Alright, now that I have your attention, I can try to explain the slightly convoluted scenario that Microsoft has foisted onto us.
First of all, any vanilla Windows 8 systems are not affected. For the time being, systems running Windows 8 will continue to receive their updates as scheduled.
However, if you are running Windows 8.1, you will be required to install “Windows 8.1 Update” in order to meet Microsoft’s new product baseline and continue to receive security updates for your operating system. This Update (with a Capital U) is the rough equivalent of a Service Pack, and Microsoft will require this Update to be installed if you want to get any security updates published in the future.
Home users should update their systems with this “Update” by May 13 to remain supported, while enterprise customers and systems have been given a small reprieve and have until August 12 to make the same changes. If you do not patch by this time, the *only* patch available to you will be this lovely “Update” instead of anything more current. From the Microsoft website:
“…the Windows 8.1 Update is a required update to keep Windows 8.1 devices current. It will need to be installed to receive new updates from Windows Update starting on May 13th. The vast majority of these customers already have Automatic Update turned on, so they don’t need to be concerned since the update will simply install in the background prior to May 13th. For customers managing updates on their devices manually who haven’t installed the Windows 8.1 Update prior to May 13th, moving forward they will only see the option to install the Windows 8.1 Update in Windows Update. No new updates will be visible to them until they install the Windows 8.1 Update.”
Any C&IT DeskTech managed systems will be taken care of during this transition process; however, due to our diverse desktop deployment, I wanted to make sure that all of our campus system administrators are properly aware of this interesting wrinkle.
Microsoft has revealed that a fresh vulnerability has been discovered for all versions of Internet Explorer. Specifically, there is a way for malicious code to run on your computer if you use Internet Explorer (Versions 6 through 10) and visit some bad web content. Microsoft is actively working on a security patch which should be available in a few days. In the interim, refrain from using Internet Explorer when browsing to unknown or unfamiliar websites. The US Department of Homeland Security is also recommending that a different browser be used until a security patch is delivered.
While these vulnerabilities are not new, this part is: Windows XP WILL NOT have a fix for this. If you are still running Windows XP, your computer will be vulnerable to the end of time and there is no way to properly secure yourself. Microsoft will not be providing any further support for Windows XP, so if you are still running it, today should be a sign that you should upgrade as soon as possible.
But wait, there’s more! Unfortunately we are hit with a double-whammy today. Adobe just came out with a critical patch for yet another zero-day vulnerability completely unrelated to the above IE exploit. Thankfully, Adobe has a software patch available to address this issue. Computers that have Flash (and whose doesn’t?) need to have it updated immediately. You can check your current version of Flash – and update it as well – at the following site: http://helpx.adobe.com/flash-player.html
More info regarding the Adobe exploit:
Last night, a new server vulnerability was disclosed on the Internet that is sending shockwaves and causing large amounts of frustration and pain around the world. Certain versions of OpenSSL, which is used to encrypt web traffic, have been discovered to have a gaping security hole that can allow a remote attacker to read the memory of a vulnerable server. This attack can be performed remotely and without any authentication whatsoever. More information regarding this critical vulnerability can be found at:
Wayne State C&IT became aware of this issue late last night, and immediately began an analysis to see how much of our computing environment was affected and what the potential risk would be. Thankfully, no critical systems (Banner, Wayne Connect, Blackboard, Pipeline, WiFi, Academica) are currently at risk.
Centrally-managed servers have been addressed and/or patched at this point. Other system administrators, including persons supporting hosted systems, have also been contacted to ensure their applications are up to date and secure. We are running periodic scans of our computing environment to discover any systems which may need additional assistance.
We are continuing to monitor the progress of these events, and will keep the community informed of any developments.
Microsoft and the IT community have been talking about it for months (if not years), but the time is almost here when Windows XP will no longer be supported by Microsoft. This means no new security updates or patches will ever be created – the final set of updates will be coming out on April 8, 2014. After that, no official support will be provided for problems with Windows XP, and any vulnerabilities discovered will remain unfixed until the end of time. This is bad news, as any remaining XP systems could be easily exploited by attackers intent on stealing your data or controlling your computer.
If you have a computer that is still running Windows XP, please finalize any plans to upgrade or replace it during the next month. Information regarding some of your options can be found here:
Official publications regarding this situation can be found here:
It looks like Apple is not the only big player to have issues with SSL/TLS. The GnuTLS library is commonly used by Linux systems for secure communications, and a vulnerability (CVE-2014-0092) has been discovered in its certificate verification functions which may allow an attacker to view confidential information without your knowledge or authorization. This vulnerability has been confirmed on major distributions, including Ubuntu, RHEL, Slackware and Oracle Enterprise Linux.
System administrators should patch or upgrade their computer systems when possible. This is currently classified as a medium level vulnerability, so while immediate resolution is not necessarily required, please take note and work this into your next upgrade cycle.
If you have sent an email from your Wayne Connect account to a Hotmail, MSN, or Live.com email address within the past week, you probably had it bounce back as “undeliverable.” That’s because these email providers have flagged Wayne Connect as a source of spam.
How did this happen? It’s the result of a long chain of events:
- Spammers send phishing messages to Wayne Connect accounts. Some users, even just a handful, take the bait and send in their AccessID and password
- Or, the spammers used passwords from LinkedIn accounts to break into a Wayne Connect account — because the Wayne Connect user’s passwords were identical on both systems
- Spammers use the compromised AccessIDs to send millions of spam messages
- Spam recipients report spam to Real-Time Blackhole List (RBL) services such as SpamCop
- Multiple reports to the RBL service “confirm” that Wayne Connect is a spam source, and it is placed on the RBL.
- Email providers check the RBL to make a quick decision about an incoming message that originated from Wayne Connect. If Wayne Connect is on the RBL, they bounce the message and send some cryptic info mentioning SMTP Error 550.
- Wayne Connect support staff are alerted about the RBL status, locate the compromised Wayne Connect accounts and close them down, then contact the RBL services to remove Wayne Connect’s entry.
- The RBL services wait several days to process the request, to make sure that the spam has truly stopped.
- Email resumes flowing again after Wayne Connect is removed from the RBL services.
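The lookup behind the step where email providers check the RBL, written from the point of view of a mail administrator monitoring their own relay. This is an added example, not part of the original post: the relay address, the second zone and the canned resolver data are constructed, and `bl.spamcop.net` is SpamCop's public lookup zone.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's DNS zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if malformed
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A records for name via the local resolver; [] when there is no such name."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check_listing(ip, zones, resolve=system_resolver):
    """Map each zone to the return codes it publishes for ip ([] means not listed)."""
    status = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Listings are answered from 127.0.0.0/8; ignore anything else, such as
        # a resolver that rewrites "no such name" into a search-page address.
        status[zone] = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
    return status

# Constructed data: a documentation-range relay address and a canned resolver,
# so the example runs offline. Drop the resolve= argument to query real DNS.
RELAY_IP = "192.0.2.25"
ZONES = ["bl.spamcop.net", "dnsbl.example"]  # second zone is hypothetical
CANNED = {"25.2.0.192.bl.spamcop.net": ["127.0.0.2"],
          "25.2.0.192.dnsbl.example": ["203.0.113.80"]}

def demo():
    return check_listing(RELAY_IP, ZONES, resolve=lambda n: CANNED.get(n, []))

if __name__ == "__main__":
    for zone, codes in demo().items():
        print(zone, "LISTED " + ",".join(codes) if codes else "not listed")
```

Run on a schedule against the addresses of your own outbound relays, a check like this surfaces a listing before users start reporting bounces.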
As you can see, even if just a few people are victimized by spammers, it can spell trouble for many other Wayne Connect users. You can help by being vigilant when handling your email. Here are some good tips to remember (adapted from Microsoft’s Safety & Security Center):
- Before you click, preview a link’s web address. Move your mouse pointer over a link without clicking it. The address should appear on the bottom bar of your web browser. Official Wayne State web addresses always end in wayne.edu
- Check the spelling. Spammers often use deliberate, easily overlooked misspellings to deceive users. Examples that we have seen include wanye.edu and waney.edu
- Carefully evaluate contact information in email messages. Watch out for spelling errors or a missing phone number. One recent phish used the non-existent email address firstname.lastname@example.org, which looks legitimate, but no phone number was provided.
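The first two tips can be automated in a mail filter or reporting tool. The following is an added example, not part of the original post: it treats a link as official only when `wayne.edu` is the whole host or follows a dot, and flags near-misspellings such as the two seen above. The sample links are constructed, and the distance threshold of 2 is an assumption.

```python
from urllib.parse import urlsplit

OFFICIAL = "wayne.edu"  # the ending the tip above gives for official addresses

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_link(url):
    """Return 'official', 'lookalike' or 'other' for the host a link points to."""
    # urlsplit() lowercases the host and strips any user@ prefix and port.
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Official only when wayne.edu is the whole host or follows a label boundary.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    registrable = ".".join(host.split(".")[-2:])  # last two labels, enough for .edu
    # Lookalike: the official name embedded elsewhere in the host, or a
    # registered name within two edits of it (threshold is an assumption).
    if OFFICIAL in host or 0 < osa_distance(registrable, OFFICIAL) <= 2:
        return "lookalike"
    return "other"

# Constructed sample links; only the two misspelled domains come from the post.
SAMPLES = [
    "https://www.wayne.edu/",
    "http://wanye.edu/verify",
    "http://login.waney.edu/",
    "https://notwayne.edu/",
    "http://wayne.edu.account-check.example/",
    "https://wayne.edu@198.51.100.7/reset",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):9} {link}")
```

The last three samples show why a plain "ends in" or "contains" test is not enough: the host must be parsed out of the link first, and the match must fall on a dot.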
If you have found a phish — report it! Just follow these simple instructions on WSU’s IT Knowledgebase.
If you’re in doubt, just leave the email message alone and contact the C&IT Help Desk 313-577-4778.
If you want to learn more ways to identify phish, check out our Is an email legitimate? guide.
Got questions? Post them below!
I was fortunate enough to be able to talk today on WDET-FM about the recent Yahoo! Voices account compromise, as well as other recent scamming trends and some simple tips on how you can make your passwords harder for intruders to guess. Take a listen:
On July 12, 2012, over 450,000 clear-text passwords were disclosed in relation to Yahoo! Voices accounts. The datafile containing this information is circulating throughout the Internet, and multiple media outlets are reporting on this situation:
You can check to see if an email address you have registered with Yahoo! Voices was part of the data breach:
If you find your email address while searching the above site, it is strongly recommended that you change your passwords *immediately*. This information is public and can be used by anyone at any time. While the above website is courteous enough to not display the disclosed password, any individual can download the datafile and view it unhindered. Hackers frequently will use credentials from one system to social engineer their way into other systems, so no account is too insignificant.
Recently, I got a chance to speak with Craig Fahle on WDET-FM about recent computer security issues occurring here on campus. We discussed an interesting “phishing expedition” recently perpetrated around Wayne State and what you can do to make your information safer:
C&IT’s security staff learned about a new form of phishing that has been spotted at several universities, and we want you to be aware of the technique that the Bad Guys are using.
A small number of people at multiple sites are getting physical mail, not email, indicating a possible security issue they should be aware of. Details are supposedly included on an enclosed DVD. Individuals targeted range from upper management to researcher/student assistant. Nobody is safe.
The DVD contains an executable you are supposed to run that contains the details. In reality it contains a trojan horse that snaps a screenshot every few seconds and uploads it to a remote command/control site. The malware runs as the user, and isn’t picked up by antivirus.
If you receive such a package, please get in contact with C&IT as soon as possible. DO NOT insert the DVD into your system. If you have any questions, please contact the C&IT Help Desk at 313-577-4778 or email@example.com