Microsoft: Our online services are not affected by "Heartbleed" OpenSSL issue

The "Heartbleed" vulnerability in the OpenSSL cryptographic library has been getting a great deal of media attention this week. The bug, a missing bounds check in OpenSSL's handling of the TLS heartbeat extension, lets an unauthenticated remote peer read chunks of a server's memory, which can include session cookies, passwords and private keys. It has prompted many software companies to quickly patch their OpenSSL-based products, and website administrators are urging customers to change their passwords.

In the middle of all this, Microsoft has quietly issued a post on its security blog that claims users of its many online services don't have to worry about "Heartbleed". The post states that the company has conducted a review of its online services this week following the discovery of the OpenSSL flaw.

The blog said:

After a thorough investigation, Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, along with most Microsoft Services, are not impacted by the OpenSSL “Heartbleed” vulnerability. Windows’ implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections.

Microsoft points out that all of its customers should be "vigilant" when it comes to checking on their online accounts, and that they should change passwords on a regular basis. Using strong, unique passwords is also the best bet for keeping accounts safe from attack. One caveat applies to password changes anywhere: changing a password on a service that is still running a vulnerable OpenSSL build does not help, since the new credential can be read out of server memory just like the old one, so the change should follow the server-side patch (and, for affected sites, certificate reissue).
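The flaw at the center of the story, as an added worked example that is not part of the original article or of OpenSSL's code: a Python model of TLS heartbeat handling, with the pre-fix logic that trusts the peer's declared payload length beside the fixed logic that checks it against the record length. The process memory layout, the secret sitting next to the record, and all helper names are constructed for the demonstration and are not taken from OpenSSL.

```python
import struct

HB_REQUEST = 1        # TLS heartbeat message types (RFC 6520)
HB_RESPONSE = 2
PADDING_LEN = 16      # minimum padding that follows the payload


def build_heartbeat(declared_len: int, payload: bytes) -> bytes:
    """Encode a heartbeat request: type(1) | payload_length(2) | payload | padding(16).

    declared_len is written into the length field independently of len(payload);
    that mismatch is exactly what a Heartbleed probe relies on.
    """
    return bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + b"\x00" * PADDING_LEN


def parse_header(record: bytes):
    """Return (type, declared payload length, offset of the payload)."""
    return record[0], struct.unpack("!H", record[1:3])[0], 3


def heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: echo payload_len bytes starting at the payload.

    memory[:record_len] is the received heartbeat record; memory[record_len:]
    models whatever happened to sit after it on the heap (constructed here).
    The declared length is never compared with record_len, so the reply runs
    past the record. (Python slicing stops at the end of the buffer; the C
    code kept reading adjacent heap memory.)
    """
    hb_type, payload_len, off = parse_header(memory)
    if hb_type != HB_REQUEST:
        return b""
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + memory[off:off + payload_len]


def heartbeat_fixed(memory: bytes, record_len: int) -> bytes:
    """Patched behaviour: the declared payload must fit inside the record."""
    if 1 + 2 + PADDING_LEN > record_len:
        return b""  # too short to carry even an empty heartbeat; discard
    hb_type, payload_len, off = parse_header(memory)
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return b""  # declared length exceeds the record: discard silently
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + memory[off:off + payload_len]


# Constructed process memory: a malicious record followed by unrelated data.
SECRET = b"user=alice; session=0x5f3a9c; -----BEGIN RSA PRIVATE KEY-----"
MALICIOUS = build_heartbeat(0x4000, b"hi")          # claims 16384 bytes, sends 2
MEMORY = MALICIOUS + b"\x00" * 40 + SECRET + b"\x00" * 0x4000

HONEST = build_heartbeat(2, b"hi")                  # declared length matches payload


def leaked_by_vulnerable_server() -> bytes:
    """Bytes beyond the legitimate payload that the pre-fix code sends back."""
    reply = heartbeat_vulnerable(MEMORY, len(MALICIOUS))
    return reply[3:][len(b"hi"):]   # everything after the 2 real payload bytes


if __name__ == "__main__":
    print("vulnerable server leaks secret:", SECRET in leaked_by_vulnerable_server())
    print("fixed reply to probe:", heartbeat_fixed(MEMORY, len(MALICIOUS)))
    print("fixed reply to honest request:", heartbeat_fixed(HONEST, len(HONEST)))
```

The two comparisons in heartbeat_fixed are the same two checks the OpenSSL patch added; the vulnerable variant mirrors the original code by never consulting the record length at all, which is why a 16 KB reply to a 2-byte request was possible.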

Source: Microsoft | Image via Microsoft


Did anyone think Microsoft was using that ruddy software anyhow? I guess this is because Skype used to run on OSS? Surely they've moved completely away from it like with Hotmail!

The irony is that after two years of the bug, the developer declares that the discovery of the bug is due to power of 'open source'.

...and yes I spit my soda when reading it.

(Does he not realize that the exploiters of the flaw probably did read his code?)

Well, it did allegedly allow the NSA to use the bug successfully for almost two years, so yeah ....

All kidding aside, I don't think the open or closed nature of a software product is a major factor in the discovery of bugs. Most bugs are found by automated processes or trial and error anyway, not by simply reading source code.

XerXis said,
Well, it did allegedly allow the NSA to use the bug successfully for almost two years, so yeah ....

All kidding aside, I don't think the open or closed nature of a software product is a major factor in the discovery of bugs. Most bugs are found by automated processes or trial and error anyway, not by simply reading source code.

I don't have an issue with closed or open but one of the arguments for open source was that "more eyes on the code means it's more secure" or something to that extent. It's something they always tossed out as being an advantage and that closed source could have bugs and back doors all over it and no one knows because they can't see it and check.

Well, this OpenSSL bug just took that argument and tossed it out the window in my mind

George P said,

I don't have an issue with closed or open but one of the arguments for open source was that "more eyes on the code means it's more secure" or something to that extent. It's something they always tossed out as being an advantage and that closed source could have bugs and back doors all over it and no one knows because they can't see it and check.

Well, this OpenSSL bug just took that argument and tossed it out the window in my mind

Open source gives third parties the possibility of reviewing and auditing the code. Just because the possibility exists doesn't mean that they'll be doing that, and certainly not for every open source project.

So basically open source can be more secure if it's thoroughly and regularly audited, not just for the sake of being open source.

Exactly the same applies to closed source, only that only the project devs can review their own code.

Then on the other hand, CloudFlare fixed the flaw a week before it was publicly announced. I don't think they would have been able to do that if we were talking about a closed source product.

ichi said,

Open source gives third parties the possibility of reviewing and auditing the code. Just because the possibility exists doesn't mean that they'll be doing that, and certainly not for every open source project.

So basically open source can be more secure if it's thoroughly and regularly audited, not just for the sake of being open source.

Exactly the same applies to closed source, only that only the project devs can review their own code.

Then on the other hand, CloudFlare fixed the flaw a week before it was publicly announced. I don't think they would have been able to do that if we were talking about a closed source product.

This is not accurate. Closed source is often reviewed by 3rd parties. Even 'trade secret' level code is often reviewed by both internal review and external entities.

Even Windows itself is reviewed by external sources as required for government certification, etc.

I also would argue that open source is NOT more secure, because too many eyes have access to it.

Follow me for a moment. All it takes is one genius to go through open source code and find flaws that others would miss. This person has NO obligation or responsibility to report the flaw and can use it for their own means.

I have worked with people like this that need to legally break into or exploit a secured system. They go grab a chunk of code from a viable entry point, and they are smarter than the people that wrote the code, and they then craft an exploit against that code.

Open source in 'theory' could be more secure, but in practice it is seldom reviewed and even less reviewed by people that are smarter than the original coder.

Maybe this would be a better analogy...
Would you rather have secure code reviewed by 10-20 of the brightest engineers in the world, or have secure code reviewed by 1000 mediocre coders?

Mobius Enigma said,

This is not accurate. Closed source is often reviewed by 3rd parties. Even 'trade secret' level code is often reviewed by both internal review and external entities.

Some is reviewed by some third parties, most is likely not.
Can you get the source you are given to audit and build the app, or are you trusting that it'll be exactly the same code that has gone into the binaries?

Mobius Enigma said,

Maybe this would be a better analogy...
Would you rather have secure code reviewed by 10-20 of the brightest engineers in the world, or have secure code reviewed by 1000 mediocre coders?

You are making two wild assumptions there.

George P said,
Well, this OpenSSL bug just took that argument and tossed it out the window in my mind

This isn't even the first example of it. OpenSSL was two years. Debian's predictable SSL key bug also went undiscovered for a few years. The performance counter bug in the kernel (another root escalation exploit) went for a couple of years before being caught and fixed. The vulnerability in the GnuTLS library went on for 10 years before being caught. The "many eyes" thing is a great tagline, but in reality it doesn't work that way; its track record is no better.

ichi said,

Some is reviewed by some third parties, most is likely not.
Can you get the source you are given to audit and build the app, or are you trusting that it'll be exactly the same code that has gone into the binaries?

You are making two wild assumptions there.

/sarcasm on

You know, you are right. There have been massive Windows Server compromises compared to open source OSes. The whole OpenSSL thing never really happened; in fact I personally made it up. Also, none of the other open source based exploits discovered over the past few years ever really happened; it was all a dream. Also, that malware running on your favorite Android device isn't really there; you can just ignore it.

I apologize for misleading you that open source in practice isn't perfectly secure.

/sarcasm off

Mobius Enigma said,

/sarcasm on

You know, you are right. There have been massive Windows Server compromises compared to open source OSes. The whole OpenSSL thing never really happened; in fact I personally made it up. Also, none of the other open source based exploits discovered over the past few years ever really happened; it was all a dream. Also, that malware running on your favorite Android device isn't really there; you can just ignore it.

I apologize for misleading you that open source in practice isn't perfectly secure.

/sarcasm off

Congrats, you achieved a perfect strawman there.

Mobius Enigma said,

If you are going to analyze my sarcasm, at least get your terminology correct.

I'm not analyzing your sarcasm, I'm qualifying the content of your post: misrepresentation of the quote through exaggeration and oversimplification.

Just because you chose to use sarcasm to attack the strawman you set up doesn't change the fallaciousness of your post.

I get hit all the time at work that we should move our platform to the LAMP stack, as they constantly deride Windows Server and IIS as insecure and unstable in comparison to Linux and Apache. Yet I have found that the worst security issues occur with Apache Tomcat and Apache Web Server.

There's a lot that has to do with simple configuration. Back in the day, IIS' default state was to have pretty much every feature on, which gave it a broad attack surface. You could lock it down to reduce that attack area, but a lazy admin wouldn't, and a non-lazy but non-expert admin might miss something. More recent versions of IIS have been the exact opposite, with almost everything initially disabled, needing the admin to activate what they needed. Funny thing is, though, Apache used to be where IIS is now, and it seems to be moving to where IIS used to be (more things on by default).

There are other issues to consider, of course, but this is an interesting one

Rudy said,
Early 2000s IIS was very insecure and ended up getting exploited a LOT.

Windows Server and IIS are two different things, it's like saying Linux is very insecure because of all the Apache vulnerabilities. (And there were quite a few of those.)

Rudy said,

Early 2000s IIS was very insecure and ended up getting exploited a LOT. I'm sure MS fixed it really well, but it left a really bitter taste in a lot of people's mouths. Again, like I said, I'm sure it's secure now. Here's some of the malware that hit it back then:

Ah, I remember all the problems from those days. Windows Server became extremely secure around the time of 2003/2003 R2 when Microsoft started taking security seriously.

Article authors don't get alerted to comments; if you hover over the author name at the top of the article, you'll get a menu whose last option is "Report an issue". This will alert the author and get it fixed more quickly.

Sraf said,
Article authors don't get alerted to comments; if you hover over the author name at the top of the article, you'll get a menu whose last option is "Report an issue". This will alert the author and get it fixed more quickly.

Was looking for that.