OpenSSL bug potentially allows attackers to steal private encryption keys, session cookies & passwords
Software companies, service providers urged to patch vulnerability immediately
FINNISH software security solutions vendor Codenomicon has discovered a serious Internet vulnerability dubbed 'Heartbleed'.
According to the company, the vulnerability has exposed 66% or more of the Internet to attack.
The vulnerability is due to a bug introduced in 2012 in OpenSSL, a cryptographic library used to secure a large share of the Internet's traffic.
By exposing the memory contents of a Web site's server, the Heartbleed vulnerability potentially allows attackers to steal the most sensitive information such as private encryption keys, session cookies and passwords.
The OpenSSL Project has released an emergency patch for the bug along with a security advisory, and software companies have been moving quickly to implement the patch since it was publicly revealed.
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
It is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
The patch should quickly remediate the issue and eliminate future risk. However, since an exploit of the vulnerability leaves no trace of anything abnormal in logs, it is impossible to determine whether any actual attacks took place.
"Typically, bugs in a single software application or library come and go, and are fixed by new versions," said Ari Takanen, Codenomicon's chief research officer.
"However due to early release of the Heartbleed bug details, it left large amounts of private keys and sensitive data exposed for quite some time.
"In addition, there are three aspects that make Heartbleed particularly concerning - the long exposure, ease of exploitation, and the fact that any actual attacks would leave no trace," he added.
According to a Threatpost report, some high-profile sites, including Yahoo Mail, Lastpass, the OpenSSL site and the main FBI site have been confirmed to leak certain information via the bug. There also is a proof-of-concept exploit for the flaw posted on Github.
Consumers are advised to follow their service providers' guidelines once those providers have updated OpenSSL to the patched version and replaced their encryption keys.
In some cases, service providers may require you to change your password, particularly for more sensitive log-ins, such as financial institutions and e-commerce sites.
Codenomicon named the bug Heartbleed because it occurs in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension.
When it is exploited, it leads to the leak of memory contents from the server to the client and from the client to the server. The same weakness also exists in the client-side implementations of OpenSSL.
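The heartbeat message described above carries its own declared payload length, and the weakness is that the vulnerable code trusted that length instead of comparing it with the number of bytes that actually arrived. The following is an added example, not code from the article or from OpenSSL: a small Python inspector for raw TLS heartbeat records that applies that missing bounds check, the kind of validation a network monitor or a test harness can use to flag malformed heartbeats. The record layout follows RFC 6520 (type, two-byte length, payload, at least 16 bytes of padding); the sample records and the helper names are constructed for this example.

```python
import struct

# Constants from the TLS record layer and RFC 6520 (heartbeat extension).
TLS_HEARTBEAT = 0x18          # content type of a heartbeat record
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_record(hb_type: int, payload: bytes,
                           padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Assemble a well-formed TLS 1.1 heartbeat record (constructed test data).

    The declared payload length always matches the real payload, which is what
    a conforming peer sends."""
    body = struct.pack("!BH", hb_type, len(payload)) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


def check_heartbeat_record(record: bytes) -> dict:
    """Inspect one raw TLS record and report whether its heartbeat message is
    internally consistent. Returns a verdict plus the reason for it."""
    if len(record) < 5:
        return {"verdict": "not-a-record",
                "reason": "shorter than a 5-byte TLS record header"}
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"verdict": "ignore",
                "reason": f"content type 0x{content_type:02x} is not heartbeat"}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"verdict": "malformed",
                "reason": f"header declares {rec_len} body bytes, {len(body)} present"}
    if len(body) < 3:
        return {"verdict": "malformed",
                "reason": "heartbeat message too short for type and length fields"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"verdict": "malformed", "reason": f"unknown heartbeat type {hb_type}"}
    # The essential bounds check: type byte + length field + declared payload
    # + minimum padding must all fit inside the bytes that actually arrived.
    # A message that fails this is exactly what a patched peer silently drops.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return {"verdict": "suspicious",
                "reason": f"declared payload {payload_len} bytes does not fit "
                          f"in a {rec_len}-byte record body",
                "payload_len": payload_len}
    return {"verdict": "ok", "type": hb_type, "payload_len": payload_len,
            "payload": body[3:3 + payload_len]}


def scan_records(records) -> list:
    """Run the check over a sequence of captured records (e.g. from a pcap
    decoder) and return one verdict string per record."""
    return [check_heartbeat_record(r)["verdict"] for r in records]


# Constructed samples: one conforming request and one whose declared payload
# length (0x4000) is far larger than the 3-byte record body that carries it.
GOOD_RECORD = build_heartbeat_record(HB_REQUEST, b"ping")
BAD_RECORD = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_heartbeat_record(rec))
```

The check mirrors what the server side should have been doing all along: the declared length is untrusted input, and the only trustworthy bound is the length of the record that was actually received. In a monitoring context, a "suspicious" verdict on an inbound heartbeat request is worth alerting on even after patching, since it indicates someone probing for the flaw.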
Codenomicon has also created a micro-site dedicated to an in-depth breakdown of Heartbleed, with ongoing updates.