Scramble to fix huge 'heartbleed' security bug
The researchers who discovered the bug publicised their findings via the web
A bug in software used by millions of web servers could have exposed anyone visiting sites they hosted to spying and eavesdropping, say researchers.
The bug is in a software library used in servers, operating systems and email and instant messaging systems.
Called OpenSSL, the software is supposed to protect sensitive data as it travels back and forth.
It is not clear how widespread exploitation of the bug has been because attacks leave no trace.
"If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle," said a blog entry about the bug published by the Tor Project which produces software that helps people avoid scrutiny of their browsing habits.
'Serious' vulnerability
A huge swathe of the web could be vulnerable because OpenSSL is used in the widely used Apache and Nginx server software. Statistics from net monitoring firm Netcraft suggest that about 500,000 of the web's secure servers are running versions of the vulnerable software.
"It's the biggest thing I've seen in security since the discovery of SQL injection," said Ken Munro, a security expert at Pen Test Partners. SQL injection is a way to extract information from the databases behind web sites and services using specially crafted queries.
Many firms were scrambling to apply patches to vulnerable programs and others had shut down services while fixes were being worked on, he said. Many were worried that with proof of concept code already being shared it would only be a matter of time before cyber thieves started exploiting the vulnerability.
Mojang, maker of the hugely popular Minecraft game, took all its services offline while Amazon, which it uses to host games, patched its systems.
The bug in OpenSSL was discovered by researchers working for Google and security firm Codenomicon.
In a blog entry about their findings the researchers said the "serious vulnerability" allowed anyone to read chunks of memory in servers supposedly protected with the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.
"This allows attackers to eavesdrop [on] communications, steal data directly from the services and users and to impersonate services and users," wrote the team that discovered the vulnerability. They called it the "heartbleed" bug because it occurs in the heartbeat extension for OpenSSL.
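The memory disclosure described above comes from a single missing bounds check: the heartbeat handler in the affected OpenSSL versions (CVE-2014-0160) copied as many bytes as the peer's length field claimed, without comparing that claim with the size of the record that had actually arrived. The C below is an added illustration written for this article, not OpenSSL's source; the function names, the fixed-size "arena" standing in for the heap, and the secret string placed after the record are all constructed for the demonstration. It shows the vulnerable handler beside the checked one that the fixed release applies, and a constructed request that claims 64 bytes of payload while sending 4.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2, big-endian)
 * | payload | padding (at least 16 bytes). */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

#define ARENA_LEN 256
/* Constructed "adjacent memory": in a real server this is whatever sat next
 * to the record in the heap (keys, cookies, other users' requests). */
static const char SECRET[] = "SECRET-PRIVATE-KEY-MATERIAL";

/* Vulnerable shape: the length field inside the message is trusted and the
 * length of the record that actually arrived (rec_len) is never consulted. */
static long heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char type = *p++;
    unsigned int payload = (p[0] << 8) | p[1];   /* attacker-controlled */
    p += 2;
    (void)rec_len;                                /* the bug: unused */
    if (type != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE;
    out[1] = payload >> 8; out[2] = payload & 0xff;
    memcpy(out + 3, p, payload);                  /* reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING);     /* real code: random padding */
    return 3 + payload + HB_PADDING;
}

/* Fixed shape: a record too short to hold the header and padding, or whose
 * claimed payload does not fit in the record, is silently discarded. */
static long heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char type;
    unsigned int payload;
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    type = *p++;
    payload = (p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    if (type != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE;
    out[1] = payload >> 8; out[2] = payload & 0xff;
    memcpy(out + 3, p, payload);                  /* bounded by rec_len now */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Build a constructed record carrying the 4-byte payload "ping" but a
 * length field of `claimed`, then place SECRET right after it. Returns the
 * true record length (23 bytes). */
static size_t build_sample(unsigned char *arena, unsigned int claimed)
{
    size_t n = 0;
    memset(arena, 0, ARENA_LEN);
    arena[n++] = HB_REQUEST;
    arena[n++] = claimed >> 8;
    arena[n++] = claimed & 0xff;
    memcpy(arena + n, "ping", 4); n += 4;
    n += HB_PADDING;                              /* zero padding */
    memcpy(arena + n, SECRET, sizeof SECRET);     /* the "next" heap object */
    return n;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's response carries the adjacent secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    size_t rec_len = build_sample(arena, 64);     /* claims 64, sends 4 */
    long n = heartbeat_vulnerable(arena, rec_len, out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* 1 if the fixed handler discards the same over-long claim. */
int fixed_rejects_oversized(void)
{
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    size_t rec_len = build_sample(arena, 64);
    return heartbeat_fixed(arena, rec_len, out) == -1;
}

/* Length of the fixed handler's reply to an honest 4-byte request (23),
 * or 0 if the echo is wrong or leaks anything beyond the payload. */
long fixed_echoes_valid(void)
{
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    size_t rec_len = build_sample(arena, 4);
    long n = heartbeat_fixed(arena, rec_len, out);
    if (n < 0 || memcmp(out + 3, "ping", 4) != 0) return 0;
    if (contains(out, (size_t)n, SECRET)) return 0;
    return n;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects oversized: %d\n", fixed_rejects_oversized());
    printf("fixed handler echoes valid request: %ld bytes\n", fixed_echoes_valid());
    return 0;
}
```

The over-read is bounded here by the 256-byte arena so the demonstration stays within one allocation; against a real server the copy walked up to 64 KB past the record into whatever the heap held, and each repeated request returned a different slice, which is why nothing in the server's logs records the theft.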
The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL released on 7 April is no longer vulnerable to the bug.
"Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously," wrote the researchers.
Installing an updated version of OpenSSL did not necessarily mean people were safe from attack, said the team. If attackers have already exploited it they could have stolen encryption keys, passwords or other credentials required to access a server, they said.
Full protection might require updating to the safer version of OpenSSL as well as getting new security certificates and generating new encryption keys. To help people check their systems, some security researchers have produced tools that help people work out if they are running vulnerable versions of OpenSSL.