[IS&T Security-FYI] SFYI Newsletter, April 8, 2014

Monique Buchanan myeaton at MIT.EDU
Tue Apr 8 17:21:59 EDT 2014


In this issue:

1. Serious OpenSSL Vulnerability
2. April 2014 Security Updates from Microsoft
3. Windows XP Final Fixes Released
4. Have you signed up for Security SIG yet?


---------------------------------------------
1. Serious OpenSSL Vulnerability
---------------------------------------------

This week a serious vulnerability in the OpenSSL cryptographic software library was disclosed. This weakness, dubbed the Heartbleed Bug, allows a remote attacker to read server memory, which may contain encryption keys, usernames, passwords or other sensitive information.

OpenSSL provides communication security and privacy over the Internet for many applications, including web, email, instant messaging (IM) and some virtual private networks (VPNs).

Fixes

Vendors are currently releasing patches to address this vulnerability. Please consult with your vendor and patch immediately.

In high-risk areas (i.e. systems handling protected or regulated data), consider replacing both keys and certificates. Some Certificate Authorities may charge a fee to issue a new certificate.

What is the risk?

This bug has left large amounts of sensitive data (encryption keys, usernames, passwords, etc.) exposed to attackers. Exploitation of the Heartbleed bug leaves no trace in logs, so the exposure must be treated as real even where no attack has been observed.

In a worst-case scenario, leaked encryption keys allow an attacker to decrypt traffic, both current and past, to the protected services. An attacker may also impersonate the service at will.

If you require any assistance, please contact security at mit.edu<mailto:security at mit.edu>.

Read the full story online<http://heartbleed.com/>.
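As an added triage aid (not from the newsletter or from OpenSSL), the script below classifies the text printed by "openssl version -a" against the affected upstream range. It assumes these facts: upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the vulnerable heartbeat code, 1.0.1g fixed it, 0.9.8 and 1.0.0 never had the TLS heartbeat extension, and a build compiled with -DOPENSSL_NO_HEARTBEATS is not affected; the sample outputs are constructed.

```python
import re

# Added example, not from the newsletter. Assumed facts: upstream OpenSSL
# 1.0.1 through 1.0.1f and 1.0.2-beta1 ship the vulnerable heartbeat code;
# 1.0.1g fixed it; 0.9.8 and 1.0.0 never had the TLS heartbeat extension;
# a build compiled with -DOPENSSL_NO_HEARTBEATS is not affected either.
VULNERABLE_101_SUFFIXES = {"", "a", "b", "c", "d", "e", "f"}
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?")


def assess_openssl_build(version_output: str) -> tuple:
    """Triage the text printed by `openssl version -a`.

    Returns (may_be_vulnerable, reason). A True result means "the upstream
    release string is in the affected range": distributions backported the
    fix without changing the version letter, so confirm with the vendor's
    advisory or package changelog before declaring a host vulnerable.
    """
    m = VERSION_RE.search(version_output)
    if not m:
        return False, "no OpenSSL version string found"
    release, letter, beta = m.groups()
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return False, f"{release}{letter} built with OPENSSL_NO_HEARTBEATS"
    if release == "1.0.1" and letter in VULNERABLE_101_SUFFIXES:
        return True, f"upstream 1.0.1{letter} is in the affected range (fixed in 1.0.1g)"
    if release == "1.0.2" and beta == "-beta1":
        return True, "1.0.2-beta1 is in the affected range"
    return False, f"{release}{letter}{beta or ''} is outside the affected range"


# Constructed sample outputs in the format of `openssl version -a`.
SAMPLE_VULNERABLE = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 2013
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
"""
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\n"
SAMPLE_NO_HEARTBEATS = """OpenSSL 1.0.1c 10 May 2012
compiler: gcc -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -D_REENTRANT
"""

if __name__ == "__main__":
    for name, text in [("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED),
                       ("no-heartbeats", SAMPLE_NO_HEARTBEATS)]:
        flagged, why = assess_openssl_build(text)
        print(f"{name:14} flagged={flagged}  {why}")
```

A "flagged" host still needs the vendor check the newsletter describes, since a distribution package such as 1.0.1e may already carry the backported fix.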


-------------------------------------------------------------
2. April 2014 Security Updates from Microsoft
-------------------------------------------------------------

Today, April 8, Microsoft is releasing four new security bulletins<http://technet.microsoft.com/en-us/security/bulletin/ms14-apr>. Two of the bulletins are rated critical. The affected Microsoft products are:

  *   Windows (all current operating systems and servers)
  *   Internet Explorer (all supported versions)
  *   Microsoft Word and Office for Mac
  *   Microsoft Publisher 2003 and 2007

It is recommended to accept the updates. MIT WAUS<http://ist.mit.edu/waus> subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment. Installing the bulletins manually may require a restart.

One of the bulletins released today addresses the RTF (Rich Text Format) hole in Word (CVE-2014-1761<http://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000590.aspx>) on all supported platforms, including the Mac.


-------------------------------------------------
3. Windows XP Final Fixes Released
-------------------------------------------------

Today’s security updates from Microsoft include a final fix for Windows XP and Office 2003. Today marks the end of an era. Windows XP was first rolled out in 2001 and was the most widely adopted operating system.

As users migrate to newer operating systems, some organizations and individuals will still run older systems they cannot yet upgrade. As a result, organizations will continue to struggle with left-over Windows XP boxes on their networks, leaving them open to vulnerabilities and exploits. The market for exploits against Windows XP will therefore persist for the foreseeable future, so it is recommended to keep network-based intrusion prevention solutions tuned to block exploits, including those targeting Windows XP.

If you must run a Windows XP-based system, disconnect it from the Internet. Keep in mind that not only is Windows XP being retired, but all the software running on that system, such as Internet Explorer and Word 2003, will no longer be updated for Windows XP. Run up-to-date anti-virus software.

If you are still running Windows XP and want to figure out what to do now, this article has some helpful tips for the current Windows XP user<http://www.computerworld.com/s/article/9247513/FAQ_Good_bye_old_pal_old_paint_Windows_XP>.


-----------------------------------------------------------
4. Have you signed up for Security SIG yet?
-----------------------------------------------------------

Security SIG is a voluntary group of MIT faculty, staff and students dedicated to the free exchange of IT Security information, resources, ideas and tools via on-going discussions through email.

Find out how to join here<http://kb.mit.edu/confluence/x/6VAYCQ>.


=======================================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
=======================================================================================


Monique Buchanan
IT Security Communications Consultant
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715


