Get In Touch
Recently in Web Security Category
Update 2014-04-11: Updated information on our later analysis here.
We're getting a lot of questions about the OpenSSL Heartbleed fix. What follows are the most commonly asked questions, with our answers.
The Heartbleed bug affects a heartbeat functionality within the TLS/DTLS portion of the library. It allows the attacker to -- silently and without raising alarms -- dump portions of the servers memory to the client. This can allow the attacker to walk through the memory space of the server, possibly dumping private SSL keys and certainly exposing important secrets.
All versions of the OpenSSL library between 1.0.1 and 1.0.1f contain the Heartbleed bug and should be updated to 1.0.1g as soon as possible. (The vulnerability researchers have posted their analysis, and an excellent analysis is up on Sean Cassidy's blog.
A fix is now available for a serious Open SSL flaw known as Heartbleed. The vulnerability, covered in CVE-2014-0160, affects OpenSSL 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8.
Akamai researchers have released fresh details regarding the Wordpress XML-RPC pingback exploits used in a series of DDoS attacks earlier this month. The details are in an advisory written by CSIRT's Larry Cashdollar.