If a ‘Heartbleed bug’ sounds like it would be bad news for your body’s system, in reality it’s even worse for your computer’s. This vulnerability is big, and it’s probably affecting you, right now.
What’s the crack?
Yesterday the OpenSSL Project spoke about the recently discovered CVE-2014-0160 vulnerability. Approximately 60% of websites use OpenSSL, but this doesn’t mean that all of these necessarily use the vulnerable versions, so the actual number of affected sites is likely to be much smaller.
And in English…
Put simply, Heartbleed is a security vulnerability in the popular OpenSSL, which is a type of encryption software used to secure highly sensitive data like passwords and other important things (you’ve probably seen it represented as the padlock in the address bar of your browser). It allows attackers to see sensitive, encrypted data if it’s on a vulnerable site. They don’t leave a trace and can then use this data to impersonate users of the site.
Researchers from Google and security group Condenomicon discovered the issue, and since then there has been a rush to update software and protect users’ data. And, not to be all doom and gloom, but unfortunately some researchers are saying it’s already too late.
What does Heartbleed do?
The bug allows attackers to grab 64kb chunks of memory from a server, laying bare all the things; from passwords and usernames to credit card numbers and home addresses. Roughly half a million websites are thought to have been affected.
Normally security glitches come and go but they’re usually resolved fairly quickly. Considering the long exposure, ease of exploitation and that the attacks leave no trace, this breach should be taken seriously.
What versions of the OpenSSL are affected?
This is the current status of the different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
And some operating system distributions have also been shipped with the potentially vulnerable OpenSSL version:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
The bug was introduced to OpenSSL in December 2011 and has been roaming around since the OpenSSL released 1.0.1 on 14th of March 2012; but OpenSSL 1.0.1g released on 7th of April 2014 claims to fix the bug.
What are they doing about it?
iDone (one of the sites to find they potentially have the vulnerability) have said: “We updated the relevant code on our servers on April 8th, 2014. As of 1pm (Pacific Daylight Time), the vulnerability is no longer present.”
However, they’d already stated that,“At this time, we have no evidence that iDoneThis has been attacked or that there has been any compromise of user data. All our measures have been precautionary. As a precaution, we have also re-issued our SSL certificates and revoked our old ones.”
Their final advice is clear though: “We recommend that people change their passwords.”
Facebook, Google and Yahoo are also saying they’ve patched the issue.
On the other hand, some are advising to stay away from the internet for a few days while things blow over, especially if you have any sensitive or important work to do.
“As long as the vulnerable version of OpenSSL is in use it can be abused,” the Heartbleed website states. “Fixed OpenSSL was released but it has to be deployed en masse,” the website added. “Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”
There have also been some security checkers set up to test sites’ vulnerability.
At UKFast we haven’t been affected but we are helping clients with any issues they’re experiencing; so if you have any concerns contact your account manager and they’ll be happy to help.