IE, OAuth 2.0 and OpenID Vulnerabilities
May 5, 2014
 
SECURITY UPDATE:  Christian Community Credit Union Not Affected by Internet Explorer, OAuth 2.0 and OpenID
(Covert Redirect) Vulnerabilities

You may have recently heard on the news that Microsoft has confirmed a vulnerability in Internet Explorer (IE) versions 6-11. In addition, a vulnerability was also found in OAuth 2.0 ("Covert Redirect") and has been receiving significant attention from the press. This vulnerability has been known for some time, but this fresh round of attention could make attacks more common.
 
Christian Community Credit Union’s online, mobile and app banking are all secure and are not affected by the Internet Explorer, OAuth 2.0 and OpenID ("Covert Redirect") vulnerabilities. Below is additional information about these vulnerabilities:
 
Internet Explorer Vulnerability
 
How is the Internet Explorer vulnerability exploited?
An attack is triggered by luring a visitor to a specially crafted web page (much like a phishing attack). In other words, a user has to visit a malicious page to be attacked; merely having a vulnerable version of IE installed is not enough on its own.
Technical Information
The attack leverages a previously unknown "use after free" vulnerability (the browser keeps using a block of memory after that memory has been released, so attacker-controlled data can take its place) and bypasses both Windows DEP (data execution prevention) and ASLR (address space layout randomization) protections.
Where can I find more information about the IE vulnerability?
See Microsoft Security Bulletin MS14-021 (CVE-2014-1776).

Is there a patch for the IE vulnerability?
Microsoft has issued a patch for this vulnerability (Security Bulletin MS14-021, released May 1, 2014), and it should be installed through Windows Update as soon as possible. In addition, some antivirus companies, such as Symantec, have signatures to protect against this threat. Microsoft also states that versions of the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and above - a free Microsoft tool - can mitigate this vulnerability in Internet Explorer. This toolkit can be downloaded at
 
OAuth 2.0 and OpenID "Covert Redirect" Vulnerability
 
How is this vulnerability exploited?
OAuth 2.0 and OpenID let users log in to other sites and services with credentials from a site such as Facebook, Google, or Amazon. "Covert Redirect" abuses an open redirect on a legitimate site that accepts such logins, combined with identity providers that check only the domain of the address a login should return to rather than the exact registered address. An attacker crafts a link that starts a genuine Facebook or Google sign-in, so the user sees the real login and consent screen, but when the sign-in completes the token or authorization code is forwarded through the legitimate site's redirect page to a website the attacker controls. Depending on the level of access granted, it can expose a user's personal information, contacts, friends list, or in the case of Google Apps, stored data.
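The mechanism above, as an added example that is not part of the original notice and not code from any credit union, Facebook, Google or Amazon system: a small Python simulation of an identity provider whose redirect check compares only the host name, a client site with an open redirector, and the exact-match check that closes the hole. All names (idp.example, client.example, attacker.example, client-123, the token value) are made up.

```python
"""Covert Redirect simulation (added illustration, not any real provider's code).

Two ingredients make the attack work:
 1. The identity provider (IdP) checks only the host of redirect_uri, not the
    full URL that the client registered.
 2. The legitimate client site has an open redirector: a page that forwards the
    browser to whatever URL is named in its query string.
The attacker builds an authorize link whose redirect_uri points at the client's
redirector with the attacker's site as the forwarding target. The IdP approves
it, appends the access token, and the redirector hands the token to the attacker.
"""
from urllib.parse import urlsplit, parse_qs, urlencode

# Hypothetical registration data: one client with one exact callback URL.
REGISTERED_CLIENTS = {
    "client-123": {"redirect_uris": ["https://client.example/oauth/callback"]},
}


def weak_redirect_uri_ok(client_id, redirect_uri):
    """Host-only comparison: the lax check Covert Redirect relies on."""
    registered = REGISTERED_CLIENTS[client_id]["redirect_uris"]
    return urlsplit(redirect_uri).netloc in {urlsplit(u).netloc for u in registered}


def strict_redirect_uri_ok(client_id, redirect_uri):
    """Exact string match against the registered list (the fix)."""
    return redirect_uri in REGISTERED_CLIENTS[client_id]["redirect_uris"]


def authorize(authorize_url, check):
    """Simulated IdP: if redirect_uri passes `check`, return the Location the
    browser is sent to after the user grants access (implicit flow, so the
    token rides in the URL fragment). Return None if the request is rejected."""
    q = parse_qs(urlsplit(authorize_url).query)
    client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
    if not check(client_id, redirect_uri):
        return None
    token = urlencode({"access_token": "tok_victim_secret", "token_type": "bearer"})
    return redirect_uri + "#" + token


def client_open_redirector(location):
    """Simulated client page https://client.example/redirect?url=... that
    forwards to whatever `url` says. Browsers keep the fragment when following
    a redirect whose Location has none, so the token travels along."""
    parts = urlsplit(location)
    target = parse_qs(parts.query).get("url", [None])[0]
    if parts.netloc != "client.example" or parts.path != "/redirect" or target is None:
        return location  # not the redirector page; the browser stays put
    return target + ("#" + parts.fragment if parts.fragment else "")


def attacker_authorize_link():
    """Constructed attacker link: redirect_uri is on the *legitimate* client
    host, but it is the redirector page pointing at the attacker's site."""
    evil_redirect = "https://client.example/redirect?" + urlencode(
        {"url": "https://attacker.example/collect"})
    return "https://idp.example/authorize?" + urlencode({
        "response_type": "token",
        "client_id": "client-123",
        "redirect_uri": evil_redirect,
    })


def run(check):
    """Where does the victim's token end up under a given redirect_uri policy?
    Returns the final URL the browser lands on, or None if the IdP refused."""
    location = authorize(attacker_authorize_link(), check)
    if location is None:
        return None
    return client_open_redirector(location)


if __name__ == "__main__":
    print("host-only check  ->", run(weak_redirect_uri_ok))
    print("exact-match check ->", run(strict_redirect_uri_ok))
```

With the host-only check the final URL is on attacker.example and carries the token in its fragment; with exact matching the IdP refuses the request before any token is issued. The client-side half of the fix is to remove open redirectors (or restrict them to a fixed list of internal paths), since an attacker only needs one of the two weaknesses to be absent to be stopped.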
 
Where can I find more information about this?

Is there anything I need to know about this vulnerability?
Christian Community Credit Union’s partners for online, mobile and app banking do not use OAuth 2.0 or OpenID and are not impacted by this vulnerability. However, as a general rule, members should be careful when a site, email link or application asks them to connect via Facebook, Twitter, Google, or other sites that use OAuth 2.0 and OpenID. If a user suddenly gets an unexpected request for social-login information, that is the time to be wary.

© Copyright 2015, Christian Community Credit Union. All rights reserved.