Microsoft announces that it has now released an update to fix the bug found in its Internet Explorer (IE) browser a few days ago. The update patches the vulnerability described in Security Advisory 2963983, whereby code could be executed remotely on a victim's computer while they were using Microsoft's Internet Explorer browser. To read more about SA 2963983 and the bug, follow this link: http://www.pccareuk.com/home/2014/04/security-vulnerability-found-in-ie/
Furthermore, in a reversal of Microsoft's stance that Windows XP is end of life and will receive no further support or updates, Microsoft have backtracked and released this fix for the ageing Windows XP platform as well.
This has caused some controversy and some confusion, sending Windows XP users the mixed message that Microsoft will still support their operating system.
Our view at PC Care would be: although Microsoft have allowed this one fix to be rolled out to XP, we doubt very much that they will release any more. The bug discovered in IE affected every version of the browser from 6 through to 11, had been present for some considerable time, and affected Windows XP, Vista, 7, 8 and 8.1. It prompted many users to switch to alternative browsers such as Google Chrome or Firefox if they hadn't already. All of these factors combined (the time the bug had been around, the number of Windows versions affected, the severity of the bug, and the mass migration of users away from Internet Explorer) led Microsoft to a one-time change of heart. We don't believe Microsoft will repeat this, and Windows XP users should not get their hopes up or be under any illusion that it will happen again. XP is dead to Microsoft, and they will want to keep it that way.
Microsoft have recently announced (26/04/14) a serious security vulnerability in its Internet Explorer web browser. It affects versions 6, 7, 8, 9, 10 and 11 of the browser, meaning that anyone running Windows XP, Vista, 7, 8 or 8.1 could be at risk. In Security Advisory 2963983 Microsoft describe a flaw in Internet Explorer whereby an attacker could remotely execute code on a victim's system with the same permissions as the logged-on user. If that user is an administrator, the attacker effectively gains full control of the machine, including the ability to create or take over accounts; accounts set up with fewer rights are less exposed.
Quote from Microsoft Security Advisory Site:
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
As Internet Explorer is the preferred web browser for approximately 25% of web users worldwide, and this flaw spans multiple versions of the popular browser, it is essential for anyone using Internet Explorer to be extra vigilant: make sure you have a good, up-to-date Internet security package installed and all the latest Windows Updates applied. Microsoft's advisory also lists workarounds for people who must keep using IE in the meantime, such as installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET) and, on IE 10 and 11, turning on Enhanced Protected Mode. Otherwise, you can always use an alternative web browser such as Google Chrome or Mozilla Firefox while this issue is being fixed by Microsoft.
As yet there is no patch or update for this vulnerability, but Microsoft says it is investigating the flaw and will undoubtedly have a fix out shortly.
It has recently been discovered that there is a severe vulnerability, known as Heartbleed, in OpenSSL, the software library many web servers use to encrypt sensitive data while it is transmitted.
OpenSSL is an open-source implementation of the SSL/TLS protocols, and is used to encrypt sensitive data travelling between a user's computer and a web server or website. It includes an optional keep-alive feature, the TLS heartbeat extension, which lets either side periodically check that the other is still connected and the connection is alive (just like checking a person's pulse to see if they are alive). The bug is in how OpenSSL handles these heartbeat messages. A heartbeat request states how many bytes of data it carries, and vulnerable versions of OpenSSL (1.0.1 up to and including 1.0.1f) trusted that number without checking it against what had actually arrived. A fraudster or cyber criminal can therefore send a tiny heartbeat that claims to be up to 64 KB long, and the server obligingly replies with the "missing" bytes copied from its own temporary memory, or RAM. Repeating the trick returns sample after sample of whatever the server happened to have in memory at the time, which could include users' passwords, names, addresses, email addresses, credit/debit card numbers, login session cookies, and even the server's own private encryption key. The same flaw works in reverse: a malicious server can read memory from a vulnerable client.
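To make the mechanism above concrete, here is an added simulation (written for this page, not OpenSSL's own code) of how a server handles a heartbeat request. The message layout (a 1-byte type, a 2-byte payload length, the payload, then at least 16 bytes of padding) follows RFC 6520. The "heap" is just a byte array seeded with constructed sample secrets, the length checks in `handle_fixed` mirror the two checks added in OpenSSL 1.0.1g, and the function and variable names are this example's own.

```python
"""Toy model of the OpenSSL heartbeat bug (Heartbleed, CVE-2014-0160).

A TLS HeartbeatMessage (RFC 6520) is laid out as
    type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
OpenSSL 1.0.1 to 1.0.1f copied payload_length bytes into the reply without
checking that the received record was actually that long, so a request that
claims a large payload but sends a tiny one gets back whatever followed the
record in the process heap. Everything here is a simulation with constructed
data; nothing touches a real TLS connection.
"""
import struct
from typing import Callable, Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16        # minimum padding required by RFC 6520
HEAP_SIZE = 0x20000     # simulated heap, big enough to hold a full 64 KiB leak

# Constructed stand-in for data a busy web server leaves lying around in memory.
SECRETS = b"Cookie: session=d3adb33f; POST user=alice&pw=hunter2; card=4111111111111111"


class SimHeap:
    """A flat byte array standing in for the server process heap.

    The incoming TLS record is read into the front of the buffer; the sample
    secrets sit some way behind it, as recently freed or still-live
    allocations would in a real process.
    """

    def __init__(self) -> None:
        self.mem = bytearray(HEAP_SIZE)
        self.mem[0x300:0x300 + len(SECRETS)] = SECRETS

    def receive_record(self, record: bytes) -> int:
        """Copy a received heartbeat record into the buffer; return its real length."""
        self.mem[:len(record)] = record
        return len(record)


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest. claimed_len lets the sender lie about payload_length."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def handle_vulnerable(heap: SimHeap, record_len: int) -> Optional[bytes]:
    """OpenSSL <= 1.0.1f behaviour: trusts payload_length taken from the message."""
    hbtype, payload_len = struct.unpack("!BH", bytes(heap.mem[:3]))
    if hbtype != HB_REQUEST:
        return None
    # Equivalent of memcpy(bp, pl, payload): copies payload_len bytes from
    # where the payload starts, however many bytes the record really carried.
    echoed = bytes(heap.mem[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def handle_fixed(heap: SimHeap, record_len: int) -> Optional[bytes]:
    """OpenSSL 1.0.1g behaviour: the record must really contain the bytes it claims."""
    if record_len < 1 + 2 + PADDING_LEN:             # too short to hold even a header
        return None
    hbtype, payload_len = struct.unpack("!BH", bytes(heap.mem[:3]))
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None                                   # silently discard, as RFC 6520 requires
    echoed = bytes(heap.mem[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def response_payload(resp: Optional[bytes]) -> Optional[bytes]:
    """Pull the echoed payload out of a HeartbeatResponse (None if it was dropped)."""
    if resp is None:
        return None
    _, n = struct.unpack("!BH", resp[:3])
    return resp[3:3 + n]


def probe(handler: Callable[[SimHeap, int], Optional[bytes]],
          payload: bytes = b"A", claimed_len: Optional[int] = 0xFFFF) -> Optional[bytes]:
    """Send one heartbeat to a fresh simulated server and return what it echoes back."""
    heap = SimHeap()
    n = heap.receive_record(build_heartbeat(payload, claimed_len))
    return response_payload(handler(heap, n))


if __name__ == "__main__":
    # An honest keep-alive is echoed by both versions.
    print(probe(handle_vulnerable, b"ping", None), probe(handle_fixed, b"ping", None))
    # A 1-byte payload claiming 65535 bytes: the old code leaks heap, the fix drops it.
    leak = probe(handle_vulnerable)
    print(len(leak), b"pw=hunter2" in leak)
    print(probe(handle_fixed))
```

The honest "ping" request comes back unchanged from both handlers, which is why the bug went unnoticed for so long: normal heartbeats behave normally. Only when the claimed length and the real length disagree does the missing check matter, and then the difference between the two handlers is 65,535 bytes of server memory versus nothing at all.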
What can you do to protect yourself?
I have seen several newspaper articles and supposed advice columns suggesting that everyone should immediately change all their online passwords for all the websites they use. This could potentially be the worst thing you could possibly do! If the server has not yet been updated to a patched version of OpenSSL (1.0.1g or later, or a build with the heartbeat extension disabled), you would be logging into a website that is still vulnerable, and your new password could be read out of the server's memory just as easily as the old one, effectively handing it to the cyber criminals.
If you are concerned about any of the websites you use, do not log in to them until you have checked. The first thing to do is to use an online checker (details of some good checkers are at the end of this post); these will confirm whether a server has been updated to fix the Heartbleed bug. Only if the checking service reports that the website has been patched and is safe should you attempt to log in. Once logged in you can then update or change your passwords and security information. Bear in mind that a site which was vulnerable should also have replaced its SSL certificate, since its private key could have leaked; a patched server still using the old key can still be impersonated. Most commonly used websites have already fixed this bug or are taking steps to do so.
The top websites that were once vulnerable but have since been patched and are reported to be safe to use again are:
5. Yahoo Mail
There are potentially hundreds of thousands of other websites that either were once vulnerable or still are. Just because a website now shows as safe does not necessarily mean that it has always been safe, so it would still be wise to exercise caution and keep a close eye on any social media, bank, webmail and online retail accounts for suspicious activity, purchases or messages.
Good online checkers include:
https://lastpass.com/heartbleed/ – This site will tell you whether a site is currently safe to use, for how long it has been safe, and whether it was once vulnerable. It will then offer recommendations on how you should proceed.
https://filippo.io/Heartbleed/ – This website will check and report if a website should be safe to use. Not as informative as the first but still helpful.
Finally, for Google Chrome users there is a plugin called Stopbleed which will tell you whether the website you are visiting is vulnerable to the Heartbleed bug. Remember, if a site is reported as vulnerable that does not mean it is unsafe to visit, only that you should not enter any personal or sensitive information into it.
Stopbleed can be downloaded and installed into Chrome from here: Download Stopbleed for Chrome.