Heartbleed bug find triggers OpenSSL security advisory

Apr 08, 2014 by Nancy Owano weblog

A flaw called Heartbleed in OpenSSL, a software library that protects millions of websites, was uncovered by Neel Mehta of Google Security, who first reported it to the OpenSSL team, triggering Monday's release of a fix for the bug along with a security advisory. Dated Monday, the OpenSSL security advisory said the flaw involved "a missing bounds check in the handling of the TLS [Transport Layer Security] heartbeat extension," which could be used to reveal "up to 64k of memory to a connected client or server." That limit is per heartbeat request; nothing prevents an attacker from sending requests repeatedly. The advisory said this issue did not affect versions of OpenSSL prior to 1.0.1; the affected releases were 1.0.1 through 1.0.1f (1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, 1.0.1e and 1.0.1f). The bug was fixed in OpenSSL 1.0.1g. "Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS." In the notice Mehta of Google Security was thanked for discovering the bug, and Adam Langley and Bodo Moeller were thanked for preparing the fix.

Meantime, a team of security engineers at security company Codenomicon independently found the bug while improving the SafeGuard feature in its security testing tools; they reported it to the NCSC-FI for vulnerability coordination and reporting to the OpenSSL team. Codenomicon issued a fully detailed page examining Heartbleed and its impact: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

Codenomicon is headquartered in Oulu, Finland and California with offices in Singapore and Hong Kong. The company's testers took an attacker's perspective and attacked the company's own systems from outside, "without leaving a trace." The Codenomicon team said they did not use any credentials or privileged information and yet were able to steal "secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication." The point about leaving no trace matters for incident response: a vulnerable server handles the malformed heartbeat as ordinary protocol traffic, so an empty log is not evidence that a server was never exploited.

According to Codenomicon, the bug was introduced to OpenSSL in December 2011 and "the OpenSSL 1.0.1g released Monday fixes the bug." OpenSSL is used to protect sensitive data as it travels back and forth, said BBC News. Ars Technica called it "the world's most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications."

The bug itself is called "Heartbleed" because it occurs in the heartbeat extension. Codenomicon explained that the bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). "When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server."
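The missing bounds check is easiest to see beside the one that fixed it. The following is an added, self-contained illustration written for this page; it is not OpenSSL's code. A heartbeat message is a type byte, a two-byte payload length, the payload, and at least 16 bytes of padding. The responder echoes the payload back. The pre-1.0.1g logic copied as many bytes as the length field claimed; the 1.0.1g logic first checks that the claimed payload (plus padding) fits inside the record that was actually received, and otherwise silently discards the request. The "secret" string, the 1024-byte memory arena standing in for process memory, and the 64-byte claimed length (real requests could claim up to 65535, the "64k" in the advisory) are constructed for the demonstration so that the over-read stays inside the arena and the program remains well-defined C.

```c
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define PADDING 16          /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE 1024     /* constructed stand-in for process memory */

/* A received TLS record: its bytes and how many were actually received. */
struct record {
    const unsigned char *data;
    size_t length;
};

/* Constructed stand-in for stale key material lying just past the record. */
static const char SECRET[] = "BEGIN RSA PRIVATE KEY (constructed stand-in)";

static size_t read_u16(const unsigned char *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* Shared response builder: type, 2-byte length, echoed payload, padding. */
static size_t build_response(const unsigned char *payload_src, size_t payload,
                             unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + payload + PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, payload_src, payload);  /* over-reads when payload > bytes received */
    memset(out + 3 + payload, 0, PADDING);  /* OpenSSL fills padding with random bytes */
    return resp_len;
}

/* Pre-1.0.1g shape: the length field is trusted, never compared to rec->length. */
size_t heartbeat_vulnerable(const struct record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    size_t payload = read_u16(p);   /* attacker-controlled, up to 65535 */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return build_response(p, payload, out, out_cap);
}

/* 1.0.1g shape: check the record is long enough to read the header at all, then
   check that the claimed payload plus padding fits inside what was received. */
size_t heartbeat_fixed(const struct record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    if (1 + 2 + PADDING > rec->length)
        return 0;                   /* too short to be a heartbeat at all */
    unsigned char hbtype = *p++;
    size_t payload = read_u16(p);
    p += 2;
    if (1 + 2 + payload + PADDING > rec->length)
        return 0;                   /* claimed length exceeds record: silently discard */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return build_response(p, payload, out, out_cap);
}

/* Builds a heartbeat record in the arena with SECRET right after it, runs one of the
   two implementations, and returns the response length (0 = request discarded).
   well_formed=0 is the Heartbleed case: a 3-byte record whose length field claims 64. */
size_t run_heartbeat(int use_fix, int well_formed, unsigned char *out, size_t out_cap)
{
    unsigned char arena[ARENA_SIZE];
    struct record rec;
    size_t rec_len;
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    if (well_formed) {
        arena[1] = 0; arena[2] = 4;         /* payload length 4 */
        memcpy(arena + 3, "ping", 4);
        rec_len = 1 + 2 + 4 + PADDING;      /* padding is the zeros already there */
    } else {
        arena[1] = 0; arena[2] = 64;        /* claims 64 bytes, sends none */
        rec_len = 3;
    }
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    rec.data = arena;
    rec.length = rec_len;
    return use_fix ? heartbeat_fixed(&rec, out, out_cap)
                   : heartbeat_vulnerable(&rec, out, out_cap);
}

/* Returns 1 if the response to the malformed request echoes SECRET back. */
int response_leaks_secret(int use_fix)
{
    unsigned char out[256];
    size_t n = run_heartbeat(use_fix, 0, out, sizeof out);
    size_t slen = sizeof SECRET - 1;
    if (n < 3)
        return 0;
    size_t plen = read_u16(out + 1);
    for (size_t i = 0; i + slen <= plen; i++)
        if (memcmp(out + 3 + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char out[256];
    printf("vulnerable, bogus length: %zu bytes sent back, leaks secret: %d\n",
           run_heartbeat(0, 0, out, sizeof out), response_leaks_secret(0));
    printf("fixed, bogus length:      %zu bytes sent back, leaks secret: %d\n",
           run_heartbeat(1, 0, out, sizeof out), response_leaks_secret(1));
    printf("fixed, well-formed:       %zu bytes sent back\n",
           run_heartbeat(1, 1, out, sizeof out));
    return 0;
}
```

The vulnerable path answers the 3-byte request with an 83-byte response (1 + 2 + 64 + 16) whose payload is whatever followed the record in memory, here the constructed secret; the fixed path returns nothing for the same request and still answers a well-formed 4-byte "ping" with a 23-byte response. Note that the fix does not alert or log anything: the malformed request is dropped silently, which is the same reason exploitation of unpatched servers left no trace.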

According to BBC News, full protection might require "updating to the safer version of OpenSSL as well as getting new security certificates and generating new keys." Similarly, Jeremy Kirk of the IDG News Service said administrators were advised to apply the up-to-date version of OpenSSL, revoke any compromised keys and reissue new keys. The order matters: because the leaked memory can include a server's private key, patching alone does not undo a compromise that may already have happened, and a patched server still presenting its old certificate can be impersonated by anyone who extracted the key while it was vulnerable.

Posing the question, "Is there a bright side to all this?" Codenomicon commented that for service providers affected, "this is a good opportunity to upgrade strength of the used secret keys."


User comments

Apr 08, 2014
Introduced vulnerabilities by the NSA? :P