Heartbleed: Serious OpenSSL 0day Vulnerability Revealed

Everyday new security bugs are being discovered. And one of these newly identified bugs is the the so-called Heartbleed Bug in the OpenSSL cryptographic library.

While Heartbleed only effects OpenSSL’s 1.0.1 and the 1.0.2-beta release, 1.01 is already broadly deployed. Since Secure-Socket Layer (SSL) and Transport Layer Security (TLS) are at the heart of Internet security, this security hole is serious.

The flaw can potentially be used to reveal not just the contents of a secured-message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as a skeleton keys to bypass secure servers without leaving a trace that a site had been hacked.

This bug not a problem with OpenSSL’s inherent design. It’s an implementation problem. That is to say it the result of a programming mistake. The bug, which is officially referenced as CVE-2014-0160, makes it possible for attackers to recover up to 64 kilobytes of memory from the server or client computer running a vulnerable OpenSSL version. There is already a fix available for the problem for the 1.01 program in OpenSSL 1.0.1g. Work is proceeding rapidly for a pair of the 1.02-beta line. 

At this time, I am informed by sources that Red Hat, Debian, SuSE, Canonical, and Oracle, to name a few, are working at a feverish pace to get the patched versions of OpenSSL out to their clients. It’s expected that it may take approximately 12-hours to deliver the patches. When do they become available anyone using OpenSSL 1.01 or 1.02 must deploy the patched version as fast as possible.

View full post on Who Got Hacked – Latest Hacking News and Security Updates