Heartbleed
-
I found this on the net while looking through news
http://www.bbc.com/news/technology-26935905
The bug in OpenSSL was discovered by researchers working for Google and security firm Codenomicon.
In a blog entry about their findings the researchers said the “serious vulnerability” allowed anyone to read chunks of memory in servers supposedly protected with the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.
“This allows attackers to eavesdrop [on] communications, steal data directly from the services and users and to impersonate services and users,” wrote the team that discovered the vulnerability. They called it the “heartbleed” bug because it occurs in the heartbeat extension for OpenSSL.
The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL released on 7 April is no longer vulnerable to the bug. -
So a simple update will fix it!
-
Yay updates!
Now sadly, many users will be affected by this long term, due to OpenSSL being embedded in various network appliances and other long-life systems that companies have to pay license fees just to update. My organization narrowly missed this bug due to our equipment being in the golden age right before the versions vulnerable to Heartbleed.
I think within the next month, most major and responsible organizations will have patched themselves against Heartbleed. But due to the wide-ranging impact of an OpenSSL exploit, Heartbleed could still be leaking data for the next five years.
-
wow soooo many people/companies are reporting this is in their stuff. Nice job keeping up-to-date, James.