Nasty Internet-Wide Vulnerability

Last night, a new server vulnerability was disclosed on the Internet that is making shockwaves and causing large amounts of frustration and pain around the world.  Certain versions of OpenSSL, which is used to encrypt web traffic, have been discovered to have a gaping security hole that can allow a remote attacker to read the memory of a vulnerable server.  This attack can be performed remotely and without any authentication whatsoever.  More information regarding this critical vulnerability can be found at:

http://www.kb.cert.org/vuls/id/720951
http://heartbleed.com/

Wayne State C&IT became aware of this issue late last night, and immediately began an analysis to see how much of our computing environment was affected and what the potential risk would be.  Thankfully, no critical systems (Banner, Wayne Connect, Blackboard, Pipeline, WiFi, Academica) are currently at risk.

Centrally-managed servers have been addressed and/or patched at this point.  Other system administrators, including persons supporting hosted systems, have also been contacted to ensure their applications are up to date and secure.  We are running periodic scans of our computing environment to discover any systems which may need additional assistance.

We are continuing to monitor the progress of these events, and will keep the community informed of any developments.

Time to Flee Windows XP

Microsoft and the IT community have been talking about it for months (if not years), but the time is almost here when Windows XP will no longer be supported by Microsoft.  This means no new security updates or patches will ever be created – the final set of updates will be released on April 8, 2014.  After that date, no official support will be provided for problems with Windows XP, and any vulnerabilities discovered will remain unfixed until the end of time.  This is bad news, as any remaining XP systems could be easily exploited by attackers intent on stealing your data or controlling your computer.

If you have a computer that is still running Windows XP, please finalize any plans to upgrade or replace it during the next month.  Information regarding some of your options can be found here:

http://windows.microsoft.com/en-us/windows/end-support-help

Official publications regarding this situation can be found here:

https://www.us-cert.gov/ncas/alerts/TA14-069A-0

Linux GnuTLS Vulnerability

It looks like Apple is not the only big player to have issues with SSL/TLS.  The GnuTLS library is commonly used by Linux systems for secure communications, and a vulnerability (CVE-2014-0092) has been discovered in its certificate verification functions that may allow an attacker to view confidential information without your knowledge or authorization.  This vulnerability has been confirmed on major distributions, including Ubuntu, RHEL, Slackware and Oracle Enterprise Linux.

System administrators should patch or upgrade their computer systems when possible.  This is currently classified as a medium level vulnerability, so while immediate resolution is not necessarily required, please take note and work this into your next upgrade cycle.

More information can be found at the following URLs:
http://www.securityfocus.com/bid/65919
http://www.ubuntu.com/usn/usn-2127-1/
http://rhn.redhat.com/errata/RHSA-2014-0247.html

DNSChanger

Several local and national news outlets have been reporting on the potential consequences of the DNSChanger Trojan recently, and I have fielded several inquiries about what is going on.  Here is a quick rundown on the situation:

DNSChanger is a Trojan family from 2007 that, once it infected a computer, changed the DNS server settings to point to rogue DNS servers run by the malware operators instead of your normal trusted ones.  The idea is that if you control a computer’s DNS settings, you can also control what comes up when the user goes to any particular webpage.  Infected computers were redirected to illicit and virus-riddled websites, propagating the problem even further.

The FBI took this seriously, and in 2011, with the assistance of Estonian law enforcement, arrested the responsible individuals and additionally seized those rogue DNS servers and domains.  They made sure that no more malicious activity was going on, but then they came to the sad realization that the moment those rogue servers are powered down, all the infected computers will be slightly borked, because their configured DNS servers will no longer respond to requests.  Originally slated for shutdown on March 8, the servers will now stay online until July 9 just so that the 100k+ infected computers don’t grind to a standstill.  Meanwhile, they are trying to get the word out for people to check their settings by going to a website such as:

http://dns-ok.us/
http://www.dcwg.org/

More information regarding the DNSChanger Trojan can be found at the following FBI publication:
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

Thankfully, none of those 100,000 infections appear to be here on Wayne State’s campus.  Network logs do not show any DNS traffic going to these malicious servers, and IT Security staff also receive notifications from our ISP (Merit) when they detect DNSChanger traffic.  Perhaps once every two weeks I get a single notification that a student’s laptop on the wireless network is infected, but that is all.
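The two checks described above (looking at a computer's own DNS settings, and looking at network logs for queries sent to the rogue resolvers) can be scripted.  The following is an added example, not a tool from Wayne State C&IT or the FBI; the rogue address ranges are placeholders (documentation-only networks), since the real ranges are not reproduced here, and the log line format is constructed for the example.

```python
import ipaddress
import re

# PLACEHOLDER ranges: substitute the rogue-resolver ranges published by the
# FBI/DCWG.  These are RFC 5737 documentation networks, used only so the
# example runs offline.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_rogue(ip):
    """True if the given resolver address lies inside a rogue-resolver range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_DNS_RANGES)


def check_resolv_conf(text):
    """Return the configured nameservers (resolv.conf syntax) that point at rogue ranges."""
    flagged = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m and is_rogue(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed log format: "<timestamp> <client-ip> -> <resolver-ip>:53 <queried-name>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):53 (\S+)$")


def find_infected_clients(log_lines):
    """Map each client that sent DNS queries to a rogue resolver to the resolvers it used."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        _, client, resolver, _ = m.groups()
        if is_rogue(resolver):
            hits.setdefault(client, set()).add(resolver)
    return hits


# Constructed sample log: one client uses a placeholder rogue resolver, one does not.
SAMPLE_LOG = [
    "2012-04-10T08:01:02 10.1.2.3 -> 192.0.2.10:53 www.example.com",
    "2012-04-10T08:01:05 10.1.2.7 -> 8.8.8.8:53 www.example.com",
    "2012-04-10T08:02:11 10.1.2.3 -> 192.0.2.10:53 bank.example.net",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    print(check_resolv_conf("nameserver 8.8.8.8\nnameserver 192.0.2.10\n"))
    print(find_infected_clients(SAMPLE_LOG))
```

A client that shows up in the result is one whose DNS settings still point at the seized servers and will lose name resolution when they are switched off.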

Thankfully, I do not believe that there will be that large of a negative impact when July 9 rolls around.  The “fix” for cleaning your computer of this is remarkably simple, and can usually be performed without any special tools or software.  Unfortunately, when the news hears that “the government can shut down hundreds of thousands of computers,” rumors and emotions can start to flare pretty quickly.

Adobe Reader/Acrobat Security Update

Adobe has released a critical security update for the Adobe Reader and Acrobat products.  If you can view PDF files, chances are high you may be vulnerable.

To update your computer, check to see if there is a red Adobe icon down in the system tray by your clock.  It may already be trying to tell you to update! Double-click on the icon if it is there, and the following screen will appear:

Simply click “Download” or “Update” and follow the prompts to keep your computer up-to-date.

If there is no red Adobe icon in your system tray, simply launch Adobe Reader or Acrobat, click on the “Help” menu, and select “Check for Updates…”.

When you are done with the update, you will be required to restart your computer.  Timing this with a lunch break (or any kind of break for that matter) is a good way to apply this update with the minimum amount of inconvenience.

A bug was identified where opening a specially crafted PDF file could crash your computer, or run programs without your knowledge.  Technical details regarding the vulnerability can be found at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611