
Apple and Microsoft issue FREAK fixes

By Alan Bentley. 

Microsoft issued 14 security bulletins for its March Patch Tuesday, five of which are rated critical and nine important. A total of 44 vulnerabilities are addressed, three of which are publicly known and being exploited now. Organizations using Windows, Office, Exchange and/or IE will find themselves in a very busy patching month.

First on the priority list of updates should be MS15-018, another cumulative update for IE. This one is critical and covers 12 CVEs, including the February zero-day CVE-2015-0072, a cross-site scripting (XSS) vulnerability in IE 10 and 11. It allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element. Two of the vulnerabilities were publicly disclosed and one is under active attack; the other ten CVEs were privately reported and affect all versions of IE.

MS15-022 is another critical-rated bulletin, covering five CVEs in Microsoft Office and SharePoint. This should be second on your priority list. The patches for Office, all versions, are rated critical, while the patches for SharePoint are rated important.

The FREAK (Factoring Attack on RSA-EXPORT Keys, CVE-2015-0204) vulnerabilities are addressed in MS15-031, which should be third on your priority list. It is an important-rated bulletin for a vulnerability in Schannel in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems. The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected, as is Mac OS. Organizations that use Mac desktops should look for Apple Security Update 2015-002 to address this issue.
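Because the downgrade described above only works where an RSA_EXPORT cipher suite is offered or selected, a defender can check captured handshakes for exactly those suites. The following is an added example, not code from the article or from Microsoft or Apple: it parses a TLS ClientHello or ServerHello record and reports any RSA_EXPORT suite present; the sample messages are constructed inline, not captured traffic.

```python
import struct

# RSA_EXPORT cipher suites from RFC 2246 / RFC 4346: the suites FREAK depends on.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def hello_cipher_suites(record: bytes) -> list:
    """Return the cipher suites in a TLS handshake record: every suite offered
    by a ClientHello, or the single suite selected by a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or len(body) != rec_len:
        raise ValueError("truncated TLS record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                         # skip protocol version and 32-byte random
    pos += 1 + hs[pos]                   # skip length-prefixed session_id
    if hs_type == 0x01:                  # ClientHello: 2-byte-length suite vector
        (n,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
        raw = hs[pos:pos + n]
        if len(raw) != n or n % 2:
            raise ValueError("malformed cipher_suites vector")
        return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]
    if hs_type == 0x02:                  # ServerHello: the one selected suite
        return [struct.unpack("!H", hs[pos:pos + 2])[0]]
    raise ValueError("not a ClientHello or ServerHello")

def export_suites(record: bytes) -> list:
    """Names of RSA_EXPORT suites offered (client) or selected (server); empty is the goal."""
    return [RSA_EXPORT_SUITES[s] for s in hello_cipher_suites(record) if s in RSA_EXPORT_SUITES]

def _record(hs_type: int, hs_body: bytes) -> bytes:
    """Wrap a handshake body in handshake and record headers (TLS 1.2 record version)."""
    hs = bytes([hs_type]) + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed sample messages (not captured traffic): a client offering one
# export suite alongside modern ones, and a server that selected that suite.
_HELLO_PREFIX = b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, random, empty session_id
CLIENT_HELLO = _record(0x01, _HELLO_PREFIX + struct.pack("!H", 6)
                       + b"\x00\x2f\x00\x03\x00\x35" + b"\x01\x00")
SERVER_HELLO = _record(0x02, _HELLO_PREFIX + b"\x00\x03" + b"\x00")
```

Running `export_suites` over the ServerHellos in a capture of your own servers shows which of them still negotiate export-grade RSA; a non-empty result means the MS15-031 and Apple fixes on clients are not the only thing to address.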

Fixing this pervasive FREAK vulnerability that allows eavesdroppers to intercept connections will be front of mind for security professionals. Now that Apple and Microsoft have made fixes available, the onus is on organizations to address the vulnerability. Failure to apply the appropriate patch will mean organizations are knowingly leaving their back doors open and allowing hackers access to their personal and private data.

The author
Alan Bentley is SVP International at HEAT Software (formerly Lumension).

• Date: 12th March 2015 • World • Type: Article • Topic: ISM

