Heartbleed: Serious OpenSSL zero day vulnerability revealed

Summary: A new OpenSSL vulnerability has been disclosed, and some companies are annoyed that the bug was revealed before patches could be delivered for it. Updated April 8.

New security holes are always showing up. The latest one, the so-called Heartbleed Bug in the OpenSSL cryptographic library, is an especially bad one.

[Image: Heartbleed OpenSSL zero-day vulnerability.]

While Heartbleed only affects OpenSSL 1.0.1 and the 1.0.2-beta release, 1.0.1 is already broadly deployed. Since Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are at the heart of Internet security, this security hole is serious.

The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as skeleton keys to bypass secure servers without leaving a trace that a site had been hacked.

This bug is not a problem with OpenSSL's inherent design. It's an implementation problem; that is to say, it is the result of a programming mistake. A fix for the 1.0.1 line is already available in OpenSSL 1.0.1g. Work is proceeding rapidly on a fix for the 1.0.2-beta line.

That's bad enough, but what really has some operating system and security companies ticked is this: while OpenSSL and others were hard at work delivering the patched versions that would have limited the problem's possible use by blackhat hackers, CloudFlare, a Web security company, revealed details about the security hole in a blog posting and announced that they had fixed the bug. They appear to have used the methods described by OpenSSL. Unfortunately for everyone else, these methods were not ready for broad deployment.

According to one senior security developer at a major operating system company, "The main problem with what CloudFlare did was that they jumped the gun before the FIRST AVAILABLE patches were available to users. You don't open the door and wave a red flag before the patches are ready to go."

John Graham-Cumming, a CloudFlare programmer, insisted that this misrepresented CloudFlare's impact on the news of the Heartbleed security hole, since the OpenSSL announcement had been posted to Hacker News earlier.

At this time, I am informed by sources that Red Hat, Debian, SuSE, Canonical, and Oracle, to name a few, are working at a feverish pace to get the patched versions of OpenSSL out to their clients. It's expected that it may take approximately 12 hours to deliver the patches. Once they become available, anyone using OpenSSL 1.0.1 or 1.0.2 must deploy the patched version as fast as possible.

Topics: Security, Networking, Open Source

About

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system; 300bps was a fast Internet connection; WordStar was the state of the art word processor; and we liked it. His work has been published in everything from highly technical publications...
