Time-Sensitive Security Alerts
These are alerts regarding security updates, vulnerabilities, or other conditions that require immediate action by Stanford community members.
SSL version 3.0 Vulnerability - aka POODLE
A flaw was found in version 3 of the SSL protocol. The vulnerability, known as POODLE (Padding Oracle On Downgraded Legacy Encryption), allows attackers to decrypt data that you may have thought was being transmitted over a secure HTTPS / SSL connection. ISO recommends that all web servers be configured not to negotiate an SSLv3 connection.
More details can be read here
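One way to check a server configuration against this recommendation, as an added example that is not part of the original alert or any Stanford tooling: the script below flags Apache `SSLProtocol` and nginx `ssl_protocols` directives that leave SSLv3 enabled. The sample configurations are constructed, and treating Apache's `all` as including SSLv3 is an assumption that matches older mod_ssl builds.

```python
import re

# Assumption: on older mod_ssl builds "all" expands to a set that includes SSLv3.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.I)

def enabled_protocols(directive, args):
    """Return the set of protocol names a directive leaves enabled."""
    tokens = args.lower().split()
    if directive.lower() == "ssl_protocols":
        return set(tokens)              # nginx: an explicit list of protocols
    enabled = set()                     # Apache: tokens apply left to right
    for tok in tokens:
        name = tok.lstrip("+-")
        group = ALL if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= group            # "-SSLv3" or "-all" removes protocols
        else:
            enabled |= group            # "all", "+TLSv1.2" or "TLSv1.2" adds them
    return enabled

def audit(config_text):
    """Return (line number, directive) pairs that still allow SSLv3.

    Only explicit directives are checked; a file with no directive at all
    falls back to the server's built-in default, which this does not judge.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)       # commented-out lines do not match
        if m and "sslv3" in enabled_protocols(m.group(1), m.group(2)):
            findings.append((line_no, line.strip()))
    return findings

# Constructed sample configurations: weak setting beside the corrected one.
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"
NGINX_WEAK = "server {\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"

if __name__ == "__main__":
    for name, cfg in [("apache weak", APACHE_WEAK), ("apache fixed", APACHE_FIXED),
                      ("nginx weak", NGINX_WEAK), ("nginx fixed", NGINX_FIXED)]:
        print(name, audit(cfg) or "SSLv3 not enabled")
```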
Critical updates for Apple OS X
Apple has released patches for Mac OS X 10.7, 10.8 and 10.9 that address a critical security vulnerability that was first announced February 21, 2014 and which could allow an attacker to capture or modify data exchanged over a secure connection, such as financial transactions in a web browser. Security researchers have demonstrated that this vulnerability can be exploited, and that data can in fact be stolen from encrypted web sessions.
Stanford's Information Security Office recommends that you update your Mac systems as soon as possible to protect your personal privacy and security, as well as to protect the University's data.
These updates will be automatically installed by Stanford's BigFix service on any managed Mac system that has not been updated by April 4, 2014, and you will be prompted to reboot at your earliest convenience to complete the update.
If your Mac is not managed with BigFix or if you would like to apply the update earlier, you should select "Software Update" from the Apple menu, install all system updates, and restart your computer.
Users of Mac OS X 10.9 will need to upgrade to Mac OS X 10.9.2. Users of Mac OS X 10.7 or 10.8 will only need to install Security Update 2014-001, but should take the opportunity to install all available updates.
Critical updates for Apple iOS devices
Apple released information about a vulnerability in iOS in February wherein an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. This vulnerability is described in detail at the National Vulnerability Database and has received significant media coverage. The Information Security Office recommends that you update software on affected devices as soon as possible.
- Back up your device prior to updating.
- If you have an iPhone 4 or later, iPod touch (5th generation), or iPad 2 or later, please upgrade to iOS 7.0.6. Apple does not support updating a device that is eligible for iOS 7 to iOS 6.1.6.
- If you have an iPhone 3GS or iPod touch (4th generation), please update to iOS 6.1.6.
- Update by opening your Settings app, navigating to the General tab, and selecting Software Update.
By performing this update you will help protect your personal privacy and security as you conduct business on-line, and you will also help protect the University's data.
Compliance deadlines for Stanford computers
Stanford's Vice President of Business Affairs recently announced a mandate for new minimum security requirements that include encryption of all computers and migration away from Windows XP. If you have a computer that cannot comply with the new requirements, you can request a compliance exception.