Entries with tag computer security.

Google Responds to Heartbleed Flaw with BoringSSL

Problems associated with the Heartbleed Internet-security vulnerability discovered earlier this year continue, with hundreds of thousands of servers still running unpatched versions of the open-source OpenSSL cryptographic library. To address these concerns, Google announced it is developing BoringSSL, a fork of OpenSSL, which is an open source implementation of the Secure Sockets Layer and Transport Layer Security protocols. Researchers discovered a flaw in OpenSSL that attackers could exploit to read an application’s memory, including sensitive data and private encryption keys. Google is developing BoringSSL, rather than just patching OpenSSL, because it can no longer keep up with all the patches it maintains. “As Android, Chrome, and other products have started to need some subset of these patches, things have grown very complex,” said Google software engineer Adam Langley. “The effort involved in keeping all these patches straight across multiple code bases is getting to be too much.” The company is now importing changes from OpenSSL into BoringSSL, and Google plans to contribute its BoringSSL code back to the OpenSSL open-source project. The new SSL fork should appear in Google’s Chromium repository soon and in the Android OS after that. (eWeek)(PC World)(Naked Security)(BoringSSL)

New Service Charts Websites’ Security Issues

A new online service offers a public index of websites with known security issues, enabling users to see if a site they visit has a security flaw. Project Un1c0rn (http://un1c0rn.net), developed by a group of independent developers, is a searchable index of 59,000 websites currently, with more to come. It is focusing on problems caused by the Heartbleed OpenSSL vulnerability as well as issues with openly exposed MongoDB and MySQL databases, which the developers say are the sources of the most widespread vulnerabilities because they rely on common tools. The developers are working to make Project Un1c0rn the first peer-to-peer decentralized exploit system, which they say would enable individuals to host their own scanning nodes and let security researchers offer to help with fixes. (SlashDot)(Motherboard)(Project Un1c0rn)

Bug Leaves Linux, Open Source Users at Risk

Security researchers have discovered a new vulnerability in open source software that attackers could exploit to launch malware attacks. Developers have since released a patch for the bug in the GnuTLS cryptographic code library, which could place Linux and other open source software users at risk of problems such as buffer overflow attacks. GnuTLS is an open-source implementation of Internet encryption protocols, including Secure Sockets Layer, Transport Layer Security, and Datagram Transport Layer Security, and is used in various Linux distributions. A compromised server could exploit the vulnerability during the SSL/TLS handshake, crashing vulnerable clients. It could also allow attackers to execute code on the client system. The vulnerability was reported by Joonas Kuorilehto, a principal systems engineer at Codenomicon, the same vendor of vulnerability-testing tools that found the Heartbleed flaw in the OpenSSL Internet-security library earlier this year. (Ars Technica)(PC World)(Red Hat Bug Tracker)

Microsoft Issues Internet Explorer Patch for Windows XP Users

Despite ending support for Windows XP on 8 April, Microsoft has released a patch for an Internet Explorer (IE) flaw that will work for users of Windows XP, 7, and 8. The fix addresses a security issue for IE versions 6 through 11. According to Microsoft, the vulnerability affects the way IE accesses an object in memory that has been deleted or that has not been properly allocated. It could corrupt memory in a way that lets an attacker remotely execute arbitrary code in a user’s browser. Microsoft is continuing to ask customers using XP to upgrade to a newer Windows version and those using Internet Explorer to move to the latest iteration. (The Associated Press)(GeekWire)(Microsoft Security Response Center)

Microsoft Extends XP Support in China

Microsoft announced it will continue providing security support for Windows XP in China after support for the operating system ends elsewhere on 8 April. In a post on its account on the Sina Weibo microblogging website, Microsoft also asked users to upgrade to the latest Windows version. Windows XP has roughly 57 percent of China’s operating system market, but part of that is attributable to piracy, according to PC World. (PC World)(Computerworld)

Home-Based Wireless Routers Notoriously Insecure

Security experts conclude there are so many potential vulnerabilities in home-based wireless routers that it is best to consider them insecure. The issues came to light following the discovery of problems with Linksys routers, which enabled the TheMoon worm to infect and spread among the home hardware. Security researchers found these types of products are shipped with several other bugs that leave them open to infection, according to SANS Institute Internet Storm Center researchers Kyle Lovett and Matt Claunch. This includes home routers from Linksys, Cisco, and Netgear. Compounding the problem, most consumers don’t know how to properly protect these networks, through which personal and financial information can be sent. In addition to wireless routers, security experts say home networking devices are particularly vulnerable through the Universal Plug and Play protocol. Independent Security Evaluators, a security firm, identified 55 new and undisclosed vulnerabilities in home routers, which led its analysts to conclude that few, if any, home routers could be properly secured. (SlashDot)(Symantec Security Focus)(SANS Institute Internet Storm Center)