Heartbleed bug find triggers OpenSSL security advisory

Apr 08, 2014 by Nancy Owano

A flaw called Heartbleed in OpenSSL, a software library used to protect millions of websites, was uncovered by Neel Mehta of Google Security, who first reported it to the OpenSSL team, triggering Monday's release of a fix for the bug along with a security advisory. Dated Monday, the OpenSSL security advisory said the flaw involved "a missing bounds check in the handling of the TLS [Transport Layer Security] heartbeat extension," which could be used to reveal "up to 64k of memory to a connected client or server." The advisory said the issue did not affect versions of OpenSSL prior to 1.0.1; the affected versions were 1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, 1.0.1e and 1.0.1f. The bug was fixed in OpenSSL 1.0.1g. The advisory said: "Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS." In the notice, Mehta was thanked for discovering the bug, and Adam Langley and Bodo Moeller were thanked for preparing the fix.

Meantime, a team of security engineers at the security company Codenomicon independently found the bug while improving the SafeGuard feature in its security testing tools; they reported it to NCSC-FI for vulnerability coordination and reporting to the OpenSSL team. Codenomicon published a detailed page examining Heartbleed and its impact: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

Codenomicon is headquartered in Oulu, Finland, and California, with offices in Singapore and Hong Kong. The company's testers took an attacker's perspective and attacked the company from outside, "without leaving a trace." The Codenomicon team said they did not use any credentials or privileged information and yet were able to steal "secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

According to Codenomicon, the bug was introduced to OpenSSL in December 2011 and "the OpenSSL 1.0.1g released Monday fixes the bug." OpenSSL is used to protect sensitive data as it travels back and forth, said BBC News. Ars Technica called it "the world's most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications."

The bug itself is called "Heartbleed" because it occurs in the heartbeat extension. Codenomicon explained that the bug is in OpenSSL's implementation of the TLS/DTLS ( protocols) heartbeat extension (RFC6520). "When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server."
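The "missing bounds check" the advisory names, and the memory leak Codenomicon describes above, come down to one comparison. The following is an added illustration, not OpenSSL's code or Codenomicon's: a simplified parser for a heartbeat record in the shape RFC 6520 describes (type, two-byte payload length, payload, padding), shown once without the check and once with it. The memory arena, the 4-byte "ping" payload, the claimed length of 40 and the fake session cookie placed after the record are all constructed for the demonstration; the point is that the unchecked version trusts the length field in the message, while the fixed version compares it against the number of bytes that actually arrived and discards the record when they disagree.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of an RFC 6520 heartbeat record:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Illustrative code only; this is not OpenSSL's implementation.
 */
#define HB_HDR_LEN      3
#define HB_MIN_PADDING  16
#define HB_REQUEST      1

/* Constructed stand-in for process memory: the record sits at the start of
 * the arena and unrelated data (a fake session cookie) happens to follow it. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];
static const char fake_secret[] = "SESSION=abc123";   /* constructed sample value */

/* Lay out the scenario: a 4-byte payload whose length field claims `claimed_len`
 * bytes. Returns the true length of the record as received on the wire (23). */
static size_t build_scenario(uint16_t claimed_len)
{
    static const unsigned char payload[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = HB_HDR_LEN + sizeof payload + HB_MIN_PADDING;

    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HDR_LEN, payload, sizeof payload);
    /* padding bytes stay zero; the secret lives just past the end of the record */
    memcpy(arena + rec_len, fake_secret, sizeof fake_secret - 1);
    return rec_len;
}

/* Pre-fix shape: the length field in the message is trusted, so the reply
 * copies whatever follows the record in memory. Returns bytes copied. */
size_t heartbeat_reply_unchecked(const unsigned char *rec, unsigned char *out)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HDR_LEN, payload_len);   /* never compared with the real record length */
    return payload_len;
}

/* Post-fix shape: the claimed payload length is checked against the number of
 * bytes actually received and a malformed record is discarded.
 * Returns the payload length copied, or -1 if the record is rejected. */
int heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    uint16_t payload_len;

    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return -1;                                   /* shorter than header plus minimum padding */
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;                                   /* claimed payload exceeds what arrived */
    if (payload_len > out_cap)
        return -1;                                   /* would overflow the reply buffer */
    memcpy(out, rec + HB_HDR_LEN, payload_len);
    return (int)payload_len;
}

/* Number of reply bytes the unchecked parser takes from outside the record. */
size_t unchecked_leak_bytes(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_scenario(40);
    size_t copied = heartbeat_reply_unchecked(arena, out);
    size_t inside = rec_len - HB_HDR_LEN;            /* payload + padding actually present */
    return copied > inside ? copied - inside : 0;
}

/* 1 if the unchecked reply carries the constructed secret, else 0. */
int unchecked_reply_contains_secret(void)
{
    unsigned char out[ARENA_SIZE];
    size_t n, i, m = sizeof fake_secret - 1;
    build_scenario(40);
    n = heartbeat_reply_unchecked(arena, out);
    for (i = 0; i + m <= n; i++)
        if (memcmp(out + i, fake_secret, m) == 0)
            return 1;
    return 0;
}

/* Result of the checked parser for a record whose length field claims `claimed_len`. */
int checked_result(uint16_t claimed_len)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_scenario(claimed_len);
    return heartbeat_reply_checked(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("unchecked parser copies %zu bytes from beyond the record\n", unchecked_leak_bytes());
    printf("unchecked reply contains the secret: %d\n", unchecked_reply_contains_secret());
    printf("checked parser, oversized claim (40): %d\n", checked_result(40));
    printf("checked parser, honest claim (4):     %d\n", checked_result(4));
    return 0;
}
```

The arena is sized so the unchecked copy stays inside it; in a real process the bytes past the record are whatever the allocator last put there, which is why the advisory measures the exposure in memory size rather than in protocol fields. The `-DOPENSSL_NO_HEARTBEATS` workaround the advisory mentions removes the extension entirely, so neither branch of this parser would be reached.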

According to BBC News, full protection might require "updating to the safer version of OpenSSL as well as getting new security certificates and generating new ." Similarly, Jeremy Kirk of the IDG News Service said administrators were advised to apply the up-to-date version of SSL, revoke any compromised keys and reissue new keys.

Posing the question, "Is there a bright side to all this?" Codenomicon commented that for service providers affected, "this is a good opportunity to upgrade strength of the used."



User comments : 2

1 / 5 (1) Apr 08, 2014
Introduced vulnerabilities by the NSA? :P