Monthly Archives: April 2014
Microsoft issues emergency security advisory for Internet Explorer exploit
On Monday, April 28th, 2014, Microsoft released Security Advisory 2963983 regarding an issue that impacts Internet Explorer. At this time, we are only aware of limited, targeted attacks. This security issue allows remote code execution if users visit a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.
Microsoft’s initial investigation has revealed that Enhanced Protected Mode, on by default for the modern browsing experience in Internet Explorer 10 and Internet Explorer 11 will help protect against this potential risk. Microsoft also encourages users to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additionally, everyone should exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. Additional information can be found at www.microsoft.com/protect.
Here is the information you need to know.
1. All versions of IE 6 through 11 for Windows are affected.
2. No patch is available as of today (4/28/14)
What Can I Do?
1. Do not use Microsoft’s IE (Internet Explorer) on any machine you may currently have.
2. Use an alternative browser such as Firefox.
3. When the patch is issued, it will NOT apply to XP users!
4. If you are an XP User, you should use an alternative browser-forever!
5. Think seriously about upgrading or replacing those Windows XP machines.
With the end of support for Windows XP earlier this month, we believe this is just the first of many attacks that will be targeting Windows XP.
Microsoft typically releases security patches on the first Tuesday of each month, what’s known as Patch Tuesday. The next one is Tuesday, May 6th – whether or not Microsoft will release a patch for this
vulnerability before than is still unknown. In any case – there will not be a patch released for Windows XP users.
Symantec is offering XP users a tool to protect yourself from this vulnerability which it has made available on its blog:
Please note that recommendations and quick fixes, such as the one provided above by Symantec, may not be possible for future vulnerabilities. We recommend that unsupported operating systems, such as Windows XP, be replaced with supported versions as soon as possible.
Here are three articles with additional information.
As we hear more complaints about government surveillance, companies like Google openly collect our data. If you aren’t careful, every time you log on, all your activity could be up for grabs.
Google confirmed this past week what many people had assumed all along: even if you’re not a Gmail user, your email to someone who does use their services will be scanned by the all-seeing search giant and the advertising company’s increasingly smart machines. The company has officially updated their terms of service to read:
– Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
In the consolidated multi-district litigation brought by users in the U.S. District Court for the Northern District of California, San Jose division, the users alleged that Google had violated state and federal wiretapping laws by scanning the content of messages sent through Gmail, to serve ads to users among other things.
The court case in California over Google’s interception of email, District Judge Lucy H. Koh said that Google’s terms of service and privacy polices did not explicitly notify the plaintiffs “that Google would intercept users’ emails for the purposes of creating user profiles or providing targeted advertising.” Google’s decision to change its terms of service may have been prompted by these comments.
Always keep in mind that simply by using any of their free services (Gmail, Google search and your Google account) you are automatically agreeing to their current terms of service and authorizing them to do as they please with the data they collect.
This also applies to data or files you upload or transfer via their services according to this TOS addendum:
– Some of our Services allow you to upload, submit, store, send or receive content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.
When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.
If you’d like to see what Google can and will do about collecting personal data, here’s a link to their new terms of service:
The “Heartbleed” security bug has caused a great deal anxiety for people and businesses. Now, it appears that the computer bug is affecting not just websites, but also networking equipment including routers, switches and firewalls.
The extent of the damage caused by Heartbleed is sstill unknown. The security hole exists on a vast number of the Internet’s Web servers and went undetected for more than two years. Although it’s conceivable that the flaw was never discovered by hackers, it’s difficult to tell.
There isn’t much that people can do to protect themselves completely until the affected websites implement a fix. And in the case of networking equipment, that could be quite a while. Tech giants Cisco and Juniper have identified about 2 dozen networking devices affected by Heartlbeed including servers, routers, switches, phones and video cameras used by small and large businesses everywhere
Here are three things you can do to reduce the threat:
— Change your passwords. This isn’t a fool-proof solution. It’ll only help if the website in question has put in place the necessary security patches. You also might want to wait a week and then change them again.
— Worried about the websites you’re surfing? There’s a free add-on for the Firefox browser to check a site’s vulnerability and provide color-codes flags. Green means go and red means stop. You can download it here: https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker/
— Check the website of the company that made your home router to see if it has announced any problems. Also be diligent about downloading and installing and software updates you may receive.
The Heartbleed bug isn’t a “virus” but a security flaw. The bug can be tested for to see whether it affects a certain website. You can perform your own test here: https://filippo.io/Heartbleed