'high' severity OpenSSL and Flash Exploits
Last edited by Bindee on Tue 14 Jul 2015, 12:16, edited 1 time in total.
Thanks Mike. While I tend to agree with your comments, I'm still looking for reasons why folks with *client* only machines shouldn't get excited. I suppose it's just as bad if the client's pkg is updated but the server's isn't.
https://www.ssllabs.com/ssltest/index.html
Hmm, the latest PaleMoon scores well on the browser capabilities test.
>>> Living with the immediacy of death helps you sort out your priorities. It helps you live a life less trivial <<<
In another thread the posters were wondering why some sites failed to open, showing a security warning instead. This is because the end-user had chosen to keep security updates maintained.
As I pointed out, ebay had this problem, and specifically payments servers.
With the link graciously provided above, I ran the SSLTest on the payments server (only). It seems that ebay is running TLS1.0 with weak encryption (128-bit). Very naughty. Rated "C" 50/100. Of course that portal to a payment is really an epic fail with that level of "security".
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
That's a good link for the server requests... slightly OT, but apropos is to check your browser; it seems Logjam affects it. Just go to the main page of the link and select browser.
I patched FF27 in my distros by turning off certain DHE generators.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
http://www.theregister.co.uk/2015/07/07 ... ws_kernel/
Theregister would have you believe that a flash exploit is pretty imminent until you read Microsoft's take on it.
Scary visions
Actually, I am surprised at how it tends to be forgotten that Flash is a 2D vector graphics animator and only later on added the convenience video feature... which never fitted that well due to the nature of how video is handled (RGB vs YUV etc.).
There is some excellent educational stuff out there for starters... and well... great games.
To me there are far more efficient ways of watching videos... even hairy ones...
mike
Porn always seems to be the best way on the web to infect people with flash exploits.
http://www.theregister.co.uk/2015/01/29 ... infection/
A massive malvertising campaign leveraging the recent Adobe Flash zero day vulnerability has surfaced on popular* adult site xHamster, analysts say.
The attack served the Bedep Trojan to the site's 500 million viewers a month through a surreptitious exploit on the landing page.
Flash vulnerability fixed for Windows, OS X and Linux machines
http://www.theregister.co.uk/2015/07/08 ... am_update/
Adobe got their fix out.
Another day, another OpenSSL patch
http://www.zdnet.com/article/another-da ... ssl-patch/
The latest OpenSSL security hole isn't a bad one as these things go. It's no Heartbleed, Freak, or Logjam. But it's serious enough that, if you're running alpha or beta operating systems, you shouldn't delay patching it.
Fortunately, the affected OpenSSL versions are not commonly used in enterprise operating systems. For example, it doesn't impact shipping and supported versions of Red Hat Enterprise Linux (RHEL) or Ubuntu. In the case of Ubuntu, it does affect the 15.10 development release, but the patch is already available.
This problem affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Therefore, OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d and OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p.
The security hole, (CVE-2015-1793), was discovered by Google BoringSSL developers. This is Google's own open-source Secure-Socket Layer (SSL) program. It's not meant to replace OpenSSL as an open-source project because its application programming interface (API) and application binary interface (ABI) aren't stable enough for a universally used security program.
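An added check (not from the thread or the article) that classifies an OpenSSL version string against the releases the quoted article lists for CVE-2015-1793, and applies it to the OpenSSL library the running Python interpreter is linked with, which is what a client-only machine (as in the earlier question) actually uses for TLS; the per-branch ranges assume nothing outside the article's list is affected.

```python
"""Classify OpenSSL versions against CVE-2015-1793 as described in the quoted
ZDNet article: affected 1.0.2b/1.0.2c (fixed in 1.0.2d) and 1.0.1n/1.0.1o
(fixed in 1.0.1p). Added example, not code from the forum or the article."""
import re
import ssl

# Per-branch (first affected letter, first fixed letter), taken from the article.
# Assumption: no other branch or patch level is affected.
AFFECTED = {
    (1, 0, 2): ("b", "d"),
    (1, 0, 1): ("n", "p"),
}

# OpenSSL 1.0.x versions look like "1.0.2c": three numbers plus a letter patch level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letter) from e.g. 'OpenSSL 1.0.2c 12 Jun 2015'.
    The letter is OpenSSL's patch level within a branch ('' < 'a' < 'b' < ...)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def cve_2015_1793_status(text):
    """Return 'affected', 'fixed' or 'not-listed' for a version string.
    Branches the article does not mention, and patch levels older than the
    first affected one, are reported as 'not-listed' rather than 'fixed'."""
    major, minor, fix, letter = parse_openssl_version(text)
    branch = AFFECTED.get((major, minor, fix))
    if branch is None:
        return "not-listed"
    first_bad, first_good = branch
    if letter >= first_good:
        return "fixed"
    if letter >= first_bad:
        return "affected"
    return "not-listed"


def check_python_runtime():
    """Classify the OpenSSL the running interpreter is linked against: on a
    client-only machine this library, not the server's, does the TLS work."""
    return ssl.OPENSSL_VERSION, cve_2015_1793_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print("%s: %s" % check_python_runtime())
```

The `openssl version` command prints the same string format, so its output can be passed to `cve_2015_1793_status` directly to check the system library as well.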
Bindee wrote:
Porn always seems to be the best way on the web to infect people with flash exploits.

That statement is very old now and no longer true. Most of the malvertising these days occurs on websites with much more traffic (i.e. news, social media, etc.).
Last edited by bark_bark_bark on Fri 10 Jul 2015, 14:00, edited 1 time in total.