
April 2014


April 30, 2014

New Internet Explorer bug *UPDATED 5-1*

Microsoft released a Security Advisory yesterday affecting Internet Explorer up to and including the most recent version, Internet Explorer 11.

The US Computer Emergency Readiness Team (US-CERT) has made the following recommendation regarding this vulnerability:

"US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser."

As such we recommend, as an alternative to Internet Explorer, that you consider using Google Chrome, Mozilla Firefox, or Safari when visiting websites. If you must use an NYU application that only supports Internet Explorer you should feel free to do so. For browsing sites outside of NYU, however, the use of Chrome, Firefox, or Safari is recommended instead.

For more information please see:

* http://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being

* https://technet.microsoft.com/en-US/library/security/2963983

* http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

As always, please contact security@nyu.edu with any questions.


UPDATE: Microsoft has issued a security patch for this vulnerability, and it is available via Windows Update. There is more information about the patch at https://technet.microsoft.com/library/security/ms14-021

April 09, 2014

Important New Web (OpenSSL) Vulnerability

As many of you may have read or heard, a flaw has been discovered in one of the Internet's security methods—a flaw that could enable hackers to access user names, passwords, or other sensitive data.

A fix for this flaw, which was announced this week, is available, and NYU is now working quickly to patch all of the University's systems that need patching. The flaw, known as the "Heartbleed" vulnerability, is associated with a widely used technology known as OpenSSL, which is used to secure server transactions. OpenSSL is used by Internet service providers, system administrators, and universities around the world, including NYU.

What NYU is doing:
Technology Security Services (TSS) at NYU is reviewing our centrally provided systems, and servers that need to be patched are being patched. TSS has been in touch with the NYU system administrators group (system administrators across campus) to alert them to the issue and the recommended fix. The CIO Council (IT leads at the schools) has also been alerted to this issue for any locally maintained and housed servers.

What should you do:
First of all, don't panic. Not all systems use OpenSSL, some that do are not vulnerable, and many websites are already installing patches on their systems.

If you are an administrator of any system, you should immediately upgrade your system to the latest version of OpenSSL. For more guidance, NYU system administrators should contact the IT Security Group at security@nyu.edu. Administrators of systems outside of NYU (e.g., cloud services) should contact the service provider or refer to the links below.

For users of NYU systems: ITS and other service owners across NYU are working quickly to patch systems as necessary. As examples, NYU Google Apps, NYU Classes, Albert/SIS, NYUHome, www.nyu.edu, NYU Login, PeopleSync, and all core NYU systems have either been patched, or are not vulnerable to this bug.

For users of non-NYU systems: If you don't know if the server you are connecting to has been patched, the most prudent thing to do is refrain from logging into non-NYU sites that contain sensitive data for a few days while those non-NYU servers are patched. If there is no information from the system owners after that time, you should contact the site to confirm that the patch is in place. If you are curious as to whether a page may be affected by the flaw, you can visit this Heartbleed test site and put in the name of the website you are concerned about to see whether it is vulnerable. However, not all sites can be tested in this way.

What the Internet is doing:
Internet providers and server administrators around the world are doing assessments of their systems in order to patch their version of OpenSSL.

References: