There's several really important updates released today, but this TLS bug patch is extremely critical.
It's absolutely, must patch now, for anyone running a server exposed to the Internet. However it's also a serious problem for workstation versions of Windows because apparently a malicious site running SSL could exploit this to gain full access to your PC (a total drive-by attack with no defense).
No excuse to wait. Update now.
http://arstechnica.com/security/2014/11 ... patch-now/
Potentially catastrophic bug bites all versions of Windows. Patch now!
-
FlyingPenguin
- Flightless Bird
- Posts: 32782
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
Potentially catastrophic bug bites all versions of Windows. Patch now!
Christians warn us about the anti-christ for 2,000 years, and when he shows up, they buy a bible from him.
-
Executioner
- Life Member
- Posts: 10140
- Joined: Wed Nov 22, 2000 11:34 am
- Location: Woodland, CA USA
-
FlyingPenguin
- Flightless Bird
- Posts: 32782
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
BTW: I've asked Steve Gibson to confirm that I'm reading this right, but this is a flaw in the SSL/TLS protocol in the Windows kernel. As such, I believe it would affect ANY browser (not just IE). It would actually affect ANY application using SSL/TLS, like email (if you connect to a POP3 server that uses SSL), a VPN, etc.
As such, this is the kiss of death for WinXP once the bright hackers out there figure out how to reverse engineer it.
The only hope would be if you install the Windows XP Embedded POS registry hack, and that's one of the updates included for WinXP Embedded (it should be).
I have hesitated to recommend that hack because it might break something someday, but it still works and so far no one has reported any problems with it.
Just for grins I'm going to install the hack on my WinXP workbench PC (all I use it for is to recover data from dead hard drives) and see if that update (KB2992611) is available via Windows Update on it.
I'll let you all know.
As such, this is the kiss of death for WinXP once the bright hackers out there figure out how to reverse engineer it.
The only hope would be if you install the Windows XP Embedded POS registry hack, and that's one of the updates included for WinXP Embedded (it should be).
I have hesitated to recommend that hack because it might break something someday, but it still works and so far no one has reported any problems with it.
Just for grins I'm going to install the hack on my WinXP workbench PC (all I use it for is to recover data from dead hard drives) and see if that update (KB2992611) is available via Windows Update on it.
I'll let you all know.
Christians warn us about the anti-christ for 2,000 years, and when he shows up, they buy a bible from him.
-
FlyingPenguin
- Flightless Bird
- Posts: 32782
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
Yup, it's there. I just installed the registry hack, and turned Automatic Updates back on (notify only, not install automatically). Waited a few minutes and the little Windows Update icon appeared in the task bar with several dozen new updates for "POSReady" which is the name of WinXP embedded that the hack makes Windows XP emulate.
Scrolled down through the list and found KB2992611, which is the patch for this SSL/TLS bug. Here's a screenshot:
I just selected that one update and installed it. This is my workbench PC and is used only for recovering data off hard drives, and imaging drives. I occasionally use it to browse for technical info when working on a problem with a PC (using Firefox) so I figure I should have this patch, but I don't care about any other updates.
Scrolled down through the list and found KB2992611, which is the patch for this SSL/TLS bug. Here's a screenshot:
I just selected that one update and installed it. This is my workbench PC and is used only for recovering data off hard drives, and imaging drives. I occasionally use it to browse for technical info when working on a problem with a PC (using Firefox) so I figure I should have this patch, but I don't care about any other updates.
Christians warn us about the anti-christ for 2,000 years, and when he shows up, they buy a bible from him.
-
FlyingPenguin
- Flightless Bird
- Posts: 32782
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
For those that want to install the registry hack, instructions here:
http://www.pcworld.com/article/2310301/ ... lling.html
For those of you without technical skills (or plain lazy) here's a link to download a registry file from my FTP server. Just extract it from the Zip file and double click the file it contains ( XPEMBEDDED.REG ). Reboot not required, but I did it anyway. Make sure you turn automatic updates back on (on manual if you just want to pick and choose).
I make no promises this won't cause problems somewhere down the road, and Microsoft warns that these updates may not be compatible with other flavors of XP, but people have been using this for a year and getting updates with no problems. Also Microsoft has not blocked this in their Windows Update server, which they could easily do, so I suspect this is their way of kindly allowing people in the know to do this - at least for now. Nothing to lose anyway since XP has a bullet in the head without this patch.
If you want to play safe and not risk problems with other updates, then the only patch you really need is KB2992611. Just don't use Internet Explorer EVER on an XP machine, and you'll be fine... until the next major bug appears.
Link to registry hack: http://soldcentralfl.com/bob/tools/XPEmbedded.zip
NOTE: Your Anti-Virus may try to keep you from installing this as it does modify your registry, and thus will appear as a potential threat. You may need to temporarily disable your AV (AVAST didn't give me any problems on my PC).
http://www.pcworld.com/article/2310301/ ... lling.html
For those of you without technical skills (or plain lazy) here's a link to download a registry file from my FTP server. Just extract it from the Zip file and double click the file it contains ( XPEMBEDDED.REG ). Reboot not required, but I did it anyway. Make sure you turn automatic updates back on (on manual if you just want to pick and choose).
I make no promises this won't cause problems somewhere down the road, and Microsoft warns that these updates may not be compatible with other flavors of XP, but people have been using this for a year and getting updates with no problems. Also Microsoft has not blocked this in their Windows Update server, which they could easily do, so I suspect this is their way of kindly allowing people in the know to do this - at least for now. Nothing to lose anyway since XP has a bullet in the head without this patch.
If you want to play safe and not risk problems with other updates, then the only patch you really need is KB2992611. Just don't use Internet Explorer EVER on an XP machine, and you'll be fine... until the next major bug appears.
Link to registry hack: http://soldcentralfl.com/bob/tools/XPEmbedded.zip
NOTE: Your Anti-Virus may try to keep you from installing this as it does modify your registry, and thus will appear as a potential threat. You may need to temporarily disable your AV (AVAST didn't give me any problems on my PC).
Christians warn us about the anti-christ for 2,000 years, and when he shows up, they buy a bible from him.
-
Executioner
- Life Member
- Posts: 10140
- Joined: Wed Nov 22, 2000 11:34 am
- Location: Woodland, CA USA