[10220] in Security FYI


[IS&T Security-FYI] SFYI Newsletter, April 8, 2014

daemon@ATHENA.MIT.EDU (Monique Buchanan)
Tue Apr 8 17:23:25 2014

Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Tue, 8 Apr 2014 21:21:59 +0000
Message-ID: <ABC5E527-78E2-4F12-953A-D7C5E2777B54@mit.edu>

In this issue:

1. Serious OpenSSL Vulnerability
2. April 2014 Security Updates from Microsoft
3. Windows XP Final Fixes Released
4. Have you signed up for Security SIG yet?


---------------------------------------------
1. Serious OpenSSL Vulnerability
---------------------------------------------

This week a serious vulnerability in the OpenSSL cryptographic software library was discovered. This weakness, dubbed The Heartbleed Bug, allows a remote attacker to access system memory which may contain encryption keys, usernames, passwords or other sensitive information.

OpenSSL provides communication security and privacy over the Internet for many applications, including web, email, instant messaging (IM) and some virtual private networks (VPNs).

Fixes

Vendors are currently releasing patches to address this vulnerability. Please consult with your vendor and patch immediately.

In high risk areas (i.e. systems dealing with protected/regulated data) consider replacement of both keys and certificates. Some Certificate Authorities may charge a fee to issue a new certificate.

What is the risk?

This bug has left large amounts of sensitive data (encryption keys, usernames, passwords, etc.) exposed to attackers. Exploitation of the Heartbleed bug leaves no trace, so there is no way to tell whether a given system was attacked, and the exposure must therefore be taken seriously.

In a worst-case scenario, leaked encryption keys allow an attacker to decrypt traffic, both current and past, to the protected services. An attacker may also impersonate the service at will.
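An added example (not from the newsletter or MIT IS&T) of how a defender can audit the key-and-certificate replacement recommended under Fixes above. The inventory format, hostnames and fingerprints are constructed assumptions; the check encodes the ordering that matters: patch first, then generate a new private key, then reissue the certificate, since a certificate issued while the library was still vulnerable, or a new certificate over the old key, leaves the worst case above unchanged.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Endpoint:
    host: str
    patched_on: Optional[date]  # date the vendor's OpenSSL fix was applied; None = not yet
    cert_not_before: date       # issue date of the certificate currently served
    old_spki: str               # fingerprint of the public key before remediation
    new_spki: str               # fingerprint of the public key served now

def audit(ep: Endpoint) -> List[str]:
    """Findings for one endpoint; an empty list means remediation was done in the right order."""
    if ep.patched_on is None:
        return ["NOT_PATCHED"]  # memory still readable remotely; a new key could leak again
    findings = []
    if ep.cert_not_before < ep.patched_on:
        # Issued (or reissued) while the library was still vulnerable, so the key
        # it certifies may already have been exposed.
        findings.append("CERT_PREDATES_PATCH")
    if ep.old_spki == ep.new_spki:
        # Same public key means the same private key: a fresh certificate does
        # nothing against someone who already holds that key.
        findings.append("KEY_REUSED")
    return findings

def parse_inventory(text: str) -> List[Endpoint]:
    """Parse lines of: host,patched_on,cert_not_before,old_spki,new_spki ('-' = unpatched)."""
    endpoints = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        host, patched, not_before, old_spki, new_spki = [f.strip() for f in line.split(",")]
        patched_on = None if patched == "-" else date.fromisoformat(patched)
        endpoints.append(Endpoint(host, patched_on, date.fromisoformat(not_before), old_spki, new_spki))
    return endpoints

def audit_inventory(text: str) -> Dict[str, List[str]]:
    """Map each host in the inventory to its findings."""
    return {ep.host: audit(ep) for ep in parse_inventory(text)}

# Constructed sample inventory: hostnames and fingerprints are placeholders, not real data.
SAMPLE_INVENTORY = """
# host,patched_on,cert_not_before,old_spki,new_spki
web.example.edu,2014-04-08,2014-04-09,spki-a1,spki-b2
vpn.example.edu,2014-04-08,2014-04-09,spki-c3,spki-c3
mail.example.edu,2014-04-08,2014-04-07,spki-d4,spki-e5
legacy.example.edu,-,2013-06-01,spki-f6,spki-f6
"""
```

The SPKI fingerprints would in practice be taken from the certificate served before and after remediation; comparing them catches the common mistake of reissuing a certificate over the same key.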

If you require any assistance, please contact security@mit.edu.

Read the full story online <http://heartbleed.com/>.


-------------------------------------------------------------
2. April 2014 Security Updates from Microsoft
-------------------------------------------------------------

Today, April 8, Microsoft is releasing four new security bulletins <http://technet.microsoft.com/en-us/security/bulletin/ms14-apr>. Two of the bulletins are rated critical. Microsoft systems that will be affected:

  *   Windows (all current operating systems and servers)
  *   Internet Explorer (all supported versions)
  *   Microsoft Word and Office for Mac
  *   Microsoft Publisher 2003 and 2007

It is recommended to accept the updates. MIT WAUS <http://ist.mit.edu/waus> subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment. Installing the bulletins manually may require a restart.

One of the bulletins released today addresses the RTF (Rich Text Format) hole in Word (CVE-2014-1761 <http://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000590.aspx>), on all supported platforms, including on the Mac.


-------------------------------------------------
3. Windows XP Final Fixes Released
-------------------------------------------------

Today's security updates from Microsoft include a final fix for Windows XP and Office 2003. Today marks the end of an era. Windows XP was first rolled out in 2001 and was the most widely adopted operating system.

As users migrate to the newer operating systems, there will still be some organizations and individuals who run older systems and can't yet upgrade. As a result, organizations will continue to struggle with left-over Windows XP boxes on their networks, leaving them open to vulnerabilities and exploits. The market for exploits will therefore remain into the foreseeable future, and it is recommended to keep network-based intrusion prevention solutions tuned to blocking exploits, even those against Windows XP.

If you must run a Windows XP-based system, disconnect it from the Internet. Keep in mind that not only will Windows XP be retired, but all the software running on that system, such as Internet Explorer and Word 2003, will no longer be updated for Windows XP. Run up-to-date anti-virus software.

If you are still running Windows XP and want to figure out what to do now, this article has some helpful tips for the current Windows XP user <http://www.computerworld.com/s/article/9247513/FAQ_Good_bye_old_pal_old_paint_Windows_XP>.


-----------------------------------------------------------
4. Have you signed up for Security SIG yet?
-----------------------------------------------------------

Security SIG is a voluntary group of MIT faculty, staff and students dedicated to the free exchange of IT Security information, resources, ideas and tools via on-going discussions through email.

Find out how to join here <http://kb.mit.edu/confluence/x/6VAYCQ>.


=======================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================


Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715