Serious OpenSSL bug renders websites wide open

Powered by SC Magazine
 

Heartbleed headache.

A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed.

Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys to protect the traffic.

User names, passwords and the actual content of the communications can also be read.

OpenSSL is used to protect websites, instant messaging, email server protcols, virtual private networks and other communications.

The programming mistake has left large amounts of private keys and and other secrets exposed to the Internet for a long time, according to Finnish security consultants Codenomicon. Attackers can read the memory of vulnerable systems in 64 kilobyte chunks, until they have the required information to succesfully compromise them.

The flaw was introduced in OpenSSL in December 2011, and has been "out in the wild" or known to attackers since March 2012.

No man-in-the-middle techniques of interception are required to exploit the out-of-bounds memory bug, and attacks leave no trace on vulnerable systems.

The flaw, discovered by Google engineers Neel Mehta and Adam Langley as well separately by Codenomicon, affects OpenSSL versions 1.0.1 and 1.0.2-beta.

OpenSSL recommends that uses immediately upgrade to version 1.0.1g. If that's not possible, users should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag to remove the the heartbeat handshake. The 1.0.2 version of OpenSSL will be fixed with beta 2.

Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2 are all listed as vulnerable to the Heartbleed bug.

Copyright © iTnews.com.au . All rights reserved.


Serious OpenSSL bug renders websites wide open
 
 
 
Top Stories
Photos: iTnews Benchmark Awards countdown begins
Just a few days left until entries close for 2014.
 
Australian Govt to rethink cyber security strategy
Six-year old policy to be refreshed.
 
The failure of the antivirus industry
[Blog post] Insights from AVAR 2014.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 1037

Vote