New Internet Explorer Vulnerability

Today Microsoft announced a new vulnerability that affects all current versions of Internet Explorer: 6, 7, 8, 9, 10, and 11.

Windows Server 2003, 2008, and 2012 are vulnerable if Enhanced Security Configuration is turned off.  Out of the box these operating systems are not vulnerable.

Windows XP, Vista, 7, and 8/8.1 users are urged to discontinue use of Internet Explorer until a patch is released (or in the case of XP users – discontinue use of Internet Explorer altogether since no patch will be released).

More information, along with configuration changes that make your systems less vulnerable until a patch is released, is available from Microsoft.

Source: US-CERT

Heartbleed

Heartbleed (CVE-2014-0160) is a bug that was recently detected in OpenSSL’s implementation of the TLS/DTLS heartbeat extension.  The bug allows an attacker to expose the memory contents of the server to the client, and vice versa.

OpenSSL is a library that is used by many applications and Internet sites to provide cryptographic services.  It is used by VPNs, websites, and even some applications.

In a worst case scenario, it could be possible for a site’s private cryptographic key to be exposed to an attacker.  The attacker could then use this key to perform a man-in-the-middle attack (effectively, the attacker could pose as the site and trick users into communicating confidential information to the attacker rather than the intended recipient).  For a simple illustration of how the exploit works, have a look at this web comic by xkcd.

Because exploiting the bug does not leave any trace, there is no way of knowing which sites, if any, have been compromised.  As such, the general recommendation to end users is to change all of your passwords immediately.

Password management website LastPass has put together a tool you can use to check if your favorite site was affected by Heartbleed.  You can access it here.

Businesses that run secure websites and/or VPNs should examine their systems and determine if it is necessary to reissue cryptographic keys.  Affected versions of OpenSSL are as follows:

OpenSSL 1.0.1 through 1.0.1f are vulnerable.
OpenSSL 1.0.1g is NOT vulnerable.
OpenSSL 1.0.0 and earlier are NOT vulnerable.
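
As an added example (not part of the original post, and not a Microsoft, OpenSSL or LastPass tool), the version list above can be applied to the banner printed by `openssl version`. The function name `heartbleed_status` and the sample banners are constructed for illustration; versions the list does not mention are reported as not-listed rather than guessed.

```shell
#!/bin/sh
# Classify an `openssl version` banner against the version list on this page.
# heartbleed_status is a hypothetical helper name, not part of OpenSSL.
heartbleed_status() {
    # $1: banner text, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    # Anything that is not an OpenSSL banner cannot be classified.
    [ -n "$ver" ] || { echo "unparsed"; return 0; }
    case "$ver" in
        # Pre-release builds are not covered by the page's list.
        *-beta*|*-pre*|*-dev*) echo "not-listed"; return 0 ;;
    esac
    ver=${ver%%-*}   # drop build suffixes such as "-fips"
    case "$ver" in
        1.0.1|1.0.1[a-f])      echo "vulnerable" ;;      # 1.0.1 through 1.0.1f
        1.0.1g)                echo "not-vulnerable" ;;  # release with the fix
        1.0.0|1.0.0[a-z]|0.*)  echo "not-vulnerable" ;;  # 1.0.0 and earlier
        *)                     echo "not-listed" ;;      # outside the page's list
    esac
}

# Constructed sample banners (not taken from real hosts).
while IFS= read -r banner; do
    printf '%-36s %s\n' "$banner" "$(heartbleed_status "$banner")"
done <<'EOF'
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1 14 Mar 2012
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 0.9.8y 5 Feb 2013
LibreSSL 2.8.3
EOF

# To check the local host: heartbleed_status "$(openssl version)"
```

Distribution packages sometimes backport a fix without changing the upstream version letter, so a "vulnerable" result is a prompt to check the package changelog rather than a final verdict. The command-line binary may also differ from the library a running web server or VPN has loaded.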

If you are concerned whether your systems are affected by this bug, please contact us for a consultation and we can advise you on what steps your business needs to take.

 

Windows XP Support Ended

As of April 8, 2014, Microsoft is no longer supporting Windows XP Service Pack 3.  Here are a few of the more common questions we get regarding end of support for Windows XP.

What exactly does “no longer supporting” mean in this case?

It means that Microsoft is no longer releasing security updates for the operating system.  Existing updates will remain available on Windows Update.

What about Microsoft Security Essentials for XP?

Security Essentials is no longer available for download as of April 8th; however, if you already have Security Essentials installed, it will continue to receive updates through July of 2015.

Can I upgrade to Vista, Windows 7, or Windows 8?

That depends on your computer.  The system requirements for Windows 7 are essentially a 1 GHz CPU and 1 GB of RAM.  As a practical matter, however, most computers more than 5 years old will not provide reasonable performance with newer versions of Windows.  Furthermore, the only supported in-place upgrade from XP is to Windows Vista.  Windows 7 and Windows 8 will require a reinstall of the operating system and the other applications on your PC.  Windows Vista is no longer being sold, so unless your computer came with a Vista upgrade disc, your only options will be Windows 7 or Windows 8.

Do I need to purchase a new computer or upgrade?

Again, this depends on your individual situation.  Most home users can continue to use XP for the moment, though we highly recommend planning to either replace the PC or, if possible, upgrade to Windows 7/8 in the near future.  It is, however, highly recommended that you maintain a current backup of your computer and ensure you have up-to-date antivirus software installed.

For business users, we recommend replacing or upgrading as soon as possible.  In a multi-computer networked environment, having a single vulnerable computer could be catastrophic when a new exploit is released.

Will you continue to support customers with Windows XP machines?

Yes.  We will continue to offer support to customers with any version of Windows.  However, please understand that without support from Microsoft there are fewer tools available for troubleshooting and correcting problems with Windows XP based computers.

If you would like a personalized evaluation and recommendation on moving away from XP, please feel free to contact us to arrange a consultation.