A serious vulnerability has been discovered in the open-source encryption software used in many of the world’s websites that could allow attackers to steal a variety of information unnoticed.
The ‘Heartbleed’ bug potentially allows access to the memory of systems that currently run one of several vulnerable versions of the OpenSSL cryptographic software library.
OpenSSL is used to protect websites, instant messaging, email server protocols, virtual private networks and other online communications.
The flaw could reveal the authentication and encryption keys used to protect traffic, as well as details such as usernames and passwords.
Due to the nature of the bug, however, attackers leave no trace in server logs, so there is no way of knowing whether the flaw has been exploited.
The bug, officially referenced as CVE-2014-0160, was discovered independently by Google engineer Neel Mehta and by Finnish security firm Codenomicon. It appears to have been introduced into the software in December 2011 and was apparently known to attackers since March 2012.
In a blog post, the two offered advice to any businesses that believe they may have been at risk, as well as recommending how best to patch any leaks that may have occurred.
"Bugs in single software or library come and go and are fixed by new versions," the blog said. "However this bug has left a large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously."
On its website, OpenSSL recommended that users immediately upgrade to the newest version, 1.0.1g. Users unable to upgrade immediately should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
The 1.0.2 version of OpenSSL will be fixed with beta 2, the company said.
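A practitioner's first step is an inventory: which builds are on an affected version, and which have already had the heartbeat extension compiled out? The script below is an added example, not code from the article or from the OpenSSL project. It classifies an `openssl version` string against the releases named above (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed) and looks for the -DOPENSSL_NO_HEARTBEATS workaround in the build's compiler line. The function names are my own, the sample strings are constructed, and it assumes that defines passed at build time appear in the compiler line printed by `openssl version -f`.

```shell
# Added example (not from the article or the OpenSSL project): classify an
# OpenSSL build as at risk from Heartbleed by version number and build flags.
# Affected per the advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# Fixed: 1.0.1g and 1.0.2-beta2. The 0.9.8 and 1.0.0 branches lack the
# TLS heartbeat extension entirely and are not listed as affected.

# Extract the bare version number from a line such as
# "OpenSSL 1.0.1e 11 Feb 2013"; return 0 if that version is affected.
heartbleed_vulnerable_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9A-Za-z.-]*\).*/\2/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;   # affected release
        *) return 1 ;;                              # not affected by version number
    esac
}

# Return 0 if the compiler line shows the heartbeat extension compiled out.
# Assumption: the -D defines given to Configure appear in "openssl version -f".
heartbeats_compiled_out() {
    printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'
}

# A build is at risk when its version is affected AND the heartbeat
# extension was not compiled out.
heartbleed_at_risk() {
    if heartbleed_vulnerable_version "$1" && ! heartbeats_compiled_out "$2"; then
        return 0
    fi
    return 1
}

# Constructed sample inputs (not output captured from any real server).
SAMPLE_VULN="OpenSSL 1.0.1e 11 Feb 2013"
SAMPLE_FIXED="OpenSSL 1.0.1g 7 Apr 2014"
SAMPLE_FLAGS_OFF="compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_HEARTBEATS -O3"
SAMPLE_FLAGS_ON="compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O3"

report() {
    if heartbleed_at_risk "$1" "$2"; then
        printf 'AT RISK : %s\n' "$1"
    else
        printf 'ok      : %s\n' "$1"
    fi
}

report "$SAMPLE_VULN" "$SAMPLE_FLAGS_ON"     # AT RISK
report "$SAMPLE_VULN" "$SAMPLE_FLAGS_OFF"    # ok: heartbeats compiled out
report "$SAMPLE_FIXED" "$SAMPLE_FLAGS_ON"    # ok: fixed release

# Check the local build too, if an openssl binary is on PATH.
if command -v openssl >/dev/null 2>&1; then
    report "$(openssl version)" "$(openssl version -f)"
fi
```

One caveat on the version check: distributions often backport the fix without changing the version string, so a build reporting 1.0.1e may already be patched. Treat "AT RISK" as a prompt to confirm against the distribution's changelog or by rebuilding, and remember that a previously exposed host needs new keys and certificates, not just a new library.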
This article is from the CBROnline archive: some formatting and images may not be present.