Update 2014-04-11: Updated information on our later analysis here.
We're getting a lot of questions about the OpenSSL Heartbleed fix. What follows are the most commonly asked questions, with our answers.
The Heartbleed bug affects the heartbeat functionality in the TLS/DTLS portion of the library. It allows an attacker to silently, without raising alarms, dump portions of the server's memory to the client. By repeating this, the attacker can walk through the server's memory space, possibly dumping private SSL keys and certainly exposing other important secrets.
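As an added illustration (not code from the original post), here is a hypothetical minimal heartbeat-request parser in C showing the bounds check that the vulnerable versions were missing: the record layout (type, two-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520, and the function and constant names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST 1      /* heartbeat_request message type (RFC 6520) */
#define HB_PADDING 16     /* minimum padding that must follow the payload */

/* Copies the heartbeat payload out of a received record so it can be echoed.
 * Returns the payload length, or -1 if the record must be discarded. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;          /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;

    /* payload_length is attacker-controlled: it is read straight off the wire */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The Heartbleed check. The affected versions trusted payload_len and
     * copied that many bytes from the record buffer, so a claimed length
     * larger than the record actually received pulled adjacent heap memory
     * into the reply. Rejecting such records is the fix. */
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    if (payload_len > out_len) return -1;                  /* protect our own buffer */

    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

int main(void)
{
    /* Constructed sample: a well-formed request carrying "ping" (4 bytes) */
    uint8_t good[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    /* Constructed sample: same record, but claiming a 65535-byte payload */
    uint8_t bad[23];
    memcpy(bad, good, sizeof bad);
    bad[1] = 0xFF; bad[2] = 0xFF;

    uint8_t out[64];
    printf("good record -> %d\n", parse_heartbeat(good, sizeof good, out, sizeof out));
    printf("bad record  -> %d\n", parse_heartbeat(bad, sizeof bad, out, sizeof out));
    return 0;
}
```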
All versions of the OpenSSL library from 1.0.1 through 1.0.1f contain the Heartbleed bug and should be updated to 1.0.1g as soon as possible. (The vulnerability researchers have posted their analysis, and an excellent analysis is up on Sean Cassidy's blog.)
A fix is now available for a serious OpenSSL flaw known as Heartbleed. The vulnerability, tracked as CVE-2014-0160, affects OpenSSL 1.0.1 through 1.0.1f, with two exceptions: the OpenSSL 1.0.0 branch and the 0.9.8 branch are not affected.