Microsoft Security Alert: Internet Explorer Browser

A very serious security vulnerability has been identified with Microsoft Internet Explorer browsers that could severely impact systems. The vulnerability was classified as a zero-day exploit as there are presently no available patches to address the security flaw. Microsoft is aware of the vulnerability and has released a security advisory to track this issue. Threat actors are actively using this exploit. This is a significant zero-day exploit as the vulnerable versions represent about a quarter of the total browser market. All versions of Microsoft Internet Explorer appear to be vulnerable. UMass Lowell Information Technology (IT) is monitoring the network for signs of this particular exploit. In the meantime, we strongly urge everyone to use other Internet browsers if possible. Examples of browsers to use are Mozilla Firefox, Apple Safari and Google Chrome. If you do not have a secondary Internet browser on your system, please contact the Help Desk and they will assist you in downloading an additional browser.

What else can we do to protect ourselves?

UMass Lowell IT recommends all users refrain from using Internet Explorer at home or at work until an approved patch has been applied. UMass Lowell IT will see that the patch is applied for all Windows systems on Active Directory. You should take the necessary steps to apply the approved patch once it becomes available on all other personally owned Windows devices.

Don’t be lured by Phishing

This particular vulnerability is exploited by visiting nefarious and fraudulent web sites. Remember never, ever click on any link or open any attachment that is sent to you via email unless you know the individual or entity and were expecting the message and the attachment or link.

What if I have a question?

Contact the Help Desk at 978-934-HELP.

If you have additional security concerns, please email itsecurity@uml.edu

Security Notice: Heartbleed Bug Poses OpenSSL Vulnerability

WHEN April 7, 2014, ongoing
WHAT On Monday, April 7, 2014, the OpenSSL Project announced a serious vulnerability in OpenSSL, called Heartbleed, that can expose data on systems running OpenSSL.
OpenSSL is one of the most popular data encryption tools for Web traffic, and as a result, the effects of this vulnerability are wide-ranging.
OpenSSL has released a fix for Heartbleed, included in version 1.0.1g. Server administrators using OpenSSL should update their version immediately either through OpenSSL or their applicable vendor.
WHO IS AFFECTED Server Administrators, General Public
NEXT STEPS We recommend that Campus Server Administrators:
1. Update OpenSSL through OpenSSL or your vendor.
A list of vendors and their current status is available through US-CERT:
OpenSSL updates are available through their source page:
2. Generate a new private key for a new SSL certificate.
3. Install a new SSL certificate with the new key.
4. (As applicable) Notify users when service(s) is/are no longer vulnerable.
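
For server administrators, steps 1 to 3 as shell functions. This is an added example, not part of the original notice or of OpenSSL's own tooling; the function names, file names and certificate subject are placeholders chosen here. The affected range it encodes (upstream 1.0.1 through 1.0.1f and 1.0.2-beta1) comes from the OpenSSL advisory.

```shell
#!/bin/sh
# Added example; file names and the subject passed in are placeholders.

# heartbleed_status VERSION
# Accepts the first line of `openssl version` or a bare version string and
# prints: affected | fixed | not-affected | unknown (not classified here).
# The verdict is for upstream version numbers only. Vendor packages may carry
# a backported fix under an older version string, so confirm an "affected"
# result against the vendor's own status before and after updating.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    [ -n "$ver" ] || ver=$1
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo affected ;;
        1.0.1[g-z]*)                               echo fixed ;;
        0.9.*|1.0.0*)                              echo not-affected ;;
        *)                                         echo unknown ;;
    esac
}

# new_key_and_csr KEYFILE CSRFILE SUBJECT
# Step 2: a fresh 2048-bit RSA key (never reuse the old one) and a CSR for it.
# Runs in a subshell so the restrictive umask does not leak to the caller.
new_key_and_csr() (
    umask 077                      # key file readable by its owner only
    openssl genrsa -out "$1" 2048 &&
    openssl req -new -sha256 -key "$1" -out "$2" -subj "$3"
)

# cert_matches_key CERTFILE KEYFILE
# Step 3 check: succeeds only if the issued certificate carries the new key,
# which catches a certificate reissued against the old key by mistake.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 2
    k=$(openssl rsa  -noout -modulus -in "$2") || return 2
    [ "$c" = "$k" ]
}
```

Typical use after patching: heartbleed_status "$(openssl version)", then new_key_and_csr new.key new.csr "/CN=www.example.edu", and cert_matches_key new.crt new.key once the CA returns the certificate.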
We recommend that students, faculty, and staff:
1. Do not change any passwords to UMass Central IT services until you receive notice later this week that all IT services have been patched. If you have already changed your password, you will need to change it again after UMass IT confirms that all services have been patched.
For any non-UMass IT services:
1. Do not change your passwords or transmit data to secure Web sites or services that you normally use until you have received an official announcement from them regarding a security update.
2. After you’ve confirmed that the site or service has installed a security update, change your passwords.
3. For at least the next week, monitor your sensitive online accounts (banking, email) for suspicious activity.
RELATED OpenSSL Security Advisory:
OpenSSL Updates:
Codenomicon Summary:
US-CERT Vulnerability Note: