Stanford University Home

Stanford Report Online

Stanford Report, March 17, 2004

PC users asked to download security patch

Beginning this week, campus web browsers may be automatically redirected to an Information Technology Systems and Services (ITSS) warning page if they are running on personal computers that are among the estimated 2,000 campus PCs that have not had the latest critical Windows security patch installed.

On February 10, Microsoft announced a newly discovered vulnerability in all versions of the Windows operating system, said David Hoffman, manager of information security services for ITSS. This flaw could open the door to another round of attacks much like the one the campus experienced last year with the MS Blaster and other Internet worms, he said.

Although a way for the virus to spread itself automatically throughout computer networks has not yet been seen, one could appear anytime, Hoffman said. It potentially would affect all the Windows PCs that are missing the security patch supplied by Microsoft, he said.

PC users running any version of Windows, including Windows 98, Millennium Edition, NT 4.0, 2000 or XP, should go to the ITSS Secure Computing web page (http://securecomputing.stanford.edu/win-update.html) and follow directions to install the security patch. (Even if you believe your Windows installation is completely updated, it can't hurt to apply the patch anyway, Hoffman said.) After installing the patch, you must restart your computer.

If your PC is connected to the Stanford network and is determined by ITSS network scans to be still vulnerable, any attempt by that PC to access a network external to Stanford -- such as an off-campus website -- will be redirected to an ITSS web server and the warning page will appear. The page will have instructions for installing the necessary security patch, along with a link to the patch installer itself.

The redirection will begin Wednesday on the main campus and on Monday, March 22, in the student residences.

The vulnerability is in the Windows ASN.1 library, a low-level component of the operating system. More information about the Windows ASN.1 vulnerability and computer security is available at http://securecomputing.stanford.edu.