
Critical "Heartbleed" security bug found in OpenSSL

Security researchers sound alarm over new OpenSSL vulnerability that could let hackers eavesdrop on communications


Security group Codenomicon has found a critical bug in OpenSSL that undermines the security of the connections the library is meant to protect.

"Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," Codenomicon wrote. "Many of online services [sic] use TLS to identify themselves to you and to protect your privacy and transactions."

The bug, nicknamed Heartbleed, "allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."

Codenomicon tested the vulnerability on their own systems and found they could steal their own user names, passwords, emails, IMs, and other documents without leaving a trace.

"It's pretty serious," independent security expert Graham Cluley told IT Pro.

The Heartbleed exploit takes advantage of a programming mistake in the heartbeat extension of OpenSSL. The faulty code reveals 64KB of memory that the user should not be able to access. Attackers could automate this process to scrape sensitive data from memory, 64KB at a time.
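To make the programming mistake concrete, here is an added example (not code from OpenSSL or from Codenomicon) of a simplified heartbeat handler in C that includes the bounds check the vulnerable code was missing. The record layout follows RFC 6520; the function names and the 5-byte test payload are my own constructions.

```c
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Build a heartbeat request (constructed test data, not captured traffic).
 * The declared length can differ from the bytes actually supplied; that
 * mismatch is what Heartbleed abused. Returns the bytes written to buf. */
size_t build_heartbeat(uint8_t *buf, size_t claimed_len,
                       const uint8_t *payload, size_t actual_len) {
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Hardened handler for [type:1][len:2 BE][payload:len][padding:>=16].
 * Writes an echo response to out and returns its size, or -1 if the record
 * is malformed. The bounds check is the line the vulnerable code lacked: it
 * took 'len' from the peer's message and memcpy'd that many bytes regardless
 * of how many had actually arrived, so the echo carried process memory. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING) return -1;          /* too short for any payload */
    size_t len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + len + HB_PADDING > rec_len) return -1;     /* the fix: silently discard */
    if (rec[0] != HB_REQUEST) return 0;                /* only requests get an echo */
    size_t resp_len = 3 + len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, len);                     /* now bounded by rec_len */
    memset(out + 3 + len, 0, HB_PADDING);              /* real code uses random padding */
    return (int)resp_len;
}

/* Send a 5-byte payload that claims to be claimed_len bytes long and return
 * the handler's verdict, so honest and lying requests can be compared. */
int heartbeat_verdict(size_t claimed_len) {
    uint8_t rec[64], out[64];
    const uint8_t hello[] = {'h', 'e', 'l', 'l', 'o'};
    size_t n = build_heartbeat(rec, claimed_len, hello, sizeof hello);
    return handle_heartbeat(rec, n, out, sizeof out);
}
```

An honest request (claims 5, sends 5) is echoed as a 24-byte response; a request that claims 65535 bytes but sends 5 is discarded instead of being answered with whatever followed the record in memory.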

The bug has been in place for two years.

"Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously," Codenomicon wrote.

Problems with OpenSSL have wide-ranging implications, as it is widely used to secure online connections. Sixty-six per cent of web servers (Apache and nginx), all email programs (SMTP, POP, IMAP), chat programs (XMPP), and SSL-based virtual private networks can be compromised with this bug.

Businesses should check if they are using a compromised version of a VPN, as it could expose their data to anyone.

Heartbleed makes it possible to read traffic from systems running Linux distributions such as Debian, Ubuntu, Fedora and openSUSE, as well as OpenBSD and FreeBSD.

It also compromises websites such as Paypal, Craigslist, Barclays Mobile Banking, and Amazon Web Services. Amazon has confirmed it is upgrading its services right now.

OpenSSL users concerned about fixing their systems should adopt Fixed OpenSSL, the new version without Heartbleed. Alternatively, they can recompile OpenSSL with the TLS handshake removed.

"OpenSSL users should upgrade to the latest version (1.0.1g) immediately, and regenerate their private keys," Cluley said.

Upgrading to a safe version is essential now that Heartbleed is public. More attackers know about the vulnerability and can check if a system has not fixed it yet.

Codenomicon does not know if the bug has been used to compromise other systems, as it leaves no traces in any logs.
