Vendors slow to patch OpenSSL vulnerabilities

By Juha Saarinen on Jun 30, 2014 6:19AM

Heartbleed is far from over.

Several key technology vendors are yet to fully patch vulnerabilities in the OpenSSL cryptographic library used to secure networked communications, a leading Australian security researcher has warned.

The Heartbleed vulnerability in OpenSSL, first revealed to the public in April this year, makes it possible for attackers to tap into what was thought to be secure, encrypted communications unnoticed.

After a more thorough audit of the open source crypto library, further vulnerabilities were discovered that could lead to denial of service attacks and arbitrary code execution.

The list of products affected by the OpenSSL vulnerabilities is long and deep, ranging from servers to clients, database backup systems, printers, mobile phones and hypervisors - almost any IT product or service conceivable.

Information security analyst Marco Ostini, who works at the Australian Computer Emergency Response Team (AusCERT) at the University of Queensland, says the OpenSSL vulnerabilities are not restricted to server-side computing. They are close to being ubiquitous, affecting almost every operating system, he said.

This includes clients as well as embedded devices such as home broadband routers, many of which are yet to receive firmware patches for the OpenSSL vulnerabilities.

Other network devices such as smart televisions, Wi-Fi access points, industrial SCADA control systems, payment gateways, automatic teller machines and point of sale systems may still be vulnerable, Ostini warned, and the fixes have been coming in at too slow a pace.

"The slow release of patches from some vendors, and then the slow pushing of patches over so many products from sysadmins and ordinary users at home, seem to highlight that Heartbleed and its cousins will be causing grief for some time to come. It may end up being instrumental in some significant breaches to come," Ostini told iTnews.

Google's Android mobile operating system version 4.1.1 accounts for almost a third of all installations but has yet to see a patch against the OpenSSL vulnerability.

Blackberry is another vendor that was very late to patch many of its vulnerable products, Ostini noted.

"In the process [of patching for OpenSSL vulnerabilities] credentials, private keys and other sensitive data would almost certainly have been stolen," Ostini said.

The scale of the problem is compounding the difficulty of all parties rectifying the issue, he said.

"Consider the plight of the poor sysadmin whose job it is to patch all the products that are vulnerable to Heartbleed, drop certificates and install new ones, and cause much annoyance to their employer in the process with their necessary disruptions," he said. "Now consider that poor sleep-deprived person being required to do it all again for the batch of seven OpenSSL vulnerabilities."

The industry is suffering from what he calls "vulnerability mitigation fatigue".

"Even with the best intentions and processes, it can slow the response down, so that the necessary updates aren't being urgently applied," Ostini said.

Less than two weeks ago, security researcher Robert Graham of Errata Sec launched a mass scan of internet-connected systems and found that over 300,000 were still vulnerable to Heartbleed, two months after the alert went out.

"This indicates that people have stopped even trying to patch," the researcher said.

"Even a decade from now, I still expect to find thousands of systems, including critical ones, still vulnerable."

Copyright © iTnews.com.au . All rights reserved.