OpenSSL bug ‘Heartbleed’ on the loose – easily exploitable glitch that’s been there the whole time

By Peter Gothard
09 Apr 2014

The internet has a new bug to fear, as Google Security and Finnish security company Codenomicon have uncovered a threat lurking, they say, at the very heart of OpenSSL.

The weakness apparently allows "anyone on the internet" to read the memory of systems protected by "vulnerable versions" of OpenSSL, which is the open source core library for encrypting many forms of secure online traffic. Transport Layer Security [TLS] and Secure Sockets Layer [SSL] protocols are both handled by OpenSSL.

Researchers at Google and Codenomicon say they have tested the weakness by attacking themselves "from outside, without leaving a trace".

The glitch has already been plugged, with the likes of Microsoft and Amazon Web Services already loudly and publicly rolling out fixes to try to put their customers at ease.

But "as long as the vulnerable version of OpenSSL is in use it can be abused", warned Google and Codenomicon.

The bug exposes primary and secondary security keys, as well as "protected content" and "collateral", explained the researchers. In practice this means that past and future traffic to a protected service can be decrypted, and the service itself can be impersonated, once its keys have been acquired. Secondary keys are the usernames and passwords used with vulnerable OpenSSL services, while "protected content" can extend to individual emails, instant messages or, indeed, any document the service protects. Collateral leaks extend only to memory addresses, but these can still be of short-term use to attackers.

HP's VP and general manager of enterprise security products for APJ and EMEA, Tony Caine, condemned developers at the OpenSSL Project for failing to see the importance of "due process and care to be taken in the development stages of new software".

"It also once again demonstrates that traditional perimeter security is dead and that security breaches are inevitable," continued Caine.

"Organisations need to realise this and allocate resource to finding and containing threats once they have gained access to the system. In 2013 on average threats went undiscovered for 243 days - a huge amount of time."

Yahoo's blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking".
