Internet, Linux, Patches and updates, Privacy, Security

Extremely critical security bug affects most of the Internet

1 Comment

A bug in the OpenSSL cryptography software running on most of the world’s servers has opened a window into random server data that was never meant to be exposed.

This newly-discovered vulnerability – now known as ‘Heartbleed’ – has apparently existed for at least two years. It’s unclear whether the bug was known to (and used by) nefarious persons to gather supposedly secure information during that time.

Patches for affected operating systems and other software that uses OpenSSL were made available almost immediately after the bug was discovered by researchers. Anyone running a Linux server is strongly advised to update the OpenSSL library ASAP.

Services that use OpenSSL to provide security are separately assessing the risk to their customers and issuing their own advisories and recommendations. For instance, Yahoo Mail is known to be vulnerable. Mojang, makers of the popular game Minecraft, advise all players to change their passwords. Ars Technica is also advising all its users to change their passwords.

This bug is so important that it has its own web page, which provides an overview of the issue and makes general recommendations.

Update 2014Apr10: The LastPass web site has some helpful information about major sites that have been affected by Heartbleed and recommends changing your passwords for those sites. They also provide a site check that allows you to determine whether a particular site was affected by Heartbleed.

Adobe, Chrome, Flash, Internet Explorer, Patches and updates, Security

Flash Player 13 released

Leave a comment

Yesterday, Adobe announced a new version of Flash, 13.0.0.182. The new version includes fixes for several security vulnerabilities (including one of the two found at Pwn2Own), as well as numerous other bug fixes and enhancements. There are also some new features, but these are mostly of interest to developers. The official release notes page has all the details.

As usual, the integrated versions of Flash in Internet Explorer 10 and 11 will be updated via Windows Update, and Chrome’s integrated Flash will be updated automatically by the browser itself.

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for April 2014

Leave a comment

It’s a very special Patch Tuesday: the last one for Windows XP and Office 2003. Security vulnerabilities in those products that appear after today will not be publicly patched by Microsoft. Also losing support today is the much-despised Internet Explorer version 6.

There are four bulletins and corresponding updates this month. Two are flagged as Critical. The updates address eleven security vulnerabilities (CVEs) in Office (including Office 2003), Windows (including Windows XP), and Internet Explorer (including IE 6).

As expected, one of the updates addresses the recently-discovered vulnerability in Word’s handling of RTF documents.

The MSRC blog has a good overview of this month’s updates.

Microsoft, Patches and updates, Security, Windows XP

British and Dutch governments paying for Windows XP updates after April 8

Leave a comment

It’s long been understood that Microsoft would continue to produce updates for Windows XP after support officially ends on April 8, 2014 – for anyone willing to pay. What hasn’t been known for certain is whether anyone would actually pay.

Now, as reported by Ars Technica, the British and Dutch governments have apparently decided to delay upgrading thousands of Windows XP computers, and have contracted with Microsoft to continue supporting Windows XP.

This raises some interesting possibilities. It seems likely that at least one person who works in the British government will find a way to leak new Windows XP security updates to the rest of the world. Microsoft may have measures in place to prevent this, but people are inventive, and would probably find workarounds. Then again, would you trust a supposedly-official update that you obtained from a shady download site? One can imagine Microsoft relenting, and making the updates available to everyone, just to stop the spread of tainted updates.

Another possible scenario is that a flood of hacks, attacks and malware, all based on previously unknown Windows XP vulnerabilities, have such a huge impact on the Internet, that again Microsoft relents and makes updates available to everyone.

If Microsoft does give in and continue making updates available for everyone, what does that mean for the British and Dutch governments? Will they demand refunds from Microsoft? Each has apparently paid many millions of dollars for the updates, so it would be completely reasonable to want it back if the updates became available for free.

This is going to get interesting…

Update 2014Apr15: Add the US Internal Revenue Service to the list of organizations paying Microsoft for Windows XP support and patches.

Update 2014Apr21: Apparently Microsoft just reduced the price tag for Windows XP patches. Presumably they looked at the current Windows XP usage numbers and decided it’s less important to gouge corporate clients than it is to make sure Windows XP systems are patched.

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Advance notification for April 2014 Patch Tuesday

Leave a comment

Next Tuesday is much more significant than the usual Patch Tuesday, because this crop of updates will be the last one for both Windows XP and Office 2003.

After April 8, most of the IT-enlightened world will be holding its collective breath, waiting for a likely deluge of hacks, attacks and malware based on vulnerabilities in Windows XP and Office 2003.

According to the official advance warning bulletin from Microsoft, this month’s updates will include patches for Office, Windows and Internet Explorer. Two of the patches are flagged as Critical.

One of the patches addresses the recently-discovered vulnerability in Word’s handling of RTF documents.

As usual, there’s a somewhat less technical overview of the upcoming updates on the MSRC blog.

The SANS InfoSec Handlers Diary blog has its own take on the upcoming updates.

Security

SANS Ouch! newsletter: Yes, you are a target

Leave a comment

This month’s Ouch! newsletter (PDF) from SANS should dispel any thoughts you may have regarding your digital safety.

In the networked world, if your device is connected, it is potentially vulnerable. Staying safe is largely a matter of vigilance: keep your software patched, use strong, unique passwords, and avoid opening suspicious email or browsing shady web sites.

The Ouch! newsletter is aimed at general users, so IT professionals may not learn much from reading it.

Adobe, Flash, Security

Flash vulnerabilities found at Pwn2Own

1 Comment

The recent Pwn2Own hacking competition revealed vulnerabilities in a variety of software products, including Chrome, Firefox, Internet Explorer, and Flash.

While patches for Firefox and Chrome were released soon after the results of the contest were published, the vulnerabilities in Flash remain unpatched. They are identified as CVE-2014-0506 and CVE-2014-0510. Severity is ranked as high for both vulnerabilities. No exploits for these vulnerabilities have yet been seen in the wild.

Update 2014Apr09: CVE-2014-0506 was fixed in Flash 13.0.0.182.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.

Close

Ad-blocker not detected

Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.