Tag: network security

Patch Tuesday for March 2015

It’s Patch Tuesday again for all Windows sysadmins and this month’s delivery includes more fixes than usual.

Microsoft’s security bulletin lists 14 individual fixes, including a fix for the recently discovered “FREAK” vulnerability. Of the 14 fixes, 5 are rated Critical and the rest are rated Important.

Also included are fixes for issues in Internet Explorer, the VBScript scripting engine, a flaw in an Adobe font driver bundled with Windows, and issues in Microsoft Office. All of these could result in remote code execution, so it’s vital that Windows-based systems are patched as soon as possible.

“FREAK” Vulnerability (CVE-2015-0204): Pretty Much All Systems are Exposed

New Internet Security Flaw Discovered

The list of flaws in trusted security algorithms has grown again with the recent announcement of the “FREAK” (Factoring Attack on RSA-EXPORT Keys) vulnerability, also known as CVE-2015-0204.

First reports confirmed that many OpenSSL implementations contained the flaw and today Microsoft issued Security Advisory 3046015 confirming that all versions of Windows are vulnerable.

Where Did The FREAK Vulnerability (CVE-2015-0204) Come From?

The details of the vulnerability are alarming and largely due to flawed federal policies on encryption dating back to the 1990s. Around that time, products like PGP (Pretty Good Privacy) were starting to see wider distribution, and U.S. officials responded by passing laws to control the export of any product that included high-grade encryption. It was a futile effort, and the battle was eventually won by crusaders such as Phil Zimmermann.

Some would even say there is a darker side to government efforts on the control and distribution of encryption technology:
