Campus Alerts

A critical zero-day vulnerability in Google Chrome, Microsoft Edge, and Mozilla Firefox may lead to arbitrary code execution. The vulnerability is a heap buffer overflow in the encoding of VP8 video in the libvpx video codec library used by each browser. Google states this vulnerability is being actively exploited. Patch now. For Google Chrome: To check if your browser is updated, navigate to Settings > Help > About Google Chrome or chrome://settings/help in the address bar. If your Chrome browser is listed as 117.0.5938.132 or higher, you are protected. For Microsoft Edge: To check if your browser is updated, navigate to Menu > Help and Feedback > About Microsoft Edge, or edge://settings/help in the address bar. If your Edge browser is listed as 117.0.2045.47 or higher, you are protected. For Mozilla Firefox: To check if your browser is updated, navigate to Settings > Help > About Firefox. If your Firefox browser is listed as either Firefox 118.0.1 or higher, or Firefox ESR 115.3.1 or higher, you are protected. Users should apply the following updates: • Google Chrome: 117.0.5938.132 or higher • Microsoft Edge: 117.0.2045.47 or higher • Mozilla Firefox: 118.0.1 or higher • Mozilla Firefox ESR: 115.3.1 or higher Certified Desktop customers: • Windows: Patches will automatically be installed via SecTeer VulnDetect. • macOS: Patches for Google Chrome, Mozilla Firefox, and Mozilla Firefox ESR will be available today, Monday, October 2 with a deadline of approximately 4:00 pm on Tuesday, October 3. Users who do not have a managed computer and macOS Microsoft Edge users should check for updates and install them. References: Google Chrome Releases: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html Release Notes for Microsoft Edge Security Updates: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security Mozilla Foundation Security Advisory 2023-44: https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/ Ars Technica: https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/

Between September 19 and November 12, 2023, IDM will be upgrading some of the domain controllers for cornell.edu Active Directory domain. The upgrade process will involve decommissioning one domain controller at a time and replacing it with a new domain controller with same name and IP address. This work will be performed during business hours and is expected to be completed with the same day. No service outage is anticipated as the change will affect only one domain controller at a time. However, if an application or service is configured to use a single domain controller, that application or service might be impacted when the specific domain controller is being worked on. Please be mindful of the maintenance dates below and plan to change the configuration to use another domain controller before the planned maintenance: 9/19: AD9 9/21: AD10 9/26: AD2 9/28: AD3 10/3: AD4 10/5: AD5 10/10: AD19 10/12: AD20 If you are using any of the DNS round-robin names such as query.ad.cornell.edu, awsquery.ad.cornell.edu or azquery.ad.cornell.edu, no action is required as CIT will update these records to exclude the domain controller before starting maintenance. We don't anticipate any impact, but just be aware that this will be done before the change. If you experience any issues with Active Directory during the maintenance due to decommissioning a domain controller, please contact the IT Service Help Desk.