ITS IA Advisory: Update for Shibboleth Service Providers


This message is intended for Shibboleth Service Providers (SPs)

The XMLTooling library in OpenSAML and Shibboleth Service Provider software contains a server-side request forgery (SSRF) vulnerability. Update to version 3.2.4 or later of the XMLTooling library to fix the vulnerability.

ALERT: Apply Emergency Update to Chrome


A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Patches to Google Chrome should be applied immediately after appropriate testing.

Help Me Now and UH South Paging Services Offices closed on Memorial Day


HITS walk-up support will be closed on Monday, May 29.

NOTICE: Beware of Phishing Emails Targeting Students


Highly customized email scams continue to target students at U-M with offers of jobs, internships, accommodations, and more. 

ITS IA Alert: Apply emergency update to Google Chrome browser–No manual steps needed for CoreImage users


A zero-day vulnerability has been discovered in the Google Chrome browser that could allow for remote code execution. There are no manual steps any CoreImage user should take for this.

Working offsite? Connect your CoreImage device to VPN by May 15 to maintain network access.


Flexible work is a great Michigan Medicine perk. But if you're not coming onsite regularly, you may not be getting all of the software and security updates your CoreImage PC needs.

Security, Services & Support

Customers may have issues viewing or accessing M365 web applications (at


NOTE: This issue has been resolved. If you experience any problems using M365 tools or services, please submit a ticket via the Help Center.

ITS Information Assurance alert: Update WordPress Elementor Pro plug-in for vulnerability


A vulnerability in Elementor Pro, a widely used WordPress plugin, is actively being exploited by threat actors. Apply the latest updates to Elementor Pro immediately after appropriate testing.

ALERT: Update Progress Telerik against active exploit


This message was sent to U-M IT groups on Tuesday, 3/21/23. It is intended for U-M IT staff who are responsible for university web servers that use the Progress Telerik User Interface for the .NET framework that runs on Windows.

New! Find IT and data info on the Research Project Process Map


The ‘IT and Data’ brown line guides researchers through IT security processes via the Research Project Route Map. 

Education, Research, Security

Doublecheck your data: is it safely stored?



As HITS prepares for a CoreImage system update, we remind users to save all data to the cloud or other secure storage.

Clinical, Education, Research, Security, Services & Support

Trouble in two-factor paradise: Hackers double down on Duo scams


Duo, U-M’s two-factor authentication service, has become the latest technology targeted by hackers. Earlier this month, leaders in Michigan Medicine’s Information Assurance (MM:IA) team rang the alarm bell.

Daylight Saving Time Begins - Effect on MiChart: Sunday, March 12, 2 a.m.


Sunday, March 12 marks the beginning of Eastern Daylight-Saving Time (DST) which will result in skipping the hour from 2 a.m. to 3 a.m. Once the time change occurs, this means the MiChart downtime for the upgrade will begin at 3 a.m. 


For details on the impacts to MiChart, review the Spring 2023 - Daylight Saving Time (DST) document.

Clinical, Education, Research, Security, Services & Support

New monthly Cornerstone Learning report will enable Michigan Medicine leaders to track their teams' training completions


Starting March 1, a new Cornerstone Learning report (“Manager Digest”) will be emailed to all Michigan Medicine leaders automatically each month – whenever any of their direct reports has assigned training modules that are overdue.


HITS to upgrade/replace telephone equipment in multiple locations


Between now and fall 2023, Health Information Technology & Services (HITS) will replace approximately 8,750 telephones across 50 different Michigan Medicine locations.

Invoke Microsoft Security Advisory for LDAP Channel Binding and Signing


LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers.

ITS Information Assurance Advisory: Update to version 2.17.0 Apache Log4j


A zero-day exploit that was originally communicated through an IA Alert on December 10, 2021 is affecting the Apache Log4j utility that could result in remote code execution. This remains an active threat. 


ALERT: Patching Microsoft systems for 3 zero-day exploits


Three zero-day vulnerabilities in Windows systems could allow attackers to achieve remote code execution or SYSTEM privileges on targeted systems. Windows systems should be patched as soon as possible after needed testing.

ITS IA Notice: OpenSSL


This message is intended for U-M IT staff who are responsible for updating university systems. OpenSSL discovered eight security flaws, seven of which are memory-related. A timing bug and seven memory vulnerabilities were discovered.

Action required before January 25: Applications using Michigan Medicine SSO (SAML) Identity Provider Service


The Production IdP Signing certificate for the Michigan Medicine Web SSO (SAML) / Access Manager / Web login authentication service will be replaced on January 25 between 5:00 p.m. to 5:30 p.m. and the SAML metadata will be refreshed with the new signing cert info.

ITS IA Advisory: Upgrade Git to version 2.39.1


Vulnerabilities were discovered in Git version 2.39 and older that could allow attackers to execute remote code. Users should upgrade to Git version 2.39.1 immediately. 


New year, new M365 features!


Health Information Technology & Services (HITS) is pleased to announce new features and capabilities within Michigan Medicine’s Microsoft 365 (M365) environment designed to make your work experience even better and more productive!

Clinical, Education, Research, Services & Support

Update: Fax Server/AccuRoute Issues


Thank you to everyone for their patience and understanding over the last five weeks. The Document Management Services Team also want you to know that they hear you loud and clear and are doing absolutely everything they can to help resolve the issues the organization is experiencing with the fax server/AccuRoute WebApps.


Paging website upgrade


As of December 7, the internal paging website was upgraded to offer improved access and usability.


For complete information, see the Paging Website upgrade article (Requires login to view content

Clinical, Education, Research, Security, Services & Support

Academic Engagement holding in-person office hours December 6,7, & 8


Back by popular demand! The HITS Academic Engagement team is holding in-person/hybrid office hours next week to talk through your IT needs. Join us on the medical campus December 6 & 8 and at NCRC December 7. 

Education, Research