Vendors and admins rush to patch OpenSSL vulnerability
Since news of the OpenSSL bug started to spread on Monday, administrators and vendors have made a mad scramble to patch the Heartbleed bug.
CSO - Since news of the OpenSSL bug started to spread on Monday, administrators and vendors have made a mad scramble to patch the Heartbleed bug, named for the flawed implementation of the heartbeat option in the cryptographic library.
On Monday, three researchers from Codenomicon and Neel Mehta (a Google staffer focused on security) detailed the flaw and the various problems it will create.
In short, the flaw allows anyone, anywhere on the Internet, to read the memory of a process using a vulnerable version of OpenSSL, up to 64 KB per request. That memory can hold the server's private keys, usernames and passwords, and in some cases the content itself that the encryption was supposed to protect.
Moreover, there is no limit on how many times the request can be sent, so an attacker can keep pulling 64 KB chunks of memory until the information they are after turns up.
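The mechanism behind the 64 KB figure is a missing bounds check in the heartbeat handler. The block below is an added illustration written for this article, not code from the article or from OpenSSL: it models the logic of the vulnerable handler (trusting the two-byte payload length the peer supplies) beside the logic of the fix (rejecting any request whose claimed length does not fit the record that actually arrived). The "arena" standing in for process memory, the planted secret, and the helper names are all constructed for the example; the real over-read in OpenSSL ran off the end of the record into whatever the heap held.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define ARENA_SIZE       4096

/* Constructed stand-in for process memory: the received record occupies the first
 * record_len bytes and whatever sits after it (here a secret planted by the caller)
 * is the kind of data a real server would leak from its heap. */
typedef struct {
    unsigned char mem[ARENA_SIZE];
    size_t record_len;
} arena_t;

static unsigned int n2s(const unsigned char *p) { return ((unsigned int)p[0] << 8) | p[1]; }
static void s2n(unsigned int v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Build a heartbeat request whose header claims `claimed_len` payload bytes while
 * carrying only `actual_len`, then plant `secret` in the memory just past it. */
void build_request(arena_t *a, unsigned int claimed_len, size_t actual_len, const char *secret) {
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = TLS1_HB_REQUEST;
    s2n(claimed_len, a->mem + 1);
    memset(a->mem + 3, 'A', actual_len);             /* the payload bytes that really arrived */
    a->record_len = 1 + 2 + actual_len + HB_PADDING; /* padding left as zeros */
    memcpy(a->mem + a->record_len, secret, strlen(secret));
}

/* Modeled on the 1.0.1 through 1.0.1f handler: the peer-supplied length is trusted and
 * used as the copy size. Returns the response length, or -1 if the message is not a request. */
int heartbeat_vulnerable(const arena_t *a, unsigned char *out, size_t out_cap) {
    const unsigned char *p = a->mem;
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    /* Clamped to the arena only so this demo stays memory-safe; the real code read
     * straight past the record into adjacent heap memory. */
    size_t avail = ARENA_SIZE - 3;
    size_t n = payload < avail ? payload : avail;
    out[0] = TLS1_HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, p, n);                           /* the over-read: n far exceeds the record */
    memset(out + 3 + n, 0, resp_len - 3 - n);
    return (int)resp_len;
}

/* Modeled on the 1.0.1g fix: check the claimed length against the record that actually
 * arrived and silently discard the message if it does not fit. */
int heartbeat_fixed(const arena_t *a, unsigned char *out, size_t out_cap) {
    if (a->record_len < 1 + 2 + HB_PADDING) return -1;
    const unsigned char *p = a->mem;
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(p);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return -1;
    if (1 + 2 + (size_t)payload + HB_PADDING > a->record_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    s2n(payload, out + 1);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Byte search so a caller can check whether a response carries the planted secret. */
int response_contains(const unsigned char *buf, int len, const char *needle) {
    size_t nl = strlen(needle);
    if (len < 0 || (size_t)len < nl) return 0;
    for (size_t i = 0; i + nl <= (size_t)len; i++)
        if (memcmp(buf + i, needle, nl) == 0) return 1;
    return 0;
}

/* Run one request through either handler. Returns -1 if the request was discarded,
 * 1 if the response contains the planted secret, 0 if it was answered without a leak. */
int run_heartbeat(int use_fixed, unsigned int claimed_len, size_t actual_len) {
    static arena_t a;
    static unsigned char out[1 + 2 + 0xFFFF + HB_PADDING];
    const char *secret = "session=deadbeef; user=alice"; /* constructed secret */
    build_request(&a, claimed_len, actual_len, secret);
    int n = use_fixed ? heartbeat_fixed(&a, out, sizeof out)
                      : heartbeat_vulnerable(&a, out, sizeof out);
    if (n < 0) return -1;
    return response_contains(out, n, "user=alice") ? 1 : 0;
}

int main(void) {
    printf("vulnerable, claimed 65535 / sent 1: %d\n", run_heartbeat(0, 0xFFFF, 1));
    printf("fixed,      claimed 65535 / sent 1: %d\n", run_heartbeat(1, 0xFFFF, 1));
    printf("fixed,      honest request:         %d\n", run_heartbeat(1, 1, 1));
    return 0;
}
```

The honest request (claimed length equal to the bytes sent) is answered by both handlers; only the vulnerable one answers the malformed request, and its response carries the bytes that lay beyond the record, which is exactly how keys and credentials leaked.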
OpenSSL is used by millions of websites, so the flaw affects almost everyone. The affected releases are OpenSSL 1.0.1 through 1.0.1f; the fix shipped in 1.0.1g. Those not affected by this two-year-old bug are immune either because their websites don't support SSL or because they run an older version of OpenSSL that predates the heartbeat extension, and both situations are a problem in their own right.
Dwayne Melancon, CTO of Tripwire, told CSO Online that the potential impact for Heartbleed is huge.
"OpenSSL is a widely used technology for secure communication over the Internet. In general, that means it was implemented to protect secure data and communications to prevent unauthorized access to information. This vulnerability means attackers can gain access to information, transactions, and other sensitive or valuable data with little restriction - it is very serious."
The flaw has existed for two years, and there are a number of mitigating factors that would leave a website immune to it.
At last check, 48 of the Alexa Top 1,000 sites were vulnerable to the Heartbleed issue. Then again, of the 952 domains not vulnerable, 512 are safe only because they don't support SSL. The other 448 domains listed as not vulnerable are either patched, were built without the heartbeat option, or are running an older version of OpenSSL.
Those with outdated installs are exposing the website and its users to a number of other potential risks, so the advice from experts is to update to the current version - Heartbleed vulnerability or not.
"The important thing to do is take a breath, update your system, and revoke your current SSL keys and issue new ones. Patching systems is the easy part here - several major vendors, Red Hat and Ubuntu included, have already issued updates to their package management systems," Tripwire's Tyler Reguly said.