<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;">In this issue:</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">1. Serious OpenSSL Vulnerability</div>
<div style="margin: 0px; font-family: Helvetica;">2. April 2014 Security Updates from Microsoft</div>
<div style="margin: 0px; font-family: Helvetica;">3. Windows XP Final Fixes Released</div>
<div style="margin: 0px; font-family: Helvetica;">4. Have you signed up for Security SIG yet?</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">1. Serious OpenSSL Vulnerability</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">This week a serious vulnerability in the OpenSSL cryptographic software library was discovered. This weakness, dubbed The Heartbleed Bug, allows a remote attacker to access system memory which may contain encryption
keys, usernames, passwords or other sensitive information. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">OpenSSL provides communication security and privacy over the Internet for many applications, including web, email, instant messaging (IM) and some virtual private networks (VPNs).</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Fixes</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Vendors are currently releasing patches to address this vulnerability. Please consult with your vendor and patch immediately.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">In high risk areas (i.e. dealing with protected/regulated data) consider replacement of both keys and certificates. Some Certificate Authorities may charge a few to issue a new certificate.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">What is the risk?</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">This bug has left large amounts of sensitive data (encryption keys, usernames, passwords, etc.) exposed to attackers. Exploitation of the Heartbleed bug leaves no trace, and thus requires us to take this exposure
seriously. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">In a worst-case scenario, leaked encryption keys allow an attacker to decrypt traffic, both current and past, to the protected services. An attacker may also impersonate the service at will.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">If you require any assistance, please contact
<a href="mailto:security@mit.edu">security@mit.edu</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://heartbleed.com/">Read the full story online</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">-------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">2. April 2014 Security Updates from Microsoft</div>
<div style="margin: 0px; font-family: Helvetica;">-------------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Today, April 8, Microsoft is releasing
<a href="http://technet.microsoft.com/en-us/security/bulletin/ms14-apr">four new security bulletins</a>. Two of the bulletins are rated critical. Microsoft systems that will be affected:</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<ul>
<li style="margin: 0px; font-family: Helvetica;">Windows (all current operating systems and servers)
</li><li style="margin: 0px; font-family: Helvetica;">Internet Explorer (all supported versions)
</li><li style="margin: 0px; font-family: Helvetica;">Microsoft Word and Office for Mac
</li><li style="margin: 0px; font-family: Helvetica;">Microsoft Publisher 2003 and 2007
</li></ul>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">It is recommended to accept the updates.
<a href="http://ist.mit.edu/waus">MIT WAUS</a> subscribers will receive the updates after they have been tested for compatibility within the MIT computing environment. Installing the bulletins manually may require a restart.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">One of the bulletins released today addresses the RTF (Rich Text Format) hole in Word (<a href="http://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000590.aspx"><span style="font-size: 15px; font-family: Arial;">CVE-2014-1761</span></a>),
on all supported platforms, including on the Mac.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">-------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">3. Windows XP Final Fixes Released</div>
<div style="margin: 0px; font-family: Helvetica;">-------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Today’s security updates from Microsoft include a final fix for Windows XP and Office 2003. Today marks the end of an era. Windows XP was first rolled out in 2001 and was the most widely adopted operating system. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">As users migrate to the newer operating systems, there will still be some organizations and individuals who run older systems and can’t yet upgrade. As a result, organizations will continue to struggle with
left-over Windows XP boxes on their networks, leaving them open to vulnerabilities and exploits. The market for exploits will therefore remain into the foreseeable future and it is recommended to keep network-based intrusion prevention solutions tuned to blocking
exploits, even those against Windows XP. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">If you must run a Windows XP-based system, disconnect it from the Internet. Keep in mind that not only will Windows XP be retired, but all the software running on that system, such as Internet Explorer and Word
2003 will no longer be updated for Windows XP. Run up-to-date anti-virus software</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">If you are still running Windows XP and want to figure out what to do now,
<a href="http://www.computerworld.com/s/article/9247513/FAQ_Good_bye_old_pal_old_paint_Windows_XP">
this article has some helpful tips for the current Windows XP user</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">-----------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">4. Have you signed up for Security SIG yet?</div>
<div style="margin: 0px; font-family: Helvetica;">-----------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">Security SIG is a voluntary group of MIT faculty, staff and students dedicated to the free exchange of IT Security information, resources, ideas and tools via on-going discussions through email. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://kb.mit.edu/confluence/x/6VAYCQ">Find out how to join here</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div style="margin: 0px; font-family: Helvetica;">Read all archived Security FYI Newsletter articles and submit comments online at
<a href="http://securityfyi.wordpress.com/"><span style="color: rgb(4, 46, 238);">http://securityfyi.wordpress.com/</span></a>.</div>
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div><br>
</div>
<div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<br>
Monique Buchanan<br>
IT Security Communications Consultant<br>
Information Systems & Technology (IS&T)<br>
Massachusetts Institute of Technology<br>
<a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a><br>
tel: 617.253.2715<br>
<br>
<br>
</div>
</div>
</div>
<br>
</body>
</html>