, a schedule is identified for the application of patches.
    o A focus on server system deployments has always been the primary objective
    o Workstation deployments began utilization of WSUS services in January 2012

As of September 2012, AgriLife Academic Departments utilizing WSUS include:

  • Recreations Parks and Tourism
  • ALEC
  • Animal Science
  • BAEN (Ag Engineering)
  • Entomology
  • Ecosystems (ESSM)
  • Plant Pathology
  • Soil & Crop
  • Wildlife & Fisheries

Note: As of September 2012, all AgriLife Research centers are now using WSUS.