4 IT Security Stories to Watch: Covert Redirect, IE Vulnerabilities

This week's top IT security stories for managed service providers (MSPs) include news about the Covert Redirect, Microsoft (MSFT) Internet Explorer (IE) web browser and Heartbleed security flaws. Here's a complete breakdown of this week's IT security news for MSPs.

Dan Kobialka, Contributing writer

May 5, 2014

The "Covert Redirect," Microsoft (MSFT) Internet Explorer (IE) Web browser and Heartbleed security vulnerabilities are three of the top stories for MSPs to watch this week.

Many managed service providers (MSPs) were busy last week – Microsoft (MSFT) fixed the Internet Explorer (IE) Web browser zero-day vulnerability identified by FireEye Research Labs, and a new problem, Covert Redirect, was hitting the news on Monday morning. Here’s a look at what you need to know in IT security today.

The recent discovery of several new security flaws has put many users on edge. Expect more news this week about OAuth 2.0, OpenID and Heartbleed exploits.

Here’s a look at four stories for MSPs to watch this week:

1. The “Covert Redirect” vulnerability
As Microsoft released a patch for the IE zero-day exploit, news about the “Covert Redirect” vulnerability broke. The Covert Redirect security flaw reportedly affects OAuth 2.0 and OpenID customers, including Google (GOOG), Facebook (FB) and LinkedIn (LNKD).

A dedicated Covert Redirect website has already been launched and provides details about the security bug and its impact:

“For OAuth 2.0, these attacks might jeopardize ‘the token’ of the site users, which could be used to access user information … For OpenID, the attackers may get [a] user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved.”

Wang Jing, a PhD student at Singapore’s Nanyang Technological University, discovered the security vulnerability and even posted a YouTube video about it. Jing said it could be difficult for organizations to patch the bug.

“The patch of this vulnerability is easier said than done,” Jing wrote in a blog post. “If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.”
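The whitelist approach mentioned in the quote above can be sketched as a redirect URI check. This is an added example, not code from the article or from any OAuth provider. The client ID, the URLs and the loose domain-only check used for contrast are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed registration table for a hypothetical client (not from the article).
REGISTERED = {
    "client-123": {"https://app.example.com/oauth/callback"},
}

def domain_only_check(client_id: str, redirect_uri: str) -> bool:
    """Loose validation: accept any URL whose host matches a registered one."""
    host = urlsplit(redirect_uri).hostname
    return host is not None and any(
        urlsplit(r).hostname == host for r in REGISTERED.get(client_id, ())
    )

def exact_allowlist_check(client_id: str, redirect_uri: str) -> bool:
    """Strict validation: https only, no fragment or userinfo, and an
    exact string match against a pre-registered redirect URI."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.fragment or "@" in parts.netloc:
        return False
    return redirect_uri in REGISTERED.get(client_id, set())

# Constructed redirect_uri values as they might arrive in authorization requests.
SAMPLES = [
    "https://app.example.com/oauth/callback",                     # registered
    "https://app.example.com/oauth/callback?next=/home",          # extra query
    "https://app.example.com/go?url=https://other.example.net/",  # other path
    "https://app.example.com/oauth/callback#frag",                # fragment
    "https://other.example.net/oauth/callback",                   # other host
]

def compare(client_id: str = "client-123"):
    """Return (uri, loose_result, strict_result) for every sample."""
    return [
        (u, domain_only_check(client_id, u), exact_allowlist_check(client_id, u))
        for u in SAMPLES
    ]

if __name__ == "__main__":
    for uri, loose, strict in compare():
        print(f"loose={loose!s:5} strict={strict!s:5} {uri}")
```

Only the first sample passes the strict check, while the loose check accepts every URL on the registered host.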

2. “Operation Clandestine Fox” and the IE security flaw
Microsoft patched the IE security flaw last week, but how long will it take MSPs and other organizations to fully recover from “Operation Clandestine Fox”? It’s still unknown how seriously this zero-day exploit affected IE users across the globe.

“The security of our products is something we take incredibly seriously, so the news coverage of the last few days about a vulnerability in Internet Explorer (IE) has been tough for our customers and for us,” Adrienne Hall, Microsoft’s general manager of trustworthy computing, wrote in a May 1 blog post.

On May 1, Microsoft released a security patch for IE users. The company rated the fix as “critical” and noted IE users who are signed up for automatic updates would receive the security protections automatically.

3. Details about the Heartbleed security flaw
More details are now available about Heartbleed, the OpenSSL security flaw that threatened MSPs’ customer data last month. Pew Research Center’s Internet and American Life Project last week reported 60 percent of adults have heard about Heartbleed.

Other key findings from Pew Research Center included:

  • 39 percent of Internet users said that after they learned of the online security problems caused by Heartbleed, they took steps to protect their online accounts by changing their passwords or canceling their accounts.

  • 29 percent of Internet users believed their personal information was put at risk because of Heartbleed.

  • 6 percent of Internet users said they believed their personal information was stolen due to Heartbleed.

Sucuri Security said most websites have already fixed Heartbleed, but more details about the OpenSSL security flaw are likely to become available soon.

4. Kaspersky Lab C-level executive shakeup continues
Five Kaspersky Lab C-level executives have left the company in the past month. Nikolay Grebennikov and Steve Orenberg, Kaspersky Lab’s chief technology officer and its president of Kaspersky Lab North America, respectively, were two of the longtime executives to leave the company.

Kaspersky Lab spokesperson Alejandro Arango told Reuters that Grebennikov and Orenberg left by mutual agreement with the company. However, Kaspersky said he disagreed with Orenberg “about business strategy.”

Orenberg, meanwhile, told Reuters this about his exit:

“There was a difference of opinion. We basically very politely agreed to disagree on what we needed to do. It made sense for me to make an exit, and the company needed to do what it needed to do.”

Kaspersky has lofty goals for 2014 and recently announced several new business strategies, planned solutions and security technologies. As the world’s largest privately held vendor of endpoint protection solutions, Kaspersky will continue to search for ways to extend its reach in the enterprise IT security market, despite its C-level leadership changes.

What do you think will be the biggest IT security stories for MSPs this week? Share your thoughts in the Comments section below, via Twitter @dkobialka or email me at [email protected].

About the Author

Dan Kobialka

Contributing writer, Penton Technology

Dan Kobialka is a contributing writer for MSPmentor and Talkin' Cloud. In the past, he has produced content for numerous print and online publications, including the Boston Business Journal, Boston Herald and Patch.com. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State College (now Bridgewater State University). In his free time, Kobialka enjoys jogging, traveling, playing sports, touring breweries and watching football (Go Patriots!).  
