CRITICAL SECURITY ALERT: Microsoft ActiveX Control Vulnerability Currently Being Exploited
The United States Computer Emergency Readiness Team (US-CERT) and Microsoft report a serious vulnerability in a Microsoft ActiveX control that may allow an attacker to take control of your computer.
An attacker could exploit this vulnerability by convincing an unsuspecting user to access a specially crafted website or HTML email message. The user does not need to do anything to get infected except visit a website that has been hacked.
**This vulnerability is currently being exploited.**
For a complete description of the vulnerabilities and affected software, refer to Microsoft Security Advisory (972890).
AFFECTED SOFTWARE
- Microsoft Windows XP
- Microsoft Windows Server 2003
THIS VULNERABILITY IS NOT A RISK IF YOU ARE USING WINDOWS VISTA.
WHAT YOU NEED TO DO TO PROTECT YOUR SYSTEM
**CURRENTLY THERE IS NOT A FIX FOR THIS VULNERABILITY, BUT MICROSOFT HAS PROVIDED A WORKAROUND (STEPS TO TAKE TO MINIMIZE THE RISK)**
1. Do NOT take action if you have a Computer Support Coordinator (CSC); they will apply the update for you or assist in instructing you.
2. If you do not have a CSC, please refer to Microsoft Security Advisory (972890) for more information on applying the workaround.
- Disable ActiveX by following the instructions in US-CERT’s Securing Your Web Browser document.
- Upgrade to Internet Explorer 7 or later.
ADDITIONAL INFORMATION
- US-CERT’s Cyber Security Alert SA09-187A (Non-technical)
- US-CERT’s Cyber Security Alert TA09-187A (Technical)
If you have questions about any of the information provided above, you may send email inquiries to Enterprise Information Security.
Tiki Maxwell, CISSP
UCSF Enterprise Information Security
Telephone: 415-514-1363
Tiki.maxwell@ucsf.edu
OAAIS Customer Support Service Desk
7 a.m. - 6 p.m., Mon – Fri
(415) 514-4100, Option 2
customersupport@ucsf.edu
help.ucsf.edu
