For today’s Weekly Cybernote, we will focus on two security-related current events that have been highly discussed on the web for more than a month and a half now: the end of support for Windows XP and the Heartbleed flaw. We will also talk about Adobe, whose Creative Cloud experienced a huge outage last week.
Attacks on Windows XP and still no fix from Microsoft
The Redmond vendor remains firm on its decision to end support for Windows XP and refuses to fix a bug in Internet Explorer that has already been exploited by hackers. Microsoft and external security experts have indicated that hackers had been exploiting a vulnerability in Internet Explorer under Windows XP and on the last Patch Tuesday, no fix was provided to resolve the issue, in line with the decision to cease all support for the system. The bug, which has been identified with the reference CVE-2014-1815, is one of two critical vulnerabilities affecting IE6, IE7, IE8, IE9, IE10 and IE11 and patched by Microsoft last Tuesday. In the Security Advisory, the vendor pointed out that the vulnerability was already known and was already exploited by hackers even before this update. However, since Windows XP has stopped being supported since April, XP users did not receive a security patch for IE, unlike users of Windows Vista, Windows 7 and Windows 8. Arkoon+Netasq’s ExtendedXP allows keeping Windows XP workstations safe in the best security conditions.
Heartbleed: errors observed in the application of certificates and bug fixes
Despite the swift measures taken by certain sites to protect themselves from the Heartbleed attack, some of them realized that they were not better protected than before, and in some cases, found themselves even more exposed. After having fixed their version of OpenSSL following the Heartbleed attack on April 7th, many sites also went on to revoke their compromised SSL certificates by replacing them with new certificates. But according to a survey, 30 000 sites received replacement certificates based on the same compromised private key used in previous certificates. This means that anyone who managed to steal the private key of one of these servers before it was patched can still use the key to trick the server by launching a man-in-the-middle attack.
Adobe’s Creative Cloud hit by a huge outage
Almost all the services and solutions in Adobe’s Creative Cloud suite were inaccessible throughout several regions worldwide, including Europe. At the time of writing, the problem was still unresolved and Adobe’s teams are looking into the cause of the malfunction. Only the file synchronization service escaped unharmed from this giant outage. At the same time, new accounts (Adobe ID) still cannot be created, as is the case with all Creative Cloud subscriber services. This is Adobe’s first major breakdown since the launch of Creative Cloud in June 2013.