Page 1 of 5
'high' severity OpenSSL and Flash Exploits
Posted: Tue 07 Jul 2015, 08:06
by Bindee
Posted: Tue 07 Jul 2015, 08:19
by mikeb
hmm funny how the 0.9.8 is often exempt from these 'scares' and I don't run a server so just stick with that.
I guess they have to fill their 'pages' with something... IT tabloids...do they have page 3 girls yet?
mike
ps anyone tried to exploit a buffer overflow and similar 'weaknesses'?
Posted: Tue 07 Jul 2015, 11:38
by Semme
Hey Mike, server patched/client unpatched..
Do you know whether this affects the handshake if you're running one of the referenced builds?
I'm asking because my build's not affected.
Posted: Tue 07 Jul 2015, 12:22
by mikeb
Handshaking seems to work but did notice some exceptions but not recently and those seemed to be more about updating certificates....its the exploiting of public servers that seemed to be the main concern...same for the bash holes.
mike
Posted: Tue 07 Jul 2015, 13:40
by Semme
Thanks Mike. While I tend to agree with your comments, I'm still looking for reasons why folks with *client* only machines shouldn't get excited. I suppose it's just as bad if the client's pkg is updated but the server's isn't.
https://www.ssllabs.com/ssltest/index.html
Hmm, the latest PaleMoon scores well on the browser capabilities test.
Posted: Tue 07 Jul 2015, 22:20
by 8Geee
In another thread the posters were wondering why some sites failed to open having a security warning. This because the end-user had chosen to keep security-updates maintained.
As I pointed out, ebay had this problem, and specifically payments servers.
With the link graciously provided above, I ran the SSLTest on the payments server (only). It seems that ebay is running TLS1.0 with weak encryption (128bit). Very naughty. Rated "C" 50/100. Of course that portal to a payment is really an epic fail with that level of "security".
Posted: Wed 08 Jul 2015, 01:36
by 8Geee
Thats a good link for the server requests... slightly OT, but a-pro-po is to check your browser, it seems logjam affects it. Just go to the main page of the link and select browser.
I patched FF27 in my distros by turning off certain dhe generators.
Posted: Wed 08 Jul 2015, 10:32
by mikeb
Hmm so when do the 'attacks' occur then ?
The hardening I did with windows 98 still seems to work....
Ye olde pups seem equally un affected too.
mike
Posted: Wed 08 Jul 2015, 11:02
by Bindee
http://www.theregister.co.uk/2015/07/07 ... ws_kernel/
Theregister would have you believe that a flash exploit is pretty imminent until you read Microsoft's take on it.
Posted: Wed 08 Jul 2015, 11:06
by mikeb
I don't read newspapers or watch the TV and any similar such occurances on the internet...can you see why
mike
ps ..yeah still waiting for my first flash exploit on any system..I use the older versions as they play nice...
Posted: Wed 08 Jul 2015, 11:43
by Bindee
mikeb wrote: still waiting for my first flash exploit on any system.
Maybe they don't bother with 70's hairy porn sites.
Posted: Wed 08 Jul 2015, 14:24
by mikeb
Scary visions
actually I am surprised at how it tends to be forgotten that flash is a 2d vector graphics animator and only later on added the convenience video feature...which never fitted that well due to the nature of how video is handled. (RGB vs YUV etc...)
There is some excellent educational stuff out there for starters... and well...great games.
To me there are far more effficient ways of watching videos...even hairy ones...
mike
Posted: Wed 08 Jul 2015, 23:15
by Bindee
Porn always seems to be the best way on the web to infect people with flash exploits.
http://www.theregister.co.uk/2015/01/29 ... infection/
A massive malvertising campaign leveraging the recent Adobe Flash zero day vulnerability has surfaced on popular* adult site xHamster, analysts say.
The attack served the Bedep Trojan to the site's 500 million viewers a month through a surreptitious exploit on the landing page.
Posted: Thu 09 Jul 2015, 01:39
by Ted Dog
That was in January, who knew there was so much x rated hamster porn and poeple viewing it.
I am a bit conserned it I visit that site I would never be able to look a hamster in the eyes again..
Posted: Thu 09 Jul 2015, 07:14
by Bindee
Inb4 Mikeb says Xinflatablesheep
Well nearly 9 hours into Thursday and nothing from OpenSSL yet.
Posted: Thu 09 Jul 2015, 07:50
by Bindee
Flash vulnerability fixed for Windows, OS X and Linux machines
http://www.theregister.co.uk/2015/07/08 ... am_update/
Adobe got their fix out.
Posted: Thu 09 Jul 2015, 08:40
by mikeb
How about page 3 hamsters on the register? would keep with their standards or journalism.....
Should the name be changed to Adobe Flesh....
Wish they would sell it back to Macromedia as they half knew what they were doing.
mike
Posted: Thu 09 Jul 2015, 10:23
by amigo
look a hamster in the what???
Another day, another OpenSSL patch
Posted: Thu 09 Jul 2015, 19:41
by James C
Another day, another OpenSSL patch
http://www.zdnet.com/article/another-da ... ssl-patch/
The latest OpenSSL security hole isn't a bad one as these things go. It's no Heartbleed, Freak, or Logjam. But it's serious enough that, if you're running alpha or beta operating systems, you shouldn't delay patching it.
Fortunately, the affected OpenSSL versions are not commonly used in enterprise operating systems. For example, it doesn't impact shipping and supported versions of Red Hat Enterprise Linux (RHEL) or Ubuntu. In the case of Ubuntu, it does affect the 15.10 development release, but the patch is already available.
This problem affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Therefore, OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d and OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p.
The security hole, (CVE-2015-1793), was discovered by Google BoringSSL developers. This is Google's own open-source Secure-Socket Layer (SSL) program. It's not meant to replace OpenSSL as an open-source project because its application programming interface (API) and application binary interface (ABI) aren't stable enough for a universally used security program.
Posted: Thu 09 Jul 2015, 19:43
by bark_bark_bark
Bindee wrote:Porn always seems to be the best way on the web to infect people with flash exploits.
That statement is very old now and no longer true. Most of the malvertising these days occur on websites with much more traffic (ie: news, social media, etc.).