BioIT News 
iTunes Vulnerability: Please Upgrade
DESCRIPTION:
A vulnerability has been reported in Apple iTunes, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an unspecified boundary error when processing album cover art. This can be exploited to cause a buffer overflow via a specially crafted music file. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in versions prior to 7.4.
SOLUTION:
Update to the newest version.
iTunes for Mac:
http://www.apple.com/itunes/download/
iTunes for Windows:
http://www.apple.com/itunes/download/
Pangea Upgrades 08/29/2007 - 7:00pm
Java Update
As you may recall, in the past RamCT (the upgrade to WebCT) has required that Windows computers use a specific, older version of Java to work properly. Recently, ACNS applied a patch to RamCT. Windows PCs can now use the current version - Java 6 Update 2 (JRE 1.60_02-b06) with RamCT. This is the version we are recommending for Fall 2007 for Windows 2000/XP and Vista computers.
We're not sure what will happen with RamCT and new releases of Java - users are still asked to turn off Java auto update and use the version CSU has tested and recommended, unless you will not be using RamCT on a particular machine.
Additional information on RamCT and Java, including a link to download Java 6 Update 2 is available at:
http://help.ramct.colostate.edu/JulyJavaUpdate.aspx
For Mac OS X users, running Software Update under System Preferences will update the Apple version of Java, which is working well with RamCT.
Please let me know if you have any questions or concerns.
Pangea unavailability during upgrades (08/08/2007)
Important: Java Vulnerability Discovered
A vulnerability exists in Java, and live exploit code is circulating on the Internet. No reliable symptoms are available to tell whether a machine has been exploited, so it is important to get this one patched as soon as possible.
This issue can occur in the following releases (for Windows, Solaris, and Linux):
- Java Web Start in JDK and JRE 6 Update 1 and earlier
- Java Web Start in JDK and JRE 5.0 Update 11 and earlier
This issue is addressed in the following releases (for Windows, Solaris, and Linux):
- Java Web Start in JDK and JRE 6 Update 2 or later
- Java Web Start in JDK and JRE 5.0 Update 12 or later
In general, Java should be updated as soon as possible. Note that some applications are tested and certified only on particular revisions of Java, so make sure that the applications you use in your environment are OK before effecting this update across the board.
***RAMCT Chat Alert***
We have tested RamCT, and the Chat feature (the only Java-dependent piece we're currently using) works fine on Java version 5.0 update 12, which is patched for this vulnerability. NOTE: RamCT Chat does not currently work with ANY revision of Java 6. If you use the Chat feature of RamCT, do not upgrade to any revision of Java version 6.
Also note that, in Windows, running a Java update typically does NOT remove older versions of Java from a machine. If an unpatched version of Java is present, even if a new version has been installed, it can still contribute to an exploit. Go to Add/Remove Programs and remove old versions of Java.
For full details, and links to the relevant patches, please see
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102996-1
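An added example, not part of the original announcement: a Python check that flags installed Java versions falling in the affected ranges listed above, including old versions left behind on a machine after a newer one was installed. The hostnames and inventory are constructed, and the `1.<family>.0_<update>` version-string format is an assumption about how the versions are recorded.

```python
import re

# Fixed-in update numbers taken from the advisory text above:
# JDK/JRE 6 Update 2 or later, JDK/JRE 5.0 Update 12 or later.
FIXED_UPDATE = {6: 2, 5: 12}

# Matches strings such as "1.6.0_02-b06", "1.5.0_11" or "1.6.0" (no update).
VERSION_RE = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?(?:-\w+)?$")

def parse_java_version(text):
    """Return (family, update) for a '1.<family>.0_<update>' string, else None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def classify(text):
    """Classify one installed version as 'affected', 'patched' or 'unlisted'."""
    parsed = parse_java_version(text)
    if parsed is None or parsed[0] not in FIXED_UPDATE:
        return "unlisted"  # family not covered by the advisory text on this page
    family, update = parsed
    return "patched" if update >= FIXED_UPDATE[family] else "affected"

def audit(installed):
    """Map hostname -> affected versions still present on that machine."""
    findings = {}
    for host, versions in installed.items():
        stale = [v for v in versions if classify(v) == "affected"]
        if stale:
            findings[host] = stale
    return findings

# Constructed sample inventory (hypothetical hostnames); in practice the version
# strings would come from each machine's list of installed programs.
SAMPLE_INVENTORY = {
    "lab-pc-01": ["1.5.0_11", "1.6.0_02-b06"],  # updated, old version left behind
    "lab-pc-02": ["1.5.0_12"],
    "lab-pc-03": ["1.6.0_01", "1.6.0"],
    "lab-pc-04": ["1.4.2_15"],
}

if __name__ == "__main__":
    for host, stale in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: remove or update {', '.join(stale)}")
```

A machine is reported whenever any affected version is present, even if a patched version is installed alongside it.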
