(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Just how bad is 'Heartbleed'?
Business Spectator
According to Ty Miller, founder and CEO of infosec firm Threat Intelligence, there may be up to 117,000 vulnerable web servers using a vulnerable version of SSL. Miller adds that the actual number of vulnerable systems will be far greater since this ...

Apple began to lay out its $2.2 billion damages claim against Samsung Electronics for the first time on Tuesday, arguing to an eight-person jury in California that Samsung's alleged patent infringement was large and significantly damaged Apple.
Intel and SGI have been testing a supercomputer that's kept cool by submerging the electronics completely in fluid, a system they say can dramatically reduce energy bills.

Cimcor to Sponsor & Attend Central Ohio ISSA Information Security Summit
Insurance News Net (press release)
InfoSec Management Cimcor has a long history of supporting information security organizations such as ISSA. According to Mike Moskalick , regional sales manager for CimTrak, "we actively seek to partner with organizations such as the ISSA. They provide ...


For more than two years, the Internet's most popular implementation of the Transport Layer Security (TLS) protocol has contained a critical defect that allowed attackers to pluck passwords, authentication cookies, and other sensitive data out of the private server memory of websites. Ars was among the millions of sites using the OpenSSL library, and that means we too were bitten by this extraordinarily nasty bug.

By mid morning Tuesday, Ars engineers already updated OpenSSL and revoked and replaced our site's old TLS certificate. That effectively plugged the hole created by the vulnerability. By installing the OpenSSL update, attackers could no longer siphon sensitive data out of our server memory. And although there's no evidence the private encryption key for Ars' previous TLS certificate was compromised, the replacement ensured no one could impersonate the site in the event hackers obtained the key.

With Ars servers fully updated, it's time to turn our attention to the next phase of recovery. In the hours immediately following the public disclosure of the so-called Heartbleed vulnerability, several readers reported their Ars accounts were hijacked by people who exploited the bug and obtained other readers' account passwords. There's no way of knowing if compromises happened earlier than that. Ars has no evidence such hacks did occur, but two years is a long time. There's simply no way of ruling out the possibility.


It's not uncommon for ERP projects to take longer and cost more money than initially planned, but neither outcome ended up being on the menu for fast-food giant Wendy's recent Oracle E-Business Suite upgrade.
This month's "Patch Tuesday" includes the final round of security fixes Microsoft will issue for Windows XP, potentially leaving millions that continue to use the OS open to attack.
Since news of the OpenSSL bug started to spread on Monday, administrators and vendors have made a mad scramble to patch the Heartbleed bug, named for the flawed implementation of the heartbeat option in the cryptographic library.
PrestaShop Socolissimo Module Multiple Cross Site Scripting Vulnerabilities
WordPress CMS Tree Page View Plugin 'cms_tpv_view' Parameter Cross Site Scripting Vulnerability
Apache Tomcat CVE-2013-4322 Incomplete Fix Denial of Service Vulnerability

Overview of the April 2014 Microsoft patches and their status.

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating (**) | ISC rating (*) clients | ISC rating (*) servers |
|---|---|---|---|---|---|---|
| MS14-017 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (Replaces MS14-001) | Microsoft Word | KB 2949660 | | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS14-018 Cumulative Security Update for Internet Explorer (Replaces MS14-012) | Internet Explorer | KB 2950467 | | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS14-019 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (Replaces MS12-081) | | KB 2922229 | | Severity: Important, Exploitability: 1 | Important | Important |
| MS14-020 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (Replaces MS13-042) | Microsoft Publisher | KB 2950145 | | Severity: Important, Exploitability: 1 | Important | Important |
We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of all the ratings Microsoft assigns, because Microsoft attaches too many separate ratings to some of the patches to list them all.



-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Several U.S. lawmakers on Tuesday urged the nation's attorney general to curtail the National Security Agency's collection of overseas electronic communications, saying President Barack Obama's promise to revamp a surveillance program focused on U.S. telephone records didn't go far enough.
Adobe Flash Player Use After Free Remote Code Execution Vulnerability
[SECURITY] [DSA 2897-1] tomcat7 security update
LinuxSecurity.com: A vulnerability in Crack might allow remote attackers to execute arbitrary code.
LinuxSecurity.com: A use-after-free error in OptiPNG could result in execution of arbitrary code or Denial of Service.
LinuxSecurity.com: A malicious server could bypass OpenSSH SSHFP DNS record checking.

Lest readers think "catastrophic" is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet's Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.

The two-year-old bug is the result of a mundane coding error in OpenSSL, the world's most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. The result of a missing bounds check in the source code, Heartbleed allows attackers to recover large chunks of private computer memory that handle OpenSSL processes. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website's entire cryptographic certificate.

Underscoring the urgency of the problem, a conservatively estimated two-thirds of the Internet's Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping. Many more e-mail servers and end-user computers rely on OpenSSL to encrypt passwords, e-mail, instant messages, and other sensitive data. OpenSSL developers have released version 1.0.1g that readers should install immediately on any vulnerable machines they maintain. But given the stakes and the time it takes to update millions of servers, the risks remain high.


LinuxSecurity.com: New openssl packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Multiple Information Disclosure vulnerabilities in OpenSSL allow remote attackers to obtain sensitive information via various vectors.
LinuxSecurity.com: Multiple vulnerabilities in Mesa could result in execution of arbitrary code or Denial of Service.
LinuxSecurity.com: Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
LinuxSecurity.com: USN-2124-1 introduced a regression in OpenJDK 6.
LinuxSecurity.com: OpenSSL could be made to expose sensitive information over the network,possibly including private keys.
LinuxSecurity.com: Multiple vulnerabilities have been found in OpenAFS, worst of which can allow attackers to execute arbitrary code
LinuxSecurity.com: Security Report Summary
HP SiteScope 'loadFileContents' SOAP Request Remote Code Execution Vulnerability
Microsoft Word CVE-2014-1761 Remote Memory Corruption Vulnerability
Linux Kernel 'handle_rx()' Function Denial of Service Vulnerability
HP Application Information Optimizer CVE-2013-6203 Remote Code Execution Vulnerability
BlackBerry Z 10 - Buffer Overflow in qconnDoor [MZ-13-05]
Microsoft will deliver the much-awaited update to Windows 8.1 Tuesday, and with it comes a packed goody bag of treats for laptop and PC users.
More inexpensive Android tablets with prices from US$129 to $249 are coming from Lenovo.

SANS's lead author Dr. Eric Cole to be honoured at Infosecurity Europe 2014
On 1st May at 10:00am, Dr. Cole will offer a presentation at the InfoSec Europe “Keynote Theatre” which will provide a candid view of the current state of the industry and emerging threat landscape. In addition, Dr. Cole is available to the press and ...

Apple QuickTime CVE-2014-1251 Remote Buffer Overflow Vulnerability
Novell ZENworks Configuration Management CVE-2013-3706 Directory Traversal Vulnerability
Launched in October 2001, today (really) marks the end of support for the Windows XP operating system. As the 12+ year run of Windows XP comes to an end, it holds some curious lessons.

It's finally here. After 12 years, 6 months, and 12 days on the market, Windows XP has hit its end of life. It will receive its last ever set of patches on Windows Update today (or "Woo" as Microsoft remarkably pronounces it internally), and for the most part, that will be that. Any flaws discovered from now on—and it's inevitable that some will be discovered—will never be publicly patched.

How bad is this going to be? It's probably going to be pretty bad. By some measures, about 28 percent of the Web-using public is still using Windows XP, and these systems are going to be ripe for exploitation.

While we can hope that personal firewalls and NAT systems will prevent any kind of Code Red or Nimda-style self-propagating worm from infecting these systems, exploitation through the likes of malicious e-mail attachments, Office documents, USB keys, and browsers is inevitable.


[SECURITY] [DSA 2896-2] openssl security update
Windows 8.1 users have a narrow window to upgrade to Windows 8.1 Update, the refresh that begins rolling out to customers today, to continue receiving future bug fixes, patches and enhancements.
If you thought you'd spend part of today signing up to attend this year's Google I/O, think again.
Cue the hyperbole and clapping monkeys. Today brings news to the screens of security folks the world over that OpenSSL has an OMG ZERO DAY AUUGGGGGHHHHH...oh, wait, there's a fix.
Google is looking to push its wearable computer Glass into the enterprise.
The Micro is being touted by its inventors as the first true mainstream 3D printer; apparently, people donating to the Kickstarter project agree.
Ever wish you could get your hands on the software that NASA used to launch its Apollo lunar missions or to get robots working on Mars? If so, NASA has something for you.
Multiple FRITZ!Box Products Unspecified Security Bypass Vulnerability
Computer security experts are advising administrators to patch a severe flaw in a software library used by millions of websites to encrypt sensitive communications.
In large-scale organizations, implementing mobile device management (MDM) is typically a given. After all, with so many employees using mobile devices that either contain or connect to sources of sensitive information, there needs to be some way to keep everything in check. But what about those companies that aren't big enough to afford an MDM implementation and a full-sized IT department to manage it? Without a means to centralize the control of mobile devices, how can these smaller companies protect their data?
Today's the day: Microsoft will serve up its final public patches for Windows XP, the aging OS that's been around since 2001.
In an attempt to block email spoofing attacks on yahoo.com addresses, Yahoo began imposing a stricter email validation policy that unfortunately breaks the usual workflow on legitimate mailing lists.
OpenSSL TLS 'heartbeat' Extension Information Disclosure Vulnerability
RARLAB WinRAR File Extension Spoofing Vulnerability
Open-Xchange Security Advisory 2014-04-08

(this article is work in progress and will be updated as we have new information. Also see the comments for links to signatures and other information provided by readers)

We decided to go to Infocon Yellow to alert readers of this vulnerability.

For those of you using OpenSSL 1.0.1 (most recent Unix systems), it is critical that you patch the openssl library, as well as binaries compiled statically with openssl, as soon as possible. [1] 

The attack will allow a remote attacker to read up to 64kBytes of system memory from your system per attack attempt. The attack works against servers as well as against clients. While not all software using SSL necessarily uses the OpenSSL library, many do. (see our prior diary)

A proof of concept exploit has been made available and I have tested it. It can be used to remotely scan for vulnerable systems. [1] We have not yet detected widespread use of the exploit, but it is literally hours old. At this point, we don't think the vulnerability was known in the underground before the official release, but it is possible.

What should you do first:

Check if you are vulnerable. "openssl version -a" will return the version information. If your version is 1.0.1, you MAY be vulnerable. Only version 1.0.1g is NOT vulnerable. Other major versions (0.9x, 1.0.0 ...) are not vulnerable. 

Rule of thumb: If you are using OpenSSL, and if you are supporting TLS 1.2 (check ssllabs.com), then you are vulnerable unless patched.

If I am vulnerable, what should I do:

Patch! Ubuntu, CentOS and others have patches available. OS X Mavericks has NO PATCH available. Windows is likely not vulnerable, but if you are running open source software like Apache that uses OpenSSL, then you may be vulnerable.

You may want to consider replacing SSL certificates if you are afraid that the exploit was already used against your site. But the exploit is not limited to the secret SSL key. All data in memory is potentially at risk.

Can I test remotely?

The PoC exploit above can be used to scan your network remotely.

How Can I Tell if Someone is Using the Exploit Against Me?

We don't have IDS signatures (yet... wait for updates here). There is no log entry in your web server log as the exploit happens after the SSL session is established, and before the HTTP request is sent.

nginx, after being patched, logs the following from the PoC exploit:

2014/04/08 12:37:18 [info] 4151#0: *724561 peer closed connection in SSL handshake while SSL handshaking, client:, server:
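Two of the checks this diary describes, as an added example (not the diary's, OpenSSL's or nginx's code): the "openssl version" rule of thumb, and a record-level check for a heartbeat whose declared payload_length exceeds what the record actually carries, which is the malformed shape the missing bounds check failed to reject and the shape an IDS signature for this bug would look for. The heartbeat layout follows RFC 6520; the banners and records are constructed samples, not captured traffic.

```python
import re
import struct

# Matches the first line of "openssl version -a", e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")

def banner_may_be_vulnerable(banner):
    """Apply the diary's rule of thumb to an 'openssl version' banner.

    Base version 1.0.1 with a letter suffix below 'g' (1.0.1, 1.0.1a .. 1.0.1f)
    MAY be vulnerable; 1.0.1g and the other branches (0.9.x, 1.0.0) are not.
    Distribution packages often backport the fix without changing the letter,
    so True means 'confirm against your vendor advisory', not 'confirmed hole'.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    base, letter = m.groups()
    return base == "1.0.1" and letter < "g"

TLS_HEARTBEAT = 0x18   # TLS record content type for the heartbeat extension
MIN_PADDING = 16       # RFC 6520: every HeartbeatMessage carries >= 16 bytes of padding

def heartbeat_record_oversized(record):
    """Return True if a TLS heartbeat record claims more payload than it carries.

    record: raw bytes of one TLS record (5-byte header followed by the fragment).
    A HeartbeatMessage is type (1) + payload_length (2) + payload + padding, so the
    record is only well formed if 3 + payload_length + 16 <= record length. This is
    the bounds check the vulnerable OpenSSL skipped before copying payload_length
    bytes of its own memory back to the peer; a correct peer silently discards it.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return False
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return True          # not even type + payload_length fit in the fragment
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    return 3 + payload_len + MIN_PADDING > rec_len

# Constructed sample records.
# Well-formed TLS 1.2 heartbeat request: 4-byte payload "ping" plus 16 bytes of padding.
BENIGN_HEARTBEAT = (
    b"\x18\x03\x03" + struct.pack("!H", 3 + 4 + 16)
    + b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16
)
# Three-byte fragment declaring a 65535-byte payload: the 64 kByte read the diary describes.
OVERSIZED_HEARTBEAT = b"\x18\x03\x03" + struct.pack("!H", 3) + b"\x01" + struct.pack("!H", 0xFFFF)
# Ordinary application-data record; not a heartbeat, so never flagged.
APPDATA_RECORD = b"\x17\x03\x03" + struct.pack("!H", 5) + b"hello"

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_HEARTBEAT), ("oversized", OVERSIZED_HEARTBEAT),
                      ("appdata", APPDATA_RECORD)]:
        print(name, "oversized heartbeat:", heartbeat_record_oversized(rec))
    print("1.0.1e may be vulnerable:", banner_may_be_vulnerable("OpenSSL 1.0.1e 11 Feb 2013"))
```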


[1] http://heartbleed.com
[2] http://s3.jspenguin.org/ssltest.py

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

In-flight Internet access provider Gogo is working on a service that will increase the maximum data speed on planes to 70Mbps.
[SECURITY] [DSA 2896-1] openssl security update
[security bulletin] HPSBST02980 rev.1 - HP Array Configuration Utility, HP Array Diagnostics Utility, HP ProLiant Array Diagnostics and SmartSSD Wear Gauge Utility Running on Linux, Local Elevation of Privilege
IBM Platform Symphony Developer Edition Privilege Escalation Vulnerability
Bluetooth Text Chat v1.0 iOS - Code Execution Vulnerability
Employees can unintentionally share more than their employers want anyone to know.
Samsung Electronics on Tuesday warned that it would post a drop in operating profit during the first quarter of 2014.
A jury in Florida has decided in favor of BlackBerry in a patent dispute with NXP.
China is requiring Microsoft and Nokia to make promises on fair patent use, fearing that the proposed acquisition between the two companies could spell trouble for the nation's Android device makers.
The Fluke Networks LinkSprinter makes on-the-fly network testing quick, easy, and more affordable than ever
OpenAFS Multiple Remote Security Vulnerabilities
OpenAFS CVE-2013-1795 Remote Integer Overflow Vulnerability

You can play Flappy Bird on a POINT OF SALE TERMINAL
Mobile Point of Sale (MPOS) devices can be easily hacked and leave banks and retailers wide open to fraud, warn infosec researchers. Security researchers from MWR InfoSecurity, the same security firm that researched serious vulnerabilities in chip-and ...


Posted by InfoSec News on Apr 08


By Dan Goodin
Ars Technica
April 7, 2014

Researchers have discovered an extremely critical defect in the
cryptographic software library an estimated two-thirds of Web servers use
to identify themselves to end users and prevent the eavesdropping of
passwords, banking credentials, and other sensitive data.

The warning about the...

Posted by InfoSec News on Apr 08


The New York Times
APRIL 7, 2014

SAN FRANCISCO -- They came in through the Chinese takeout menu.

Unable to breach the computer network at a big oil company, hackers
infected with malware the online menu of a Chinese restaurant that was
popular with employees. When the workers browsed the menu, they
inadvertently downloaded code that gave the...

Posted by InfoSec News on Apr 08


By Shimon Cohen
Arutz Sheva

The threatened #opisrael cyber-attack turned out to be a dud - but Israel
does not have enough manpower to ward off a major cyber-attack.

Dr. Michael Orlov, head of the cyber-engineering department of Shamoon
College Engineering in Be'er Sheva, explained the problem to Arutz Sheva

As Orlov explained, the hacking projects against Israel...