New Critical Vulnerabilities for Internet Explorer & Flash

Microsoft has revealed that a new vulnerability has been discovered in all versions of Internet Explorer.  Specifically, malicious code can run on your computer if you use Internet Explorer (versions 6 through 10) and visit malicious web content.  Microsoft is actively working on a security patch, which should be available in a few days.  In the interim, refrain from using Internet Explorer when browsing to unknown or unfamiliar websites.  The US Department of Homeland Security is also recommending that a different browser be used until a security patch is delivered.

While these vulnerabilities are not new, this part is: Windows XP WILL NOT have a fix for this.  If you are still running Windows XP, your computer will be vulnerable to the end of time and there is no way to properly secure yourself.  Microsoft will not be providing any further support for Windows XP, so if you are still running it, today should be a sign that you should upgrade as soon as possible.

More information:
https://technet.microsoft.com/en-us/library/security/2963983.aspx
http://gizmodo.com/new-vulnerability-found-in-every-single-version-of-inte-1568383903
http://mashable.com/2014/04/27/microsoft-web-browser-security-bug-could-impact-millions-of-users

But wait, there’s more!  Unfortunately, we are hit with a double whammy today.  Adobe just came out with a critical patch for yet another zero-day vulnerability, completely unrelated to the above IE exploit.  Thankfully, Adobe has a software patch available to address this issue.  Computers that have Flash (and whose doesn’t?) need to have it updated immediately.  You can check your current version of Flash – and update it as well – at the following site: http://helpx.adobe.com/flash-player.html

More info regarding the Adobe exploit:
http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks

Nasty Internet-Wide Vulnerability

Last night, a new server vulnerability was disclosed on the Internet that is sending shockwaves and causing large amounts of frustration and pain around the world.  Certain versions of OpenSSL, which is used to encrypt web traffic, have been discovered to have a gaping security hole that can allow a remote attacker to read the memory of a vulnerable server.  This attack can be performed remotely and without any authentication whatsoever.  More information regarding this critical vulnerability can be found at:

http://www.kb.cert.org/vuls/id/720951
http://heartbleed.com/

Wayne State C&IT became aware of this issue late last night, and immediately began an analysis to see how much of our computing environment was affected and what the potential risk would be.  Thankfully, no critical systems (Banner, Wayne Connect, Blackboard, Pipeline, WiFi, Academica) are currently at risk.

Centrally-managed servers have been addressed and/or patched at this point.  Other system administrators, including persons supporting hosted systems, have also been contacted to ensure their applications are up to date and secure.  We are running periodic scans of our computing environment to discover any systems which may need additional assistance.

We are continuing to monitor the progress of these events, and will keep the community informed of any developments.