The major internet security flaw in the OpenSSL cryptographic library, known as “Heartbleed”, has left a huge number of web servers across the globe (including many that use certificates issued by trusted certificate authorities) vulnerable to attack. Experts are advising users to change their passwords on major websites such as Google, Dropbox, Facebook and Yahoo, with one caveat: a new password only helps once the site in question has patched its servers and replaced its certificate, so check for the site’s own announcement first. Experts also believe that users’ personal data can be compromised via apps installed on their smartphones, since many of those apps talk to back-end servers running the same library. To secure your smartphone, log out of every app at least once so that the old session tokens are discarded and replaced with fresh ones, then sign in again; changing the passwords for those apps at the same time is worth the extra effort.
The Heartbleed bug is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension: a peer can send a heartbeat request whose stated payload length is larger than the number of bytes actually sent, and the affected server (or client) echoes back up to 64 kilobytes of its own process memory per request, with nothing to stop the attacker repeating the request as often as it likes. That memory can hold private keys, session cookies and the plaintext of other users’ traffic, so an attacker could retrieve the server’s private key and ultimately decrypt recorded traffic (where forward secrecy was not in use) or even impersonate the server.
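To make the missing bounds check concrete, here is an added example written for this page (it is not OpenSSL’s own code): a reduced model of the record handling in OpenSSL’s tls1_process_heartbeat(), once with the 1.0.1f logic that trusts the length field in the attacker’s record, and once with the 1.0.1g logic that first checks the claimed length against the record length. The “process memory” array, the secret placed a little past the end of the record, and the request that sends 4 bytes while claiming 2000 are all constructed for the demonstration; real heap layouts differ, which is exactly why the leaked bytes are unpredictable in practice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16                    /* minimum padding on a heartbeat */
#define MAX_RESPONSE     (1 + 2 + 65535 + HB_PADDING)

/* Constructed "process memory" (an assumption of this example): the received
 * heartbeat record sits at the start, and a secret lives a little past the end
 * of the record, where the real bug finds whatever the allocator left nearby.
 * The over-read below never leaves this array, so the demo itself is well defined. */
#define MEM_SIZE 4096
static unsigned char g_mem[MEM_SIZE];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Lays out a heartbeat request in g_mem whose length field claims `claimed_len`
 * payload bytes while only `actual_len` bytes were really sent.
 * Returns the record length that the TLS record layer would report. */
size_t build_request(uint16_t claimed_len, size_t actual_len)
{
    memset(g_mem, 'A', sizeof g_mem);
    unsigned char *p = g_mem;
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);      /* s2n(): big-endian length */
    *p++ = (unsigned char)(claimed_len & 0xff);
    memset(p, 'P', actual_len);                     /* the bytes actually sent */
    p += actual_len;
    memset(p, 0, HB_PADDING);
    p += HB_PADDING;
    size_t rec_len = (size_t)(p - g_mem);
    memcpy(g_mem + rec_len + 64, SECRET, sizeof SECRET);   /* the unlucky neighbour */
    return rec_len;
}

/* Builds the response: type, echoed length, `payload` bytes copied from `pl`,
 * then padding. Returns the number of bytes written to `out` (sized MAX_RESPONSE). */
static size_t write_response(unsigned char *out, const unsigned char *pl, unsigned int payload)
{
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);            /* copies `payload` bytes, wherever they point */
    bp += payload;
    memset(bp, 0, HB_PADDING);          /* OpenSSL fills this with random bytes */
    return (size_t)(bp - out) + HB_PADDING;
}

/* The 1.0.1f behaviour: the payload length comes from the attacker's record and
 * is never compared with the record length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                                   /* never consulted: that is the bug */
    unsigned char hbtype = rec[0];
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];   /* n2s() */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return write_response(out, rec + 3, payload);
}

/* The 1.0.1g behaviour: the same handler with the two length checks added.
 * A request whose claimed payload does not fit inside the record is dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                                    /* too short to even carry a length */
    unsigned char hbtype = rec[0];
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                                    /* the Heartbleed check */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    return write_response(out, rec + 3, payload);
}

/* Portable substring search over a byte buffer. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Sends a 4-byte payload whose length field claims 2000 bytes to `handler`.
 * Returns 1 if the response contains the secret, 0 otherwise. */
int leaks(size_t (*handler)(const unsigned char *, size_t, unsigned char *))
{
    static unsigned char out[MAX_RESPONSE];
    size_t rec_len = build_request(2000, 4);
    size_t n = handler(g_mem, rec_len, out);
    return contains(out, n, SECRET);
}

/* A well-formed request (4 bytes sent, 4 bytes claimed) must still be answered
 * by the fixed handler. Returns the response length: 1 + 2 + 4 + 16 = 23. */
size_t honest_response_len(void)
{
    static unsigned char out[MAX_RESPONSE];
    size_t rec_len = build_request(4, 4);
    return heartbeat_fixed(g_mem, rec_len, out);
}

int main(void)
{
    printf("1.0.1f handler leaks the key: %s\n", leaks(heartbeat_vulnerable) ? "yes" : "no");
    printf("1.0.1g handler leaks the key: %s\n", leaks(heartbeat_fixed) ? "yes" : "no");
    printf("well-formed request answered with %zu bytes\n", honest_response_len());
    return 0;
}
```

The two handlers differ only in the checks at the top of heartbeat_fixed(): the first rejects a record too short to contain a length field at all, the second rejects any record whose claimed payload (plus header and padding) is longer than what the record layer actually delivered. Everything after that, including the memcpy, is unchanged, which is why the patch was a handful of lines and why the pre-patch code could be tricked into copying whatever followed the record in memory.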
Meanwhile, search giant Google said that it has already applied patches to key Google services. In an official blog post the company wrote:
We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services.
Google has rolled out patches for Cloud SQL and suggests that users enable the IP whitelisting function to ensure that only known hosts can access their instances. Customers using Google Compute Engine need to update OpenSSL manually on each running instance, or replace any existing images with versions that include an updated OpenSSL. Once updated, each instance should be rebooted to ensure that every running process is using the updated SSL library (a process that loaded the old shared library keeps using it until it is restarted). Updating the library closes the hole but does not undo any exposure that already happened: any private key or session secret that may have been read from a vulnerable instance should be reissued or reset as well. Google has published step-by-step instructions for this.
For Android, Google said that, “All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).”
Meanwhile, software major Microsoft issued a statement saying that Windows services are not impacted by “Heartbleed”:
Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.
We also want to assure our customers that default configurations of Windows do not include OpenSSL, and are not impacted by this vulnerability. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.
This applies to all Windows operating systems and IIS versions, up to and including IIS 8.5 running on any of the following operating systems:
• Windows Server 2003 and 2003R2
• Windows Server 2008
• Windows Server 2008R2
• Windows Server 2012
• Windows Server 2012R2
Customers running software on Windows that uses OpenSSL instead of SChannel (for example, running the Windows version of Apache) may be vulnerable. We recommend that all customers who may be vulnerable follow the guidance from their software distribution provider.
But a small percentage of Microsoft web servers also appear to support the TLS heartbeat extension; these are most likely vulnerable Linux machines acting as reverse-proxy front ends to Windows servers. That configuration offers no protection: the proxy terminates TLS, so it holds the site’s private key and sees the decrypted traffic, and a clean IIS backend behind it changes nothing.
OpenSSL’s security advisory states that only the 1.0.1 and 1.0.2-beta branches are affected (1.0.1 through 1.0.1f, and 1.0.2-beta1); the older 1.0.0 and 0.9.8 branches do not contain the heartbeat code and are not affected. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the
Popular sites that advertise support for the TLS heartbeat extension include Twitter, GitHub, Yahoo, Tumblr, Steam, Dropbox, HypoVereinsbank, PostFinance, Regents Bank, Commonwealth Bank of Australia, and the anonymous search engine DuckDuckGo. Supporting the extension is not by itself proof of vulnerability, but it is what makes a server running an affected OpenSSL version exploitable, and a successful read leaves nothing in ordinary server logs. The flaw has opened the door to attackers who could have obtained the private keys of websites thought to be secure, and with them user passwords and other sensitive data.