DigiCert Blog

All posts under: Vulnerabilities

  1. FREAK Attack: What You Need to Know

    Currently known as ‘FREAK,’ this vulnerability (CVE-2015-0204) allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography. This export-grade cryptography includes out-of-date encryption key lengths that can then easily be decrypted. This vulnerability does not effect on SSL Certificates and does not require any action related to…


  2. Superfish-like Behavior Found Again with Komodia and PrivDog

    Since last week’s Superfish revelation, researchers have unveiled additional adware and security applications that also subvert HTTPS and our system of online trust. Komodia/Lavasoft Komodia is an SSL interception module for Windows that is installing a self-signed CA root certificate onto local operating system root stores. Compounding matters, Komodia uses duplicate digital certificates across all…


  3. Lenovo’s Superfish Adware and the Perils of Self-Signed Certificates

    Late last night, reports started coming out that Lenovo was shipping PCs with man-in-the-middle adware that breaks HTTPS connections. Lenovo, like most manufacturers, ships its PCs with pre-installed software. In this case, the software is Superfish, which inserts visual advertisements into web pages such as Google search results. And while this pre-installed adware is annoying…


  4. OpenSSL Patches Security Vulnerabilities

    SSL Announcement

    Early this morning, OpenSSL released four patches for new security vulnerabilities found in OpenSSL versions 1.0.1 and 0.9.8. These patches fix a total of eight vulnerabilities, two of which are rated moderate and the others are considered low risk. According to the OpenSSL advisory, none of the vulnerabilities allow for remote code execution; however, the…


  5. Patch Tuesday: WinShock Vulnerability

    Today, as part of Microsoft’s Patch Tuesday, a vulnerability was announced that could allow remote code execution on a large number of Windows platforms, including Windows server platforms. Currently known as ‘WinShock,’ this security flaw (MS14-066) is a vulnerability in the Microsoft Secure Channel (Schannel) security package. Administrators are being urged to patch immediately even…