Adobe released an emergency security update for Flash Player today. This update patches a vulnerability that could allow attackers to spy on infected users’ computers. It’s unknown what kind of malware could have been delivered through the vulnerability because the people behind the attacks removed the malicious data from servers when the attacks were discovered; however, it’s believed that the group is based in Syria as it appeared the attacks were aimed at Syrian dissidents.
Users of Google Chrome, and of Internet Explorer on Windows 8 and 8.1, will get updates through their respective browser updates. Users of other web browsers or systems are encouraged to update Adobe Flash Player as soon as possible.
This past weekend, Microsoft announced that versions 6 through 11 of Internet Explorer are vulnerable to attackers via “drive-by attacks” from malicious websites. Previously unknown, this security flaw allows attackers to execute harmful computer code remotely, enabling them to hijack vulnerable computers.
Internet Explorer users are highly encouraged to use an alternate web browser (such as Firefox or Google Chrome) for the time being. Users who must use Internet Explorer for certain websites should use IE only for those websites and an alternate browser for other websites and general web browsing.
The Samsung Galaxy S5, the latest in Samsung’s line of Galaxy smartphones, features a fingerprint scanner that allows the phone’s user to unlock it. This is a new feature that is also found on the rival iPhone 5s. However, just like the iPhone, the Galaxy’s fingerprint reader is vulnerable to a significant security flaw: An attacker could create a copy of the user’s fingerprint and fool the smartphone into unlocking. While it took a little bit of physical work for the security researchers to fool the Galaxy’s fingerprint reader–they created a mold of a user’s fingerprint from a photo–it may not be considered a lot of work to a determined attacker.
Sophos’s Naked Security blog points out a good reason why people shouldn’t use their fingerprints for all of their security needs:
What’s especially inconvenient about fingerprint authentication is that we’re pretty much stuck with the fingerprints we have.
If someone steals a photo of your fingerprint to use for identity theft, you can’t change it like you can your password.
Earlier this week, security researchers discovered a serious vulnerability in the OpenSSL cryptographic library, which is used to protect many websites including Facebook, Gmail, and Yahoo. The flaw is popularly known as the Heartbleed Bug and allows anyone to view usernames, email, and passwords sent to these sites.
Lifehacker has an informative blog post summarizing how this affects an average Internet user, the next steps users should take, and what popular websites are affected. Mashable also has a chart of potentially affected websites and their responses to the threat.
Microsoft ended support for Windows XP today, which means there will be no further security updates or patches for the operating system. While users can continue using XP, the operating system will not be protected against any new vulnerabilities that arise, so users will find themselves in riskier waters the longer they wait to upgrade to a newer operating system. If you are using Windows XP on a University-owned computer and are supported by CASIT, please contact us and we can consult with you on making the switch to a newer operating system. If you are not supported by CASIT, please contact your department’s tech support desk.