A new security flaw affecting OpenSSL, the popular cryptographic library used by many websites, has been discovered and is reported to be very serious.
According to the Heartbleed website, the zero-day vulnerability found in OpenSSL affects the stable version 1.0.1 and the 1.0.2 beta version. Older versions of OpenSSL such as 0.9.8 used in Mac OS and iOS and 1.0.0 are not vulnerable to "Heartbleed". Although the vulnerability has been addressed in OpenSSL's version 1.0.1g, it is present in prior versions up to 1.0.1f. Exploiting this flaw, hackers can obtain primary and secondary SSL keys in addition to directly hijacking data being transferred over HTTPS.
Some web companies such as CloudFlare which provides security services for other websites, have used methods recommended by OpenSSL and patched the "Heartbleed" flaw but the methods are not ready for broad deployment according to a report from ZDNet.
Open source firms Red Hat, Debian, SuSE, Canonical, and Oracle are reportedly working hard to patch the OpenSSL vulnerability in their operating systems and are expected to release the patches in 12 hours. Administrators are advised to deploy these patches for operating systems and network equipment as soon as they are made available by manufacturers and software developers.
Source: Heartbleed via ZDNet | Image via Threat Post
23 Comments - Add comment