2014-04-30

IE Vulnerability in a post-WinXP Support Era

US Dept. of Homeland Security official advisory on a recent Internet Explorer vulnerability affecting versions 6 through 11 of the popular default Windows browser.

http://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being

Microsoft now has an accompanying security advisory with many technical details and workarounds, including use of the Enhanced Security feature of IE.

https://technet.microsoft.com/en-US/library/security/2963983

If you are on WinXP, however, IE 8 is the last version of Internet Explorer available to you and no patch will be released.  In this case you should strongly consider installing and using another browser such as Firefox or Google Chrome.  On a WinXP computer you may want to kill IE so that it never gets used, even by a user who manually invokes the application directly.

Here's how to kill IE once and for all on WinXP: http://www.runbooks.info/p/disable-internet-explorer-on-winxp.html




2014-04-08

Heartbleed Bug OpenSSL

Possibly one of the most significant security bugs in recent times. Any server running OpenSSL 1.0.1 through 1.0.1f (inclusive) is vulnerable to this security threat.  As this is a common package on many Linux distros, a very large number of Internet servers, hosting everything from websites, ecommerce sites, email systems, instant messaging, etc., are likely affected by this bug.

By exploiting this memory leak the server's private key can be compromised.  The attack leaves no trace. With the private key in hand, attackers could decrypt any past and future secure traffic that used/uses this key.

For the average Internet user, this potentially means that the password you use to access a given secure website (on a server affected by this bug) could be determined by anyone who has access to a copy of the data packets exchanged between you and the "secure" server.  This could be anyone with access to the path on which your data flows between client and web server: a local network administrator, an ISP (the NSA, it goes without saying).

What Happens Now:
Sys admins will need to patch their systems and get new private keys re-issued.
Users should change their passwords once the system is fully patched and operating with new keys.

The affected versions of OpenSSL are included by default in the following operating systems.

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)


OpenSSL Security Advisory from 07 Apr 2014 (http://www.openssl.org/news/secadv_20140407.txt)
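The quickest first pass when triaging a fleet against the 1.0.1 through 1.0.1f range above is to read what `openssl version` and `openssl version -b` report on each host. The script below is an added example, not code from the original post or from the OpenSSL project; the host banners it embeds are constructed to mimic OpenSSL's output format and do not describe real machines. It deliberately refuses to call a host "affected" on the version string alone when the library was built on or after the 07 Apr 2014 advisory date, because distributions ship backported fixes under the old upstream version number (Debian's 1.0.1e-2+deb7u4 from the list above, for instance, is a distro package string, and its successors kept the 1.0.1e prefix). Such hosts are flagged for a package-level check instead.

```python
import re
from datetime import date

# Constructed sample output of `openssl version` and `openssl version -b`
# per host (hypothetical host names, not real systems).
SAMPLE_HOSTS = {
    "web-1":  ("OpenSSL 1.0.1e 11 Feb 2013", "built on: Thu Jan  9 21:45:01 UTC 2014"),
    "web-2":  ("OpenSSL 1.0.1g 7 Apr 2014",  "built on: Mon Apr  7 19:02:10 UTC 2014"),
    "mail-1": ("OpenSSL 1.0.1e 11 Feb 2013", "built on: Tue Apr  8 01:30:00 UTC 2014"),
    "legacy": ("OpenSSL 0.9.8y 5 Feb 2013",  "built on: Wed Feb  6 10:00:00 UTC 2013"),
    "vpn-1":  ("OpenSSL 1.0.1 14 Mar 2012",  "built on: Fri Mar 16 08:12:44 UTC 2012"),
}

ADVISORY_DATE = date(2014, 4, 7)   # OpenSSL secadv_20140407
AFFECTED_BASE = (1, 0, 1)          # affected range is 1.0.1 .. 1.0.1f inclusive
LAST_AFFECTED_LETTER = "f"

_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
_BUILT_RE = re.compile(
    r"built on:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+\w+\s+(\d{4})")
_MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_version(banner):
    """Return (major, minor, fix, letter) from an `openssl version` banner.

    The letter is '' for a bare release such as 1.0.1.  Raises ValueError
    when the banner carries no OpenSSL version at all."""
    m = _VER_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version in %r" % banner)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def parse_build_date(line):
    """Return the build date from an `openssl version -b` line, or None when
    the line is not in the 'built on: Thu Jan  9 21:45:01 UTC 2014' form."""
    m = _BUILT_RE.search(line)
    if not m or m.group(1) not in _MONTHS:
        return None
    return date(int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))


def in_heartbleed_range(banner):
    """True when the upstream version is 1.0.1 through 1.0.1f inclusive.
    Single-letter patch suffixes sort lexically, so '' <= 'f' and 'g' > 'f'."""
    major, minor, fix, letter = parse_version(banner)
    return (major, minor, fix) == AFFECTED_BASE and letter <= LAST_AFFECTED_LETTER


def triage(version_banner, built_line):
    """Classify one host:
       'not-affected'   version outside 1.0.1..1.0.1f
       'affected'       in range and built before the advisory date
       'review-package' in range but rebuilt on/after the advisory date,
                        so a backported fix is possible; verify the distro
                        package changelog rather than trusting the banner."""
    if not in_heartbleed_range(version_banner):
        return "not-affected"
    built = parse_build_date(built_line)
    if built is not None and built >= ADVISORY_DATE:
        return "review-package"
    return "affected"


def triage_all(hosts):
    """Map each host name to its triage verdict."""
    return {name: triage(ver, built) for name, (ver, built) in hosts.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage_all(SAMPLE_HOSTS).items()):
        print("%-8s %s" % (host, verdict))
```

Hosts that come back as "affected" or "review-package" then go through the steps listed under What Happens Now: patch, re-issue the private key and certificate, and only afterwards rotate user passwords. The build-date check is a heuristic for prioritising work, not proof of safety; the package manager's changelog for the installed OpenSSL version is the authoritative source.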