unpatched MS Windows 8.1 vulnerable to OpenSSL 'Heartbleed'

I run a Windows machine at home, and had a security update to install. Reading MS's notes on the upgrade [0] [1], I was surprised to see that it is a patch for OpenSSL, which is used in a Junos VPN client [2] that is embedded in installation of Windows 8.1. I wonder how many other VPN endpoints there are out there, still running vulnerable versions of OpenSSL.

[0] http://support.microsoft.com/kb/2964757
[1] https://technet.microsoft.com/library/security/2962393
[2] http://www.juniper.net/techpubs/en_US/junos-pulse5.0/information-products/pa...

On 08/05/14 21:43, Andrew Spiers wrote:
> I run a Windows machine at home, and had a security update to install. Reading MS's notes on the upgrade [0] [1], I was surprised to see that it is a patch for OpenSSL, which is used in a Junos VPN client [2] that is embedded in installation of Windows 8.1.
> I wonder how many other VPN endpoints there are out there, still running vulnerable versions of OpenSSL.

That's only vulnerable if you connect to a malicious VPN endpoint, who could then read traffic (which it can anyway) or the session key (possibly a user key, depends on how auth is configured).

Participants (2): Andrew Spiers, Julien Goodwin