Security Announcement: Update your Browser

AGUK wishes to draw to your immediate attention that this week (21 March 2011) there was a potential security breach in the trust of SSL certificates.

SSL certificates are issued by Certificate Authorities (CAs). The CA is responsible for ensuring the certificate is issued correctly and in accordance with industry standards.

When using a website where you provide sensitive information or login details you are protected by SSL technology. This technology encrypts the connection between you and the server. It also asserts that you are connected to a legitimate website.

Comodo, the CA that issued the suspect certificates via a partner, released information on 24 March 2011 that several certificates had been issued to a fraudulent organisation, potentially based in Iran. This means that an attacker could direct you to an imitation of one of these sites and successfully pass it off as genuine with a valid SSL certificate.

The affected websites are listed below:

  • mail.google.com
  • www.google.com
  • login.live.com
  • addons.mozilla.org
  • login.skype.com
  • login.yahoo.com

Because of the risk associated with these links the major browser vendors have issued an update to hard-block access to them if they are using one of the fraudulently obtained SSL certificates. Access to legitimate websites will be unaffected.

Google Apps Customers
You can see that some of the affected websites include the Google links associated with your Google Apps account. It is therefore extremely important that you update your browser as soon as possible.

Updating Your Browser
In most cases your browser may have already automatically updated itself. Internet Explorer updates via Windows Update, with the frequency dependent upon individual PC settings. Both Chrome and Firefox can verify whether they are running the latest version via the Help menu.

The latest versions can be downloaded from the links below:

If you use an alternative browser please contact its manufacturer for support and information about any updates it has supplied to counter this threat.

Update your Anti Virus
Make sure your anti-virus software is up to date. Anti-Virus solutions such as PrevX can help provide zero-hour protection against threats such as these. This particular solution can now be supplied by AGUK as one of its newly added services.

Questions or Concerns
If you have any questions or concerns about this update please post your comments below so they can be shared. If you would prefer private support please email [email protected].

Further Reading
If you are interested in the more technical aspects of this issue please click here for information provided by Symantec.

 

Internet Explorer Security Update

This is a follow up to our article on the Internet Explorer Security Scare sent earlier this week. Microsoft has now released a security patch to fix its weakness. Depending on your system’s update settings, this should have been downloaded by Windows. However, to check and ensure you have the patch installed, here is AGUK’s advice.

INTERNET EXPLORER LATEST UPDATE
Windows XP Users: Go to Windows Update website and follow the steps given.

Windows Vista and Windows 7 Users: Click Start and in the search box type "Windows Update" then press Enter.

In either case you will see the critical updates available. If none are displayed then your system is up to date.

FUTURE SECURITY PRECAUTION
If your computer is not set to receive automatic updates then I recommend you immediately rectify this. It is crucial for any system to automatically download and install updates daily. For more information about how to do this please click here (Microsoft Website).

CURRENT SECURITY STATUS
After you have installed this latest patch from Microsoft you can, if you wish, adjust Internet Explorer and change your browsing security from High security to Medium-High. Alternatively leave the Internet zone setting at High and instead add any trusted sites not displaying correctly at this level to your “Trusted sites” section. To do this take the following action:

Windows XP Users: Click Start > Run and type inetcpl.cpl then press Enter.

Windows Vista and Windows 7 Users: Click Start and in the search box type inetcpl.cpl then press Enter.

In either case then click the Security tab and select the “Trusted sites” zone as per the diagram below.

Diagram of required steps to take. 

FINAL SAFEGUARD
AGUK recommends you maintain up-to-date AntiVirus software and never open email attachments, or follow links in emails to unknown websites. Also, whenever you receive an update or security patch, ensure your system is set to restart automatically after installing it, or do this manually. This will ensure the update takes effect immediately.

 

Internet Explorer Security Scare

You may have seen, or heard, news coverage about a significant security problem with Windows Internet Explorer. Following Microsoft’s admission that Internet Explorer was used to hack Google, the German Government warned against using Internet Explorer. Now France has issued a similar warning.

INTERNET EXPLORER SCARE
Internet Explorer is the web browsing software used by many to access the internet. If you use this browser, the current flaw allows hackers who exploit it to access files on your computer, to log the keystrokes you make, and to redirect you to specific websites. However, the advice from AGUK is not to panic but to be cautious.

To take any such advantage of a compromised system, a hacker must get you to either visit a specific website, or install a browser add-on. Depending on your security settings, this add-on (unlike software browser add-ons known as ActiveX controls) can be installed without you knowing. It is also undetected by current anti-virus software.

AGUK’s Security Action Plan
If you do not know which type of browser you are using click here and visit our browser test page. If you are using Internet Explorer there are steps you can take to reduce the risk of falling victim to Internet Explorer’s browsing weakness.

(1) Alternative Browser
You could install and use an alternative web browser. AGUK recommends Google Chrome. This lightweight browser is faster than Internet Explorer and is growing in popularity. This would not necessitate the removal of Internet Explorer.

(2) Run Internet Explorer in Safe Mode with add-ons disabled
It is possible to run Internet Explorer with all add-ons disabled. This will help prevent your browser being susceptible to this latest attack. The simplest way to do this is by creating a shortcut on your desktop. Here’s how:

Close down all open programs, then right-click on your desktop and select: [New > Shortcut]. Then in the box labelled "Type the location of the item" paste the following text exactly, including the quotes:

"%ProgramFiles%\Internet Explorer\iexplore.exe" -extoff

After you have done that click [Next] and then [Finish]. A new shortcut will now be on your desktop called iexplore.exe. When you use this shortcut you will see that Internet Explorer is launched with all add-ons and ActiveX controls disabled. In this mode it is possible some websites will not display correctly, but this is the price you must pay until the security hole is closed by Microsoft.

(3) Enable High Security level in Internet Explorer
It is recommended you follow this process in conjunction with option 2 above.

Windows XP Users: Click Start > Run and type inetcpl.cpl then press Enter.

Windows Vista and Windows 7 Users: Click Start and in the search box type inetcpl.cpl then press Enter.

You should now see the Internet Properties window. Click on the Security tab, select Internet from the zones and then move the slider to High as per the image below. Make sure you click OK once you have changed these settings.
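
Options 2 and 3 can also be scripted and checked from PowerShell. The following is an added example, not part of AGUK's original instructions; the shortcut file name is a hypothetical choice, and the registry path and level values are the standard Windows per-user Internet zone settings.

```powershell
# Added example (not AGUK's own script). Run as the logged-on user.

# Option 2: desktop shortcut that starts Internet Explorer with add-ons disabled.
$ie = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
if (-not (Test-Path $ie)) { throw "iexplore.exe not found at $ie" }

$desktop  = [Environment]::GetFolderPath('Desktop')
$linkPath = Join-Path $desktop 'IE (No Add-ons).lnk'   # hypothetical file name
$shell    = New-Object -ComObject WScript.Shell
$link     = $shell.CreateShortcut($linkPath)
$link.TargetPath  = $ie          # the shortcut stores the path; no manual quoting needed
$link.Arguments   = '-extoff'    # plain ASCII hyphen, not a typographic dash
$link.Description = 'Internet Explorer with add-ons disabled'
$link.Save()

# Read the shortcut back to confirm exactly what it will launch.
$check = $shell.CreateShortcut($linkPath)
"Shortcut: {0} {1}" -f $check.TargetPath, $check.Arguments

# Option 3: report the Internet zone (zone 3) security level for this user.
# The slider in Internet Properties writes many per-action values as well as
# CurrentLevel, so this script only reads the level and leaves changing it
# to the slider. Machines managed by policy may take their settings elsewhere.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$levels  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
              0x11500 = 'Medium-high'; 0x12000 = 'High' }

$current = [int](Get-ItemProperty -Path $zoneKey -Name CurrentLevel).CurrentLevel
$name = $levels[$current]
if (-not $name) { $name = 'Custom' }   # individual settings were changed by hand

if ($name -eq 'High') {
    "Internet zone level: High"
} else {
    "Internet zone level: $name - move the slider to High in inetcpl.cpl > Security"
}
```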

If you have any questions or concerns about this issue please let us know in the comments.