Tag Archives: shellshock

“Poodle” security hole has a nasty bite

poodles

“Poodle” bites on open WiFi networks with multiple users.

A security hole called Poodle could allow hackers to take over your banking and social media accounts.

Yesterday, Google researchers announced the discovery of a security bug in version 3 of the Secure Sockets Layer protocol (SSLv3). This web technology is used to encrypt traffic between a browser and a web site, and can give hackers access to email, banking, social accounts and other services.

Poodle bites multiple users in unsecure open WiFi networks, like the ones you use at coffee shops, cafes, hotels, and airports.

“To exploit the vulnerability, you must be running javascript, and the attacker has to be on the same network as you—for example, on the same Starbucks Wi-Fi network you’re using,” explained Kim Zetter in a WIRED article.

Avast experts strongly recommend that our users protect themselves when using free WiFi with avast! SecureLine VPN.

Poodle is not considered as serious a threat as this past spring’s Heartbleed bug which took advantage of a vulnerability in OpenSSL, and or last month’s Shellshock bug in Unix Bash software.

SSLv3 is an outdated standard (it’s a decade and a half old), but some browsers, like Internet Explorer 6, and older operating systems, like Windows XP, only use the SSLv3 encryption method. Google’s security team recommends that systems administrators turn off support for SSLv3 to avoid the problem, but warns that this change will break some sites.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

Yahoo told to “pull your pants up” after Shellshock hack claims

Yesterday, security researcher Jonathan Hall, of a company called Future South Technologies, accused Yahoo of having suffered a serious security breach via the recently discovered Shellshock vulnerability in Bash.

The post Yahoo told to “pull your pants up” after Shellshock hack claims appeared first on We Live Security.

How to fix Shellshock Bash on Mac OS X: Mavericks edition

Apple Mac OS X users concerned about the Bash vulnerability dubbed Shellshock got some relief late yesterday as Apple published fixes for various versions of OS X. But if you use Mavericks you will need to install 10.9.5 before the Bash fix will work.

The post How to fix Shellshock Bash on Mac OS X: Mavericks edition appeared first on We Live Security.

Shellshock vulnerability: should we be concerned?

We are continually hearing about bugs and vulnerabilities that could potentially be serious. The latest one named ShellShock can potentially be used to remotely take control of almost any system that is using a software component called Bash. This sounds devastating and it course of could be, but don’t start running for the hills or deciding to unplug from the Internet quite yet though.

Bash is a software component that exists on many Linux systems including Apple’s Mac OSX. As Linux is the operating system used on a large number of the web servers, a bug like this could mean cybercriminals have the potential to exploit the vulnerability and cause harm to users of the web server or indeed to the company whose web server it is. They do this by inserting malware on the server that could potentially collect data, cracks passwords or do something particularly malicious.

At the time of writing this blog there is already a large number of patches available that address this vulnerability for servers and reputable companies have teams in place that watch for these alerts and update their servers to protect them and the users of the services they offer. A good example is our own security team here at AVG who immediately ran an audit to see if we had any servers that may have this vulnerability, and they have already confirmed that our servers are safe.

 

If you are a Mac user should you be concerned and what do you need to do?

Apple has, as expected, reacted quickly and is releasing an automatic update to OSX that users will be prompted to install. They have also made it clear that the issue does not affect the majority and is an issue for power users that take advantage of the advanced UNIX services within OSX. If the previous sentence has baffled you then you are in the group that Apple say are not at risk.

Even as a power user at home you are likely to be sitting behind a firewall that would detect someone trying to execute commands on your machine and they would be blocked. However bad guys may well try and trick users to into installing files that could leave them more vulnerable to attack, a good rule is to not click something that you don’t recognize and remember the update will only come directly from Apple. When you see the update appear through on your Mac, install it immediately so that you stay safe.

There are also other devices in our homes that run Linux. Many of the routers and broadband modems we use to connect to the Internet also utilize Linux as an operating system and because of this we recommend you watch for updates from those vendors and take the action to install them. If your router is provided by your ISP then they should push the update to the router automatically.

It is good practice to allow the automatic updates on your devices so that they are maintained by the manufacturer of the device to protect you from issues like this. Having up to date anti-virus software installed and active is also of paramount importance in today’s environment where more of our data than ever before is held by us on our devices. The protection provided will detect and block an exploit such as this where cybercriminals attempt to install malware on your machine. AVG’s Free Antivirus is available for Mac and PC users and can be downloaded from www.avg.com