Vendors and admins rush to patch OpenSSL vulnerability
Since news of the OpenSSL bug started to spread on Monday, administrators and vendors have made a mad scramble to patch the Heartbleed bug.
CSO - Since news of the OpenSSL bug started to spread on Monday, administrators and vendors have made a mad scramble to patch the Heartbleed bug, named for the flawed implementation of the heartbeat option in the cryptographic library.
On Monday, three researchers from Codenomicon and Neel Mehta (a Google staffer focused on security) detailed the flaw and the various problems it will create.
In short, the flaw allows anyone, anywhere on the Internet, to read the memory of systems running the vulnerable versions of OpenSSL in 64KB chunks. Doing so allows them to access information such as secret keys, usernames and passwords, and in some cases, content itself that would normally be protected.
Moreover, there is no limit to the number of 64KB chunks of memory that can be accessed, so the attacker can repeat the process as many times as they wish until they get the information they're after.
OpenSSL is used by millions of websites, so the flaw impacts almost everyone. Those not impacted by this two-year-old bug are immune either because their websites don't support SSL or because they're using outdated versions of OpenSSL; and both options are a problem on their own.
Dwayne Melancon, CTO of Tripwire, told CSO Online that the potential impact for Heartbleed is huge.
"OpenSSL is a widely used technology for secure communication over the Internet. In general, that means it was implemented to protect secure data and communications to prevent unauthorized access to information. This vulnerability means attackers can gain access to information, transactions, and other sensitive or valuable data with little restriction - it is very serious."
The flaw has existed for two years, and there are a number of mitigating factors that would leave a website immune to this problem.
At last check, 48 of the Alexa Top 1,000 were vulnerable to the Heartbleed issue. Then again, of the 952 domains not vulnerable, 512 of them are safe because they don't support SSL. The other 448 domains listed as not vulnerable are either patched, don't allow the heartbeat option, or are using an older implementation of OpenSSL.
Those with outdated installs are exposing the website and its users to a number of other potential risks, so the advice from experts is to update to the current version - Heartbleed vulnerability or not.
"The important thing to do is take a breath, update your system, and revoke your current SSL Keys and issue new ones. Patching systems is the easy part here - several major vendors, RedHat and Ubuntu included, have already issued updates to their package management systems," Tripwire's Tyler Reguly said.