'high' severity OpenSSL and Flash Exploits

[Bindee]

http://www.theregister.co.uk/2015/07/06 ... _thursday/

Doesn't say very much.

[mikeb]

hmm funny how the 0.9.8 is often exempt from these 'scares' and I don't run a server so just stick with that.

I guess they have to fill their 'pages' with something... IT tabloids...do they have page 3 girls yet?

mike

ps anyone tried to exploit a buffer overflow and similar 'weaknesses'?

[Semme]

Hey Mike, server patched/client unpatched..

Do you know whether this affects the handshake if you're running one of the referenced builds?

I'm asking because my build's not affected.

[mikeb]

Handshaking seems to work but did notice some exceptions but not recently and those seemed to be more about updating certificates....its the exploiting of public servers that seemed to be the main concern...same for the bash holes.

mike

[Semme]

Thanks Mike. While I tend to agree with your comments, I'm still looking for reasons why folks with *client* only machines shouldn't get excited. I suppose it's just as bad if the client's pkg is updated but the server's isn't.

https://www.ssllabs.com/ssltest/index.html

Hmm, the latest PaleMoon scores well on the browser capabilities test.

[8Geee]

In another thread the posters were wondering why some sites failed to open having a security warning. This because the end-user had chosen to keep security-updates maintained.

As I pointed out, ebay had this problem, and specifically payments servers.

With the link graciously provided above, I ran the SSLTest on the payments server (only). It seems that ebay is running TLS1.0 with weak encryption (128bit). Very naughty. Rated "C" 50/100. Of course that portal to a payment is really an epic fail with that level of "security".

[8Geee]

Thats a good link for the server requests... slightly OT, but a-pro-po is to check your browser, it seems logjam affects it. Just go to the main page of the link and select browser.

I patched FF27 in my distros by turning off certain dhe generators.

[mikeb]

Hmm so when do the 'attacks' occur then ?

The hardening I did with windows 98 still seems to work....
Ye olde pups seem equally un affected too.

mike

[Bindee]

http://www.theregister.co.uk/2015/07/07 ... ws_kernel/

Theregister would have you believe that a flash exploit is pretty imminent until you read Microsoft's take on it.

[mikeb]

I don't read newspapers or watch the TV and any similar such occurances on the internet...can you see why

mike

ps ..yeah still waiting for my first flash exploit on any system..I use the older versions as they play nice...

[Bindee]

still waiting for my first flash exploit on any system.

Maybe they don't bother with 70's hairy porn sites.

[mikeb]

Scary visions

actually I am surprised at how it tends to be forgotten that flash is a 2d vector graphics animator and only later on added the convenience video feature...which never fitted that well due to the nature of how video is handled. (RGB vs YUV etc...)

There is some excellent educational stuff out there for starters... and well...great games.

To me there are far more effficient ways of watching videos...even hairy ones...

mike

[Bindee]

Porn always seems to be the best way on the web to infect people with flash exploits.

http://www.theregister.co.uk/2015/01/29 ... infection/

A massive malvertising campaign leveraging the recent Adobe Flash zero day vulnerability has surfaced on popular* adult site xHamster, analysts say.

The attack served the Bedep Trojan to the site's 500 million viewers a month through a surreptitious exploit on the landing page.

[Ted Dog]

That was in January, who knew there was so much x rated hamster porn and poeple viewing it.

I am a bit conserned it I visit that site I would never be able to look a hamster in the eyes again..

[Bindee]

Inb4 Mikeb says Xinflatablesheep

Well nearly 9 hours into Thursday and nothing from OpenSSL yet.

[Bindee]

Flash vulnerability fixed for Windows, OS X and Linux machines

http://www.theregister.co.uk/2015/07/08 ... am_update/

Adobe got their fix out.

[mikeb]

How about page 3 hamsters on the register? would keep with their standards or journalism.....

Should the name be changed to Adobe Flesh....

Wish they would sell it back to Macromedia as they half knew what they were doing.

mike

[amigo]

look a hamster in the what???

[James C]

Another day, another OpenSSL patch

http://www.zdnet.com/article/another-da ... ssl-patch/

The latest OpenSSL security hole isn't a bad one as these things go. It's no Heartbleed, Freak, or Logjam. But it's serious enough that, if you're running alpha or beta operating systems, you shouldn't delay patching it.

Fortunately, the affected OpenSSL versions are not commonly used in enterprise operating systems. For example, it doesn't impact shipping and supported versions of Red Hat Enterprise Linux (RHEL) or Ubuntu. In the case of Ubuntu, it does affect the 15.10 development release, but the patch is already available.

This problem affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Therefore, OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d and OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p.

The security hole, (CVE-2015-1793), was discovered by Google BoringSSL developers. This is Google's own open-source Secure-Socket Layer (SSL) program. It's not meant to replace OpenSSL as an open-source project because its application programming interface (API) and application binary interface (ABI) aren't stable enough for a universally used security program.

[bark_bark_bark]

Porn always seems to be the best way on the web to infect people with flash exploits.

That statement is very old now and no longer true. Most of the malvertising these days occur on websites with much more traffic (ie: news, social media, etc.).