The 'Heartbleed' security flaw affects most of the Internet

Millions of websites may have been leaking critically sensitive data for the past two years, thanks to a flaw in the OpenSSL software many sites use to encrypt and transmit data. OpenSSL Versions 1.0.1 and 1.0.2 beta are affected by the vulnerability. Security researchers who uncovered the threat, known as "Heartbleed," are particularly worried about the breach because it went undetected for more than two years.

"This is very significant because the hack allows you to extract up to 64 kilobits of server memory at a time. So you submit some malformed request to the server, get 64 kbit/s of server memory and whatever is in that chunk of memory," Ivan Ristic, who heads up the SSL Labs at Qualys, said. "By nature of things, it handles sensitive information, including the private key of the server. If you get that, you can impersonate the server."

There have been no documented instances of attacks exploiting the Heartbleed bug. But because an attack using the bug would leave no trace, and the potential damage from an attack would be so significant, all websites that ever used the affected versions of OpenSSL should be considered compromised.

Yesterday, OpenSSL released a patch for the threat. Patching has been under way for many major operators and server vendors, including Debian, CentOS, RedHat, SUSE Linux, and Ubuntu, while others have been slower to update.

"Many major websites have not been patched yet. It's difficult to do if you are running multiple devices that need to be patched for it - you have to wait," Ristic said. "Someone with a large infrastructure may take some time to update. This is emergency patching all around the Internet." 

The bug is officially referenced as CVE-2014-0160, and makes it possible for attackers to recover up to 64 kb of memory from the server or client computer running a vulnerable OpenSSL version.

Read more -here-
Also see: Critical crypto bug in OpenSSL