Heartbleed vulnerability, 600 products, 100 vendors – 2 months later, and they are still patching!
by Kasper Lindgaard, Director of Research and Security, Secunia
590 different products from 100 different vendors have so far been recorded as having been
made vulnerable by the Heartbleed vulnerability, which was publicly disclosed on April 7th,
after an untidy disclosure process – a process which caused Heartbleed to send the IT
community reeling, and triggered much more commotion than the vulnerability’s actual
criticality warranted.
When the news about Heartbleed broke, software vendors around the world scrambled to
identify which of their products and services were affected by the vulnerability.
The sense of urgency stemmed from two facts: 1) Heartbleed was exploited immediately
after disclosure (and may have been exploited before), and 2) the disclosure process had
caused rumors and information about Heartbleed to swirl around various online forums for
a week prior to the public disclosure. Additionally, some of the big providers had a
head start and were able to patch their servers prior to disclosure – confirmed are Facebook,
Akamai, CloudFlare and of course Google, whose researcher Neel Mehta originally
discovered Heartbleed.
This semi-publicity effectively meant that all hackers great and small would have had ample
opportunity to develop and use exploits, targeting any product relying on a vulnerable
version of OpenSSL – and thereby any organization using one of those products within their
IT infrastructure, as well as private users using one of these products.
The underlying drama was that, because of the nature of Heartbleed, you couldn’t actually
tell if you had been hacked. You were essentially fighting flimsy ghosts that could quickly
turn into corporeal monsters.
The vendors: Identification and fixing
For the software vendors, time was of the essence – development teams, product teams and
internal IT teams everywhere went through code to identify which products had which
versions of OpenSSL installed.
Once identified, the vulnerable programs needed to be patched, the impact applicable to
their set-up analyzed and then customers had to be informed of the issue(s) and of the fix,
which could include a reset of passwords.
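The first step the vendors faced, working out which products shipped which OpenSSL build, is a version-inventory problem. The following script is an added illustration of that triage step and is not code from the article or from Secunia. It assumes an inventory of product banners (constructed samples here) and takes the affected version range from the public OpenSSL advisory, which the article does not state: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g is fixed.

```python
"""Triage an inventory of OpenSSL version banners against the Heartbleed-affected range.

Added example, not from the article or Secunia.  The affected range below is
an assumption taken from the public OpenSSL advisory; the inventory entries
are constructed samples, not real products.
"""
import re

# Constructed inventory: (product name, output of `openssl version` or a
# version banner embedded in the product).  Not real products.
INVENTORY = [
    ("appliance-A", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("appliance-B", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("appliance-C", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("appliance-D", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("appliance-E", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("appliance-F", "no version banner found"),
]

# major.minor.patch, optional patch letter(s), optional "-suffix" (beta1, fips, ...)
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?")


def parse_version(banner):
    """Return (major, minor, patch, letter, suffix) parsed from a banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, (suffix or "").lower()


def is_affected(banner):
    """True if the banner is in the affected range, False if not, None if unparseable.

    Assumed range (public advisory, not from the article):
    1.0.1 without letter through 1.0.1f, plus 1.0.2-beta1.  1.0.1g and later,
    and the 0.9.8 / 1.0.0 branches, never contained the heartbeat bug.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return None
    major, minor, patch, letter, suffix = parsed
    if (major, minor, patch) == (1, 0, 1):
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"
    return False


def triage(inventory):
    """Map each product name to 'affected', 'not affected' or 'unknown'."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {name: labels[is_affected(banner)] for name, banner in inventory}


if __name__ == "__main__":
    for name, status in sorted(triage(INVENTORY).items()):
        print(f"{name:12s} {status}")
```

A banner match is a triage signal, not a verdict: distributions that backport fixes keep the old version string (a patched build can still report 1.0.1e), so anything flagged here still needs confirmation from the package changelog or a direct test of the service before it goes on the customer advisory.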
In the ensuing weeks, the internet abounded with stories about servers and routers being
vulnerable and how the risk of erroneous updates was making matters worse. Experts were
advising businesses and end-users on what actions to take to protect themselves, and
everybody’s pulse was kept up, which from a security awareness perspective is a positive
effect that hopefully has some residual effect.
12 Cyber Warnings E-Magazine – July 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide