Firefox browser now blocks Adobe Flash by default


Adobe Flash is now blocked by default on all Windows and Mac versions of the Mozilla Firefox web browser. Is it high time that Adobe finally consigned Flash to the bin of outdated technologies? Is this one security flaw too far? How much better it would be if Adobe instead devoted its efforts to tools for HTML5 and CSS that deliver the animated vector graphics which attracted web developers to Flash in the first place.

Following in the footsteps of Apple (Steve Jobs published a then-controversial open letter on Flash in 2010), Mozilla is another company that has publicly raised serious concerns about the security of Flash and its widely documented bugs.

Mozilla pointed to evidence that bugs in Flash were being actively exploited by criminal groups to install malware and ransomware on users' machines. At the time, the known exploits targeted Firefox on Windows PCs.

Flash Plugin Blocked

On its support pages Mozilla said that the block would remain until Adobe releases an updated version addressing the known critical security issues. A similar block has been built into Apple's Safari browser since version 7 in 2013.

My verdict: It’s time to pull the plug on Flash once and for all. Come on Adobe, think to the future instead of frantically patching the past!

WordPress critical bug on versions 4.2 and earlier

If your website runs on WordPress, you need to be aware that WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise your website.

WordPress 4.2.2 includes a comprehensive fix for this issue.

Please ensure that you update all instances of WordPress to 4.2.2 as soon as possible. You can do this by logging into your WordPress Dashboard and clicking “Update now” from the “Updates” option in the menu.
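For anyone administering more than one site, the following is an added example (not code from WordPress or from this page) that reads the installed version out of the contents of wp-includes/version.php and decides whether the install predates 4.2.2. The sample file contents are constructed, and the function names are my own; the point worth noting is that versions must be compared numerically, since a plain string comparison would rank 4.10 below 4.2.2.

```python
import re

# The assignment as it appears in wp-includes/version.php
_WP_VERSION = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text: str) -> tuple:
    """Turn '4.2', '4.2.2' or '4.3-alpha-32282' into a comparable tuple of ints.
    Missing components count as 0, so '4.2' == '4.2.0'; pre-release suffixes are dropped."""
    match = re.match(r"\d+(\.\d+)*", text)
    if not match:
        raise ValueError("not a version string: %r" % text)
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def wordpress_version(version_php: str) -> str:
    """Extract $wp_version from the text of wp-includes/version.php."""
    match = _WP_VERSION.search(version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def needs_update(version_php: str, fixed_in: str = "4.2.2") -> bool:
    """True when the installed version predates the release carrying the fix."""
    return parse_version(wordpress_version(version_php)) < parse_version(fixed_in)


if __name__ == "__main__":
    # constructed sample of a version.php from an unpatched 4.2.1 install
    SAMPLE = "<?php\n/**\n * The WordPress version string\n */\n$wp_version = '4.2.1';\n"
    print("installed:", wordpress_version(SAMPLE), "needs update:", needs_update(SAMPLE))
```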

If your website is hosted by ISArc, this has already been done for you: your website is already running WordPress 4.2.2!

For more information visit https://wordpress.org/news/


OpenSSL HeartBleed Bug – Explanation and fix

Heartbleed (CVE-2014-0160) is a bug in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520). The code change that introduced it is small; its consequences are not.

The bug is present in OpenSSL versions 1.0.1 through 1.0.1f (and in 1.0.2-beta1); the 0.9.8 and 1.0.0 branches are not affected.

By exploiting this bug, an attacker can make a running TLS server hand over a slice of its process memory of up to 64 KB per request, and can repeat the request as often as it likes. The bug is symmetric, so a vulnerable OpenSSL client that connects to a malicious server can be read in the same way. Since this is the same memory in which OpenSSL holds the server's private key material and the plaintext it has just encrypted or decrypted, an attacker can potentially obtain data such as:

1) private keys
2) TLS session keys
3) confidential data
4) session ticket keys.

The remedy

You can test whether a given server is vulnerable with this tool: http://filippo.io/Heartbleed/ (enter the host and port, for example yourdomain.name:443). Test every service that speaks TLS through OpenSSL, not only the web server: mail (SMTP, IMAP, POP3), VPN and database endpoints are just as exposed.

To check the OpenSSL version running on your server, use the following command via SSH:

CentOS

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Ubuntu

# dpkg -s openssl | grep Version
Version: 1.0.1-4ubuntu5.6

Having identified a problem, the first step is to patch OpenSSL. Fortunately this is relatively easy. Version 1.0.1g is not vulnerable, and Debian, Ubuntu, Red Hat and CentOS all shipped patched packages. Note that these distributions backport the fix without changing the base version number: a patched CentOS system still reports 1.0.1e, and a patched Ubuntu 12.04 system still reports 1.0.1 (the fixed package is 1.0.1-4ubuntu5.12), so the version string alone does not tell you whether the fix is in. Where no package is available you can also recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS option, which removes the heartbeat extension entirely.

Installing OpenSSL 1.0.1g on CentOS:

# cd /usr/local/src
# wget -N http://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -xzvf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g
# ./config
# make
# make install
# alias cp=cp
# cp /usr/local/ssl/bin/openssl /usr/bin/openssl
# cd /usr/local/ssl/include
# ln -s /usr/local/ssl/include/openssl openssl

Once done, check the version again and restart the web server. Two notes on the steps above: the alias cp=cp line overrides the cp -i alias that CentOS defines for root, so the copy does not prompt; and this build installs into /usr/local/ssl and only replaces the command-line binary, so services that link against the system's shared libssl in /usr/lib64 keep running the vulnerable code until the system openssl package is updated (yum update openssl) or they are rebuilt against the new library.

# openssl version
OpenSSL 1.0.1g 7 Apr 2014

Restart any services using SSL.

Installing the patched OpenSSL package on Ubuntu (the package version stays 1.0.1-based; 1.0.1g itself is not shipped):

# apt-get update
# apt-get install -y openssl libssl1.0.0

Restart any services using SSL; a running process keeps the old library mapped until it is restarted. Because a vulnerable server may already have leaked its private key, patching alone is not enough: generate new keys, reissue the certificates, revoke the old ones, and invalidate existing sessions, cookies and passwords that may have been exposed.
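As an added example (not from this page or from the OpenSSL project), the following Python helper classifies version strings of the kind shown above, as printed by openssl version or by the package manager. The version strings in the sample input are constructed, and the function name and status labels are my own. The rule it encodes is the one that trips people up: distribution packages backport the fix without changing the base version, so for a 1.0.1 through 1.0.1f package the deciding evidence is whether the package changelog names CVE-2014-0160.

```python
import re

HEARTBLEED_CVE = "CVE-2014-0160"
# major.minor.patch followed by an optional point-release letter (1.0.1e, 1.0.1g, ...)
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def heartbleed_status(version_string: str, changelog: str = "") -> str:
    """Classify OpenSSL version text. Returns one of:
      'not-affected'   - a release line without the bug (0.9.8, 1.0.0, 1.0.2 final, ...)
      'vulnerable'     - 1.0.1 through 1.0.1f, or 1.0.2-beta1, with no sign of a backport
      'fixed-upstream' - 1.0.1g or later in the 1.0.1 line
      'fixed-backport' - a vulnerable base version whose package changelog names the CVE
      'unknown'        - no version number found
    Pass the distribution's package changelog as `changelog` to detect backports."""
    match = _VERSION.search(version_string)
    if not match:
        return "unknown"
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    letter = match.group(4)  # '' for a plain x.y.z, 'a'..'z' for point releases
    base = (major, minor, patch)
    if base == (1, 0, 1):
        # 1.0.1 and 1.0.1a..1.0.1f shipped the bug; 1.0.1g fixed it
        if letter > "f":
            return "fixed-upstream"
    elif base == (1, 0, 2) and re.search(r"1\.0\.2-beta1(?!\d)", version_string):
        pass  # the one 1.0.2 pre-release that carried the bug
    else:
        return "not-affected"
    if HEARTBLEED_CVE in changelog:
        return "fixed-backport"
    return "vulnerable"


if __name__ == "__main__":
    # constructed inputs modelled on the outputs shown in the text
    for line in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "Version: 1.0.1-4ubuntu5.6",
                 "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.0l", "OpenSSL 1.0.2-beta1"):
        print("%-35s %s" % (line, heartbleed_status(line)))
```

On CentOS/RHEL the changelog text comes from rpm -q --changelog openssl; on Debian/Ubuntu from zcat /usr/share/doc/openssl/changelog.Debian.gz. Feed that output in as the changelog argument rather than trusting the version number.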

What’s the TLS Heartbeat mechanism?

The TLS heartbeat extension (RFC 6520) is designed to keep connections alive, and to check that the peer is still reachable, even when no application data is being transmitted. A heartbeat request carries a payload length field, a payload of arbitrary data and at least 16 bytes of padding; the other peer is supposed to respond with a message that echoes exactly the same payload. The bug was that OpenSSL trusted the payload length claimed in the request instead of checking it against the number of bytes that had actually arrived. A request that claimed a 64 KB payload but carried only a few bytes made the responder copy the claimed 64 KB, starting at the received payload and running on into whatever happened to be next in memory, back to the sender. The fix in 1.0.1g adds the missing bounds check and silently discards malformed requests, as the RFC requires.
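The following is an added example, not code from this page or from OpenSSL, that models the exchange in Python: it builds a heartbeat message in the RFC 6520 layout, then answers it once the way the vulnerable code did (copying the claimed length) and once with the bounds check from the 1.0.1g fix. The Peer class and its secrets buffer are a constructed stand-in for process memory, not the real OpenSSL data structures.

```python
import struct
from typing import Optional

# Wire format of a heartbeat message (RFC 6520), i.e. the body of a TLS record
# of content type 24:
#   HeartbeatMessageType(1) | payload_length(2, big-endian) | payload | padding(>= 16)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16
HEADER = struct.Struct("!BH")


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_length lets the sender lie about the
    payload length, which is exactly what a Heartbleed probe does."""
    if claimed_length is None:
        claimed_length = len(payload)
    return HEADER.pack(HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def extract_payload(response: bytes) -> bytes:
    """Take the echoed payload out of a heartbeat response (whatever came back,
    up to the length the header claims)."""
    _, length = HEADER.unpack(response[:HEADER.size])
    return response[HEADER.size:HEADER.size + length]


class Peer:
    """Toy model of a TLS endpoint. The received record is followed in memory by
    other process data (here, constructed secrets), which is what made the
    over-read in OpenSSL leak keys and session data."""

    def __init__(self, secrets: bytes):
        self.secrets = secrets  # constructed stand-in for key material etc.

    def respond_vulnerable(self, record: bytes) -> bytes:
        # OpenSSL 1.0.1 to 1.0.1f: trust the peer's payload_length and copy that many
        # bytes starting at the payload, regardless of how long the record really is.
        _, payload_length = HEADER.unpack(record[:HEADER.size])
        memory = record + self.secrets  # the heap beyond the end of the record
        start = HEADER.size
        payload = memory[start:start + payload_length]  # reads past the record
        return HEADER.pack(HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING

    def respond_fixed(self, record: bytes) -> Optional[bytes]:
        # OpenSSL 1.0.1g: check payload_length against the real record length and
        # silently discard anything that does not fit (RFC 6520, section 4).
        if len(record) < HEADER.size + MIN_PADDING:
            return None
        _, payload_length = HEADER.unpack(record[:HEADER.size])
        if HEADER.size + payload_length + MIN_PADDING > len(record):
            return None
        start = HEADER.size
        payload = record[start:start + payload_length]
        return HEADER.pack(HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    # constructed secret standing in for what sits next to the record on a real heap
    SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed sample)"
    peer = Peer(SECRET)
    probe = build_heartbeat(b"ping", claimed_length=16384)  # 4 real bytes, 16 KB claimed
    leaked = extract_payload(peer.respond_vulnerable(probe))
    print("vulnerable peer leaked the secret:", SECRET in leaked)
    print("fixed peer answered the probe:", peer.respond_fixed(probe) is not None)
```

The honest exchange (four bytes sent, four bytes claimed) is answered identically by both versions; only the mismatch between claimed and actual length separates them, which is why the fix is a single comparison.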

If you want to read more about this, the best-written article I have found on the topic is here: http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html