[10221] in Security FYI
[IS&T Security-FYI] SFYI Newsletter, April 8, 2014
daemon@ATHENA.MIT.EDU (Monique Buchanan)
Tue Apr 8 20:12:53 2014
From: Monique Buchanan <myeaton@mit.edu>
To: "ist-security-fyi@mit.edu" <ist-security-fyi@mit.edu>
Date: Wed, 9 Apr 2014 00:11:39 +0000
In this issue:
1. Serious OpenSSL Vulnerability
2. April 2014 Security Updates from Microsoft
3. Windows XP Final Fixes Released
4. Have you signed up for Security SIG yet?
---------------------------------------------
1. Serious OpenSSL Vulnerability
---------------------------------------------
This week a serious vulnerability in the OpenSSL cryptographic software library was discovered. This weakness, dubbed The Heartbleed Bug, allows a remote attacker to access system memory which may contain encryption keys, user credentials or other sensitive information.
OpenSSL provides communication security and privacy over the Internet for many applications, including web, email, instant messaging (IM) and some virtual private networks (VPNs).
Fixes
Vendors are currently releasing patches to address this vulnerability. Please consult with your vendor and patch immediately.
In high risk areas (i.e. dealing with protected/regulated data) consider replacement of both keys and certificates. Some Certificate Authorities may charge a fee to issue a new certificate.
What is the risk?
This bug can leave large amounts of sensitive data exposed to attackers. Exploitation of the Heartbleed bug leaves no trace, and thus requires us to take this exposure seriously.
In a worst-case scenario, leaked encryption keys allow an attacker to decrypt traffic, both current and past, to the protected services. An attacker may also impersonate the service at will.
If you require any assistance, please contact security@mit.edu.
Read the full story online<http://heartbleed.com/>.
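As an added illustration (not part of the newsletter), a small Python helper for the two follow-up actions this item recommends: checking whether a host's OpenSSL build falls in the affected range, and flagging a served certificate that was issued before the host was patched, which should be replaced because a leaked key cannot be detected after the fact. The affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g) and the disclosure date come from OpenSSL's own advisory rather than this message; the sample certificates and host name are constructed.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Day Heartbleed was disclosed and the fixed release shipped (known fact, not from the
# newsletter). Certs issued before a host was patched should be treated as exposed.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def openssl_is_vulnerable(version_string):
    """True for OpenSSL 1.0.1 through 1.0.1f, the releases with the Heartbleed bug.
    Accepts the format of ssl.OPENSSL_VERSION, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'.
    1.0.1g and later, and the separate 1.0.0 / 0.9.8 branches, are not affected."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)", version_string)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)            # '' for plain 1.0.1, 'a'..'z' for point releases
    return branch == (1, 0, 1) and letter < "g"

def cert_needs_reissue(cert, exposed_since=HEARTBLEED_DISCLOSURE):
    """Flag a certificate (dict in ssl.getpeercert() format) issued before the
    service was patched: its private key may have leaked and should be rotated."""
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    return not_before < exposed_since

def check_remote_cert(host, port=443, patched_on=HEARTBLEED_DISCLOSURE):
    """Live check (needs network): fetch the served certificate and report whether
    it predates the patch date, i.e. whether the operator still needs to reissue."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_needs_reissue(tls.getpeercert(), patched_on)

# Constructed samples in ssl.getpeercert() format; not real certificates.
SAMPLE_OLD_CERT = {"subject": ((("commonName", "example.test"),),),
                   "notBefore": "Jan 15 00:00:00 2014 GMT",
                   "notAfter": "Jan 15 23:59:59 2016 GMT"}
SAMPLE_NEW_CERT = {"subject": ((("commonName", "example.test"),),),
                   "notBefore": "Apr 10 00:00:00 2014 GMT",
                   "notAfter": "Apr 10 23:59:59 2016 GMT"}

if __name__ == "__main__":
    print("local OpenSSL affected:", openssl_is_vulnerable(ssl.OPENSSL_VERSION))
    print("old cert needs reissue:", cert_needs_reissue(SAMPLE_OLD_CERT))  # True
    print("new cert needs reissue:", cert_needs_reissue(SAMPLE_NEW_CERT))  # False
```

A certificate issued after the disclosure is not proof the server was patched before reissuing; the date check is a triage aid for inventories, not a substitute for confirming the OpenSSL version on each host.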
-------------------------------------------------------------
2. April 2014 Security Updates from Microsoft
-------------------------------------------------------------
Today, April 8, Microsoft is releasing four new security bulletins<http://technet.microsoft.com/en-us/security/bulletin/ms14-apr>. Two of the bulletins are rated critical. Microsoft systems that will be affected:
* Windows (all current operating systems and servers)
* Internet Explorer (all supported versions)
* Microsoft Word and Office for Mac
* Microsoft Publisher 2003 and 2007
It is recommended to accept the updates. MIT WAUS<http://ist.mit.edu/waus> subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment. Installing the bulletins manually may require a restart.
One of the bulletins released today addresses the RTF (Rich Text Format) hole in Word (CVE-2014-1761<http://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000590.aspx>), on all supported platforms, including on the Mac.
-------------------------------------------------
3. Windows XP Final Fixes Released
-------------------------------------------------
Today’s security updates from Microsoft include a final fix for Windows XP and Office 2003. Today marks the end of an era. Windows XP was first rolled out in 2001 and was the most widely adopted operating system.
As users migrate to the newer operating systems, there will still be some organizations and individuals who run older systems and can’t yet upgrade. As a result, organizations will continue to struggle with left-over Windows XP boxes on their networks, leaving them open to vulnerabilities and exploits. The market for exploits will therefore remain into the foreseeable future and it is recommended to keep network-based intrusion prevention solutions tuned to blocking exploits, even those against Windows XP.
If you must run a Windows XP-based system, disconnect it from the Internet. Keep in mind that not only will Windows XP be retired, but all the software running on that system, such as Internet Explorer and Word 2003, will no longer be updated for Windows XP. Run up-to-date anti-virus software.
If you are still running Windows XP and want to figure out what to do now, this article has some helpful tips for the current Windows XP user<http://www.computerworld.com/s/article/9247513/FAQ_Good_bye_old_pal_old_paint_Windows_XP>.
-----------------------------------------------------------
4. Have you signed up for Security SIG yet?
-----------------------------------------------------------
Security SIG is a voluntary group of MIT faculty, staff and students dedicated to the free exchange of IT Security information, resources, ideas and tools via on-going discussions through email.
Find out how to join here<http://kb.mit.edu/confluence/x/6VAYCQ>.
=======================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================
Monique Buchanan
IT Security Communications Consultant
Information Services & Technology, MIT
http://ist.mit.edu/security