April 2014 Archives

A very serious security vulnerability has been identified with Microsoft Internet Explorer browsers that could severely impact systems. The vulnerability was classified as a zero-day exploit as there are presently no available patches to address the security flaw.  Microsoft is aware of the  vulnerability and has released a security advisory to track this issue. Threat actors are actively using this exploit.  This is a significant zero-day exploit as the vulnerable versions represent about a quarter of the total browser market. All versions of Microsoft Internet Explorer appear to be vulnerable. UMass Lowell Information Technology (IT) is monitoring the network for signs of this particular exploit. In the meantime, we strongly urge everyone to use other Internet browsers if possible. Examples of browsers to use are Mozilla Firefox, Apple Safari and Google Chrome. If you do not have a secondary Internet browser on your system, please contact the Help Desk and they will assist you in downloading an additional browser.

What else can we do to protect ourselves?

UMass Lowell IT recommends all users refrain from using Internet Explorer at home or at work until an approved patch has been applied. UMass Lowell IT will see that the patch is applied for all Windows systems on Active Directory. You should take the necessary steps to apply the approved patch one it becomes available on all other personally owned Widows devices.

Donít be lured by Phishing

This particular vulnerability is exploited by visiting nefarious and fraudulent web sites. Remember never, ever click on any link or open any attachment that is sent to you via email unless you know the individual or entity and were expecting the message and the attachment or link.

What if I have a question?

Contact the Help Desk at 978-934-HELP.
If you have additional security concerns, please email itsecurity@uml.edu
WHEN           April 7, 2014, ongoing

WHAT     On Monday, April 7, 2014, the OpenSSL Project announced a serious vulnerability in OpenSSL, called Heartbleed, that can expose data on systems running OpenSSL.

OpenSSL is one of the most popular data encryption tools for Web traffic, and as a result, the effects of this vulnerability are wide-ranging.
OpenSSL has released a fix for Heartbleed, included in version 1.0.1g. Server administrators using OpenSSL should update their version immediately either through OpenSSL or their applicable vendor.
WHO IS        Server Administrators, General Public

NEXT STEPS We recommend that Campus Server Administrators:

1. Update OpenSSL through OpenSSL or your vendor.

A list of vendors and their current status is available through US-CERT:

OpenSSL updates are available through their source page:

2.    Generate a new private key for a new SSL certificate.
3.    Install a new SSL certificate with the new key.
4.    (As applicable) Notify users when service(s) is/are no longer vulnerable.
                    We recommend that students, faculty, and staff:
1. Do not change any passwords to UMass Central IT services until you receive notice later this week that all IT services have been patched. If you have already changed your password, you will need to change it again after UMass IT confirms that all services have been patched.
                                          For any non-UMass IT services: 
1. Do not change your passwords or transmit data to secure Web sites or services that you normally use until you have received an official announcement from them regarding a security update.
2. After you've confirmed that the site or service has installed a security update, change your passwords.
3. For at least the next week, monitor your sensitive online accounts (banking, email) for suspicious activity.
RELATED     OpenSSL Security Advisory:
CONTENT     http://www.openssl.org/news/secadv_20140407.txt                      

                    OpenSSL Updates:

                    Codenomicon Summary:

                    US-CERT Vulnerability Note:

About this Archive

This page is an archive of entries from April 2014 listed from newest to oldest.

March 2014 is the previous archive.

June 2014 is the next archive.

Find recent content on the main index or look in the archives to find all content.