The 'Heartbleed' security flaw affects most of the Internet
Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
2014-04-09 09:43 by Daniela
Tags: Heartbleed, OpenSSL, security
Millions of websites may have been leaking critically sensitive data for the past two years, thanks to a flaw in the OpenSSL software many sites use to encrypt and transmit data. OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 release are affected; older branches such as 0.9.8 and 1.0.0 do not carry the bug. The security researchers who uncovered the flaw, known as "Heartbleed," are particularly worried because it sat in released code for more than two years before anyone noticed.
There are no documented instances of attacks exploiting the Heartbleed bug. But because an attack using the bug leaves no trace in the server's logs, and the potential damage from an attack is so significant, every site that ever ran an affected version of OpenSSL should be assumed compromised. In practice that means patching is only the first step: private keys and certificates should be reissued and existing session credentials invalidated, since installing the fix does nothing about whatever may already have been read from memory.
On April 7, OpenSSL released version 1.0.1g, which fixes the flaw. Patched packages are already available from the major Linux distributions, including Debian, CentOS, Red Hat, SUSE Linux and Ubuntu, while other vendors have been slower to update.
The bug is tracked as CVE-2014-0160 and lives in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520). A heartbeat request carries a payload and a two-byte field stating the payload's length; the vulnerable code trusts that stated length instead of checking it against the size of the record actually received, and copies that many bytes from memory into the response. An attacker can therefore read up to 64 KB of process memory from a server or client running a vulnerable OpenSSL with each malformed request, and because requests can be repeated indefinitely, 64 KB bounds a single response, not the total that can be extracted.
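To make the mechanism concrete, here is a simplified model of the heartbeat handling, added for this article and not OpenSSL's own code: the vulnerable handler beside a hardened one in the shape of the 1.0.1g fix, both run against a constructed memory arena in which a secret sits immediately after the incoming request. The arena, the secret value, build_request, response_len and leaks_secret are inventions for the demonstration; only the message layout follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a TLS heartbeat message (RFC 6520):
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 */
#define HB_REQUEST  1
#define HB_PADDING  16
#define ARENA_SIZE  1024   /* constructed stand-in for the process heap */
#define OUT_SIZE    512    /* response buffer; keeps over-reads inside the arena */

/* The incoming record is placed at the start of the arena and a secret that
 * has nothing to do with heartbeats is placed right after it, as adjacent
 * heap data would be. Both are constructed for this demonstration. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session-cookie=0123456789abcdef";

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Writes a heartbeat request whose length field claims `claimed` payload
 * bytes while only `actual` bytes are really present, then stores the secret
 * after it. Returns the record length as the TLS record layer would see it. */
size_t build_request(uint16_t claimed, size_t actual)
{
    size_t n = 0;
    memset(arena, 0, sizeof arena);
    arena[n++] = HB_REQUEST;
    arena[n++] = (unsigned char)(claimed >> 8);
    arena[n++] = (unsigned char)(claimed & 0xff);
    memset(arena + n, 'A', actual);
    n += actual;
    memset(arena + n, 'P', HB_PADDING);
    n += HB_PADDING;
    memcpy(arena + n, secret, sizeof secret);
    return n;
}

/* Vulnerable handler: echoes as many bytes as the peer claims, never asking
 * how many bytes the record actually carried. Returns bytes echoed. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                    /* the missing check */
    if (type != HB_REQUEST || payload > out_cap)
        return 0;
    memcpy(out, p, payload);          /* reads past the end of the record */
    return payload;
}

/* Hardened handler: discard the request unless the record really holds
 * type + length + payload + minimum padding. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char type;
    uint16_t payload;
    if (rec_len < 1 + 2 + HB_PADDING) /* cannot even hold the header */
        return 0;
    type = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST || payload > out_cap)
        return 0;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                     /* claimed length exceeds the record */
    memcpy(out, p, payload);
    return payload;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Feeds a handler a request claiming `claimed` payload bytes but carrying
 * `actual`; returns the length of the response it would send. */
size_t response_len(hb_handler h, uint16_t claimed, size_t actual)
{
    unsigned char out[OUT_SIZE];
    size_t rec_len = build_request(claimed, actual);
    return h(arena, rec_len, out, sizeof out);
}

/* Same request, but reports whether the adjacent secret ended up in the
 * response: 1 if leaked, 0 otherwise. */
int leaks_secret(hb_handler h, uint16_t claimed, size_t actual)
{
    unsigned char out[OUT_SIZE];
    size_t rec_len = build_request(claimed, actual);
    size_t n = h(arena, rec_len, out, sizeof out);
    return contains(out, n, secret);
}

int main(void)
{
    /* Claim 200 bytes, send 8. The claim is kept below OUT_SIZE so this
     * program only reads memory it owns; a real attacker claims 65535. */
    printf("vulnerable: %zu bytes echoed, secret leaked: %s\n",
           response_len(heartbeat_vulnerable, 200, 8),
           leaks_secret(heartbeat_vulnerable, 200, 8) ? "yes" : "no");
    printf("fixed:      %zu bytes echoed, secret leaked: %s\n",
           response_len(heartbeat_fixed, 200, 8),
           leaks_secret(heartbeat_fixed, 200, 8) ? "yes" : "no");
    return 0;
}
```

Compile with any C99 compiler and run: the vulnerable handler echoes 200 bytes, 31 of which are the neighbouring secret, while the fixed handler drops the request and echoes nothing. The detail worth noticing is where the check lands. It has to run before the copy, and it has to account for the 16 bytes of mandatory padding, which is why the comparison is 1 + 2 + payload + 16 against the record length rather than payload alone; a check that forgets the padding still lets an attacker read 16 bytes past the record.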