The Heartbleed Bug – 5 things you need to know

As you may have heard, a major security vulnerability dubbed "Heartbleed" (CVE-2014-0160) was disclosed in OpenSSL on April 7, 2014. Here is what you need to know right away:

1. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.

The Heartbleed bug allows anyone who can open a TLS connection to a system running a vulnerable version of OpenSSL to read that system's memory, up to 64 KB per request, without authenticating and without leaving anything in the usual server logs. The request can be repeated as often as the attacker likes, each time returning a different slice of memory, and it works in both directions: a malicious server can pull memory from a vulnerable client just as a malicious client can from a vulnerable server.

Note: OpenSSL is an open-source implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. The bug is in its implementation of the TLS heartbeat extension (RFC 6520), a keep-alive message in which the peer sends some bytes and asks for them to be echoed back; hence the name.
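To show where the bug actually lives, here is an added example (it is not OpenSSL's code and not part of the original post): a stripped-down C model of the heartbeat handler, with the 1.0.1f logic beside the 1.0.1g fix. The record layout follows RFC 6520, but the "process memory", the secret string and the function names are constructed for the demo. The point it makes is that the only difference between the two handlers is one bounds check on a peer-supplied length.

```c
#include <string.h>

/* Simplified model of OpenSSL's TLS heartbeat handler (added example, not
 * OpenSSL's code). RFC 6520 record: 1 type byte, 2-byte big-endian payload
 * length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": one heartbeat record (true length known to the
 * TLS record layer) followed directly by data the peer must never see. */
static unsigned char g_mem[23 + 32];
static const char g_secret[] = "AKIA-SECRET-KEY-BYTES";   /* constructed */

/* Lay out a request that really carries the 4-byte payload "ping" but whose
 * length field says `claimed`. Returns the true record length (23 bytes). */
static size_t build_memory(unsigned int claimed)
{
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed >> 8);
    g_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(g_mem + 3, "ping", 4);                 /* bytes 7..22: zero padding */
    memcpy(g_mem + 23, g_secret, sizeof g_secret);
    return 23;
}

/* Echo `payload` bytes from `pl` into a response. This is the memcpy that
 * leaks when `payload` exceeds the data that actually arrived. */
static int write_response(unsigned char *out, const unsigned char *pl,
                          unsigned int payload)
{
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, HB_PADDING);     /* OpenSSL: random padding */
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* 1.0.1f behaviour: trusts the peer-supplied length and never compares it
 * with the record length. Returns the response length or -1. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];   /* n2s() */
    (void)rec_len;                                /* the bug: never consulted */
    if (rec[0] != HB_REQUEST || 1 + 2 + payload + HB_PADDING > out_cap)
        return -1;                                /* OpenSSL malloc'd exactly this */
    return write_response(out, rec + 3, payload);
}

/* 1.0.1g behaviour: bounds-check the length field against the record that
 * actually arrived before touching the payload (RFC 6520: discard silently). */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    unsigned int payload;
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                                /* too short for header + padding */
    payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                                /* length field lies: discard */
    if (rec[0] != HB_REQUEST || 1 + 2 + payload + HB_PADDING > out_cap)
        return -1;
    return write_response(out, rec + 3, payload); /* copy stays inside the record */
}

/* Byte-string search; responses contain NULs, so strstr will not do. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle), i;
    for (i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Malicious request: 4 real payload bytes, length field claims 40. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[128];
    int n = heartbeat_vulnerable(g_mem, build_memory(40), out, sizeof out);
    return n == 59 && contains(out, (size_t)n, "AKIA-SECRET");
}

/* Same malicious request against the patched handler. */
int fixed_rejects_malicious(void)
{
    unsigned char out[128];
    return heartbeat_fixed(g_mem, build_memory(40), out, sizeof out) == -1;
}

/* Honest request: length field matches the 4-byte payload. */
int fixed_answers_honest(void)
{
    unsigned char out[128];
    int n = heartbeat_fixed(g_mem, build_memory(4), out, sizeof out);
    return n == 23 && memcmp(out + 3, "ping", 4) == 0 && !contains(out, (size_t)n, "AKIA");
}
```

The three public functions each return 1 when the behaviour they are named for holds, so they can be called from any harness. Note that the vulnerable handler is not "crashing": the 40-byte copy simply runs off the end of the 23-byte record into whatever sits next in memory, which in a real server is other connections' data, cookies, passwords or the private key.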

2. Heartbleed Bug compromises computer system communications and data.

Heartbleed can expose the private keys that identify a service and protect its traffic, the usernames and passwords of its users, session cookies, and the content of the traffic itself. In practice it leaves communications and data wide open to theft: usernames and passwords, instant messages, emails, business-critical documents. A stolen private key lets an attacker impersonate the service and, unless the connections used forward-secret cipher suites, decrypt traffic captured earlier; stolen credentials and session cookies let an attacker impersonate users.

3. How the Heartbleed Bug affects you.

You are likely to be affected, if not directly then indirectly. OpenSSL is the most widely used open-source cryptographic library and TLS implementation on the Internet, and it is not only in web servers: mail servers, VPN gateways, chat services and client software link against it too. In your daily life you visit many websites: social media, your company's site, commerce sites, hobby sites, sites you install software from, government and not-for-profit sites. Many of them use OpenSSL, some of them were running a vulnerable version when the bug became public, and your privacy and transactions on those sites may not have been adequately protected.

4. What versions of OpenSSL are affected?

Vulnerable versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) ARE vulnerable
  • OpenSSL 1.0.2-beta1 IS vulnerable (fixed in 1.0.2-beta2)

These versions are not vulnerable:

  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
  • Any build of 1.0.1 compiled with -DOPENSSL_NO_HEARTBEATS is NOT vulnerable, because the affected code is compiled out

Caveat: the version string alone can mislead. Linux distributions such as Debian, Ubuntu and Red Hat backported the fix into their existing 1.0.1e and 1.0.1f packages without changing the upstream version number, so "openssl version -a" can still print 1.0.1e on a fully patched host. Check the package changelog for a reference to CVE-2014-0160, or treat the "built on" date in the "openssl version -a" output as a hint (a fixed build dates from April 7, 2014 or later), and when in doubt test the service itself.

5. What is the solution for the Heartbleed Bug?

The Heartbleed bug was introduced into OpenSSL in December 2011 and shipped in OpenSSL 1.0.1 on March 14, 2012, so it was exploitable for about two years before it was disclosed on April 7, 2014. Exploiting it leaves no trace in ordinary server logs, so there is no reliable way to tell whether a given system was attacked during that window. As long as a vulnerable version of OpenSSL is in use it can be, and is likely to be, abused.

Solution: OpenSSL 1.0.1g, released on April 7, 2014, fixes the bug, and Linux distributions shipped patched packages the same week. The fixed code now has to be deployed, and upgrading the library is only the first step:

  • Restart every service that links OpenSSL (web, mail, VPN, etc.) or reboot the host; a running process keeps the old library in memory until it is restarted.
  • Assume the private keys were exposed: generate new keys, reissue the certificates, and revoke the old ones.
  • Invalidate existing sessions and session cookies, and have users change their passwords, but only after the service is patched, or the new password can be stolen the same way.

If you are visiting potentially vulnerable web resources, be extra vigilant, and change your password on a site only once it confirms it has been patched.

As you know, we are always working to ensure that our clients' networks are secure and safe at all times. If you don't have a reliable IT company and need a hand managing your computer network, give us a call at (201) 493-1414; we want to hear from you.

How is your state of IT? Call Us: (855) 551-7760 with any questions.