Heartbleed – What you need to know.

Wednesday, 9. April 2014

Heartbleed – What is it? (for non geeks)

The Heartbleed bug was caused by a programming error in a software package called OpenSSL. This error had the potential of allowing bad people to attach to secure web and email servers, as well as services that rely on the TLS/SSL protocol, and steal the private encryption key off the servers. The TLS/SSL protocol is what puts the pretty little lock in the address bar in your browser. The private key is what the owners of the sites you go to are suppose to keep secret, and not share with anyone because if someone has it, they can decrypt the encrypted data traveling between your system and the server. THIS IS BAD…

Heartbleed – What is it? (for geeks)

The Heartbleed bug was caused by a programming error in the OpenSSL library that deals with TLS handshakes. A couple years back, a new RFC (rfc 6520) proposed a new extension to the TLS protocol that would allow a heartbeat to be exchanged between the client and server to reduce the number of re-negotiations during a TLS session. This all sounds good, and actually is a very beneficial to the protocol in general, but when it was implemented in OpenSSL, an error in the way the code was written allowed a request to grab a bunch of data without checking the boundaries of the data itself. This could allow someone to make a request crafted in a certain way that would cause OpenSSL to return 64k of protected memory data possibly containing the SSL private key of the server.

Read more


Exploit Against Adobe Flash, Acrobat and Adobe Reader

Thursday, 10. June 2010

Exploit Against Adobe Flash and Adobe Reader.

I thought I got this posted the beginning of the week, but I guess it slipped through the cracks… June 4, 2010, Adobe confirmed that a zero day exploit exists in it’s Flash Player,  Acrobat and Adobe Reader software. This bug effects all of it’s supported platforms, and has been found in the wild.

So, you all know the drill, if your computer has the software listed in the Adobe Security Bulletin, then follow the instructions and get yourself safe!

— Stu


Internet Explorer ActiveX Exploit.

Thursday, 9. July 2009

Microsoft announced an ActiveX exploit in their Internet Explorer browser product on July 6, 2009. Read the Microsoft Bulletin.

The exploit allows a website to send an ActiveX control that can execute whatever evil or destructive code it wants to, with the permissions of the user doing the browsing. It does all this without the user even knowing that it is happening. THIS IS VERY BAD!

Currently, there are no patches available for this. Microsoft recommends turning off ActiveX controls on your browser.

Isn’t it ironic, that one of the things that force people to use IE on certain websites is now a 0 day exploit…

My recommendation? Use Firefox for all your web browsing…

Till the next time!

— Stu


OpenSSH Exploit, Rumor or Not…

Wednesday, 8. July 2009

Well, it’s that time of year again. We are heading toward the Black Hat conference the end of July, and the net is a buzz with exploits and rumors of exploits.

One such rumor has to do with a package that is the backbone of network and server management on the web. OpenSSH or “Secure SHell” is used by every *nix administrator in the world to manage servers. The thought of an exploit against this package sends shivers down every administrator’s spine.

Read more