When it comes to computer security news, the past month or so has been pretty jam-packed. Following are more noteworthy security news stories you might have missed.
Multiple Adobe Updates – And Lack Thereof for Shockwave
Windows XP Zero-day Vulnerabilities
Since Microsoft officially ended support for the nearly 13-year-old desktop operating system on April 8th, new vulnerabilities affecting Windows XP have come to light.
The first was a zero-day remote code execution vulnerability (CVE-2014-1776) affecting every version of Internet Explorer from IE 6 all the way up to the then-current IE 11. Microsoft begrudgingly shipped an out-of-band patch on May 1st and, despite the end of support, made it available to Windows XP users as well. The updates can be downloaded from Microsoft’s site.
Included amongst May’s second-Tuesday patches on May 13th was a security update (MS14-029) fixing two further remote code execution vulnerabilities (CVE-2014-0310 and CVE-2014-1815) in IE 6 through 11. In this case, however, Microsoft opted not to patch the issues for the Windows XP versions of Internet Explorer.
According to NIST’s National Vulnerability Database, CVE-2014-1815 has already been exploited in the wild. And since Microsoft has no plans to patch any more vulnerabilities for XP, this seems to be the first of many “perpetual zero-days”: vulnerabilities in Windows XP that are being exploited in the wild and for which a patch will never ship.
If you run Windows XP on your Mac (in Boot Camp or a virtual machine), or if you know someone who still has an old PC running XP, you can mitigate this issue to some degree by setting Chrome or Firefox as the default browser and making sure the user knows not to use Internet Explorer anymore. Keep in mind that this only reduces the exposure: changing the default browser does not remove the IE rendering engine, which other programs on the system can still load, so the machine should also be kept off untrusted networks and away from untrusted files. More vulnerabilities affecting XP will continue to be discovered, so the better solution is to upgrade to a supported version of Windows or replace old computers that are still running XP.
iOS 7.1.1 Reportedly Not Encrypting E-mail Attachments
The report that iOS 7.1.1 leaves e-mail attachments unencrypted is significant because Apple specifically claims, “When you use a passcode, it automatically encrypts and protects your email and third-party apps.”
Of course, if an attacker already knows or can easily guess your passcode, or if you use no passcode at all, the attachments are the least of your worries: anyone with the device in hand can see them and has complete access to everything else on the device anyway.
If you’ve got an iPhone 4 and you’re concerned about this issue, an Apple spokesperson told CNET that a fix is in the works, although no specific timeframe has been announced.
Multiple Apple Updates
• OS X Mavericks version 10.9.3
• iTunes 11.2 and then 11.2.1
• OS X Server 3.1.2 (which fixes a Ruby vulnerability)
• Safari 6.1.4 and 7.0.4
See our previous coverage, and patch your Macs as necessary (as well as Windows PCs with iTunes).
Heartbleed Still Affects 300,000 Servers
• Heartbleed OpenSSL bug: FAQ for Mac and iOS users
• Heartbleed Threat Alert Update
On May 8th, about a month after the Heartbleed problem became widely known, Robert Graham of Errata Security scanned the Internet on port 443 to find out how many HTTPS servers were still vulnerable. He found that the number of Heartbleed-affected servers had dropped by half, from about 600,000 to about 300,000, since his first scan a month earlier.
Although it’s great that the number of affected servers has decreased substantially, it’s also rather disconcerting that so many servers remain affected a full month after a fix was available.
Graham points out that he scanned only port 443 and not the other ports on which TLS is commonly spoken. Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) servers that are built on OpenSSL, whether they use TLS directly (ports 465 and 993) or upgrade a plaintext connection with STARTTLS (ports 25, 587 and 143), were therefore not counted and may also still be affected by Heartbleed.
If you’re still concerned about how Heartbleed might have impacted you, I’ve compiled lists of some major sites that were confirmed to be affected by Heartbleed or were likely affected given available evidence. Although certainly not comprehensive, these lists include some original research of my own that hasn’t been published anywhere else. I’ve also included links to several sites that you can use to check the Heartbleed status of servers you access, including Secure IMAP and SMTP servers.