Heartbleed security patches coming fast and furious


Summary: Fixes for the highly dangerous OpenSSL Heartbleed security hole are arriving now. Update your servers ASAP.


Make no mistake about it: the OpenSSL Heartbleed security hole is as serious for Internet security as a stage four cancer diagnosis would be for you. Worse still, OpenSSL 1.0.1, the one production version affected, had been shipping since March 12, 2012. That means tens of millions of Web sites have potentially been vulnerable to attacks via this hole. Fortunately, OpenSSL repaired it with the release of OpenSSL 1.0.1g on April 7.


How bad is this bug? Popular sites such as Yahoo, Imgur, and OKCupid have all been hit by it. Since OpenSSL is the default Secure Sockets Layer/Transport Layer Security (SSL/TLS) library for the Apache and NGINX Web servers, some estimates claim that as many as two-thirds of all "secured" Web sites are vulnerable to Heartbleed.

Worse still, proof-of-concept scripts are now available, so script kiddies can try to attack secure Web sites. Is your Web site vulnerable to such an assault? You can check your site with the Heartbleed test.

The good news is that operating system companies are now delivering the OpenSSL patches to their clients. So far, the fixed Linux operating systems include CentOS, Debian, Fedora, Red Hat, openSUSE, and Ubuntu; SUSE Linux Enterprise Server (SLES) was not affected.

If you are in any doubt about your servers' security, check them for the bug and update them as soon as possible with the appropriate patch. This is no time to fool around with your security. Your systems', users', and customers' security all depend upon fixing this problem as quickly as possible.


Talkback

47 comments
  • You forgot one tiny thing

    If your server is affected, not only patch OpenSSL, but also revoke your website certificate, create a new private key and request a new certificate from whatever CA you are using; the chance that your private key has been leaked is there, making your SSL protection useless.

    I don't think the estimates are correct though, many websites are probably still running older versions of openssl, which are not affected.
    sjaak327
    • Web sites running Debian old-stable, as an example

      Debian old-stable is not vulnerable:

      http://www.debian.org/security/2014/dsa-2896
      Rabid Howler Monkey
      • Nor is CentOS 5

        A quick check indicates OpenSSL 0.9.8e, which doesn't have the bug. Conservatism does have its advantages.

        I just updated our server running current Debian stable; it was affected.
        John L. Ries
        • CentOS 6.5 was

          I had to patch it today.
          sjaak327
  • The Rest Of You

    Please begin compiling "talking points" extolling the virtues of Linux and how secure it is and is therefore not susceptible to malware.
    Mujibahr
    • Meh!

      .
      daikon
    • Talking points

      Talking Point #1: Linux is so secure that when a bug is identified that leaves most of the internet open to hackers, nearly the entire Linux community is able to patch the bug within hours of the vulnerability being reported.
      5up Mushroom
      • of course the fact

        That the bug was actually in the code for over two years does make the remarks that because it is open source, it by default less susceptible to coding errors a downright fairytale. Just as the remark that just because it is open sources such flaws are easily discovered.

        We are not talking about some obscure library either.
        sjaak327
        • From the openssl home page:

          "CVE-2014-0160: 7th April 2014
          A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.

          Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) "

          Maybe you don't understand the words: "This issue did not affect versions of OpenSSL prior to 1.0.1."?

          Nice try though
          anothercanuck
          • OpenSSL was released March 2012.

            Given it's April 2014 I'd say his comment of two years was right on the money.
            ye
          • I meant to say OpenSSL 1.0.1 was released March 2012.

            Need edit button ZDNet.
            ye
          • What nice try ?

            Of course older versions of OpenSSL are not affected; the feature was introduced in 1.0.1, which was released in March 2012, and the code was submitted in December 2011. My remark is factually correct.

            The code was in for over two years and in 7 subsequent versions of the library.
            sjaak327
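Added example (not from the article or any commenter) illustrating the "missing bounds check" described in the OpenSSL advisory quoted above: a simplified heartbeat handler in C that applies the record-length check the 1.0.1g fix introduced, run on two constructed records. The message layout follows RFC 6520; the constants, function names and sample records are assumptions for this example, not OpenSSL's own code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed heartbeat layout (RFC 6520), not OpenSSL's own structures:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16 bytes) */
#define HB_HDR 3
#define HB_PAD 16

/* Constructed sample records: the second claims 65535 payload bytes but carries only 4. */
static const uint8_t hb_honest[]    = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g',
                                        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t hb_oversized[] = { 1, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
                                        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static size_t hb_claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Bytes past the record end that a handler trusting payload_length would copy into its reply. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR) return 0;
    size_t avail = rec_len - HB_HDR, claimed = hb_claimed_len(rec);
    return claimed > avail ? claimed - avail : 0;
}

/* Hardened handler: the record length bounds the claimed length before any copy (the 1.0.1g check). */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < HB_HDR + HB_PAD || rec[0] != 1) return -1; /* too short, or not a request */
    size_t claimed = hb_claimed_len(rec);
    if (HB_HDR + claimed + HB_PAD > rec_len) return -1;       /* the previously missing check */
    size_t resp_len = HB_HDR + claimed + HB_PAD;
    if (resp_len > out_cap) return -1;
    out[0] = 2;                                  /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);  /* echo only bytes the peer actually sent */
    memset(out + HB_HDR + claimed, 0, HB_PAD);   /* real implementations use random padding */
    *out_len = resp_len;
    return 0;
}

/* Response length for a record, or -1 if the hardened handler rejects it. */
long hb_response_len(const uint8_t *rec, size_t rec_len) {
    static uint8_t out[70000]; size_t n = 0;
    return hb_build_response(rec, rec_len, out, sizeof out, &n) == 0 ? (long)n : -1;
}

int main(void) {
    printf("honest:    overread=%zu response_len=%ld\n", hb_overread_bytes(hb_honest, sizeof hb_honest), hb_response_len(hb_honest, sizeof hb_honest));
    printf("oversized: overread=%zu response_len=%ld\n", hb_overread_bytes(hb_oversized, sizeof hb_oversized), hb_response_len(hb_oversized, sizeof hb_oversized));
    return 0;
}
```

The oversized record would make an unchecked handler copy 65515 bytes beyond the 23-byte record, which is the "up to 64kB" disclosure the advisory describes; the hardened handler rejects it outright.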
        • not a fairytale

          "That the bug was actually in the code for over two years does make the remarks that because it is open source, it by default less susceptible to coding errors a downright fairytale."

          That's going to be my logical fallacy of the day. Which is pretty impressive since it's just 9:20am my time.

          I'm not going to comment on whether or not open source is more or less secure than closed source products, but I will ask this question: In what universe does one bug automatically invalidate years of security through openness?

          Your statement is equivalent to saying that the crash of one airplane invalidates remarks by people saying air travel is inherently safer than travel by automobile (for the record, your chances of being killed in a car crash are far greater than being killed in an airplane accident).

          So I'm not sure if you are trying to troll or you just don't understand the concept of equivalency. Either way, good troll, sir, good troll.
          rascellian
          • you and I both know

            This isn't the first major bug in open source software, and you and I are both sure it won't be the last.

            The notion that just because open source is 'open' and because everyone can review the source code it suddenly would be better or more secure is indeed a fairy tale. As if closed source products coded by commercial companies do not go through rigorous code review and testing.

            This example, and quite a few before it simply show that most people do not review code and the few that do might overlook the flaw. This happens on both sides of the fence, simply because on both sides humans are doing the work.

            No attempt at trolling, just applying common sense combined with relevant history.
            sjaak327
          • Unfair misrepresentation of the issue!!

            My my. As I once heard someone say; "How the tune changes as the movie plays out".

            The point is not that people are suddenly saying a single plane crash is proof that planes are as dangerous as cars. Not at all.

            The point IS as follows:

            Not all open source enthusiasts are nuts any more than all Mac users or Windows users are nuts. But some in each camp are. The ones that are nuts make claims that are any combination of ridiculous, outrageous, greatly exaggerated, largely irrelevant, or outright lies. There are too many from each camp that come to read, post and play at ZDNet. And at one time or another any of them might be doing any of the above each and every day here.

            They make the above ridiculous and stupid remarks they do because they seem to think there is some kind of "war" going on between Macs, Windows and Linux that has to be won by their side at all costs. There is business competition, not a war. They need to extract their shabby self esteem from their operating system of choice and come back to the world of the living and personal self worth.

            If someone from the Mac camp or Windows camp is saying that "one bug automatically invalidates years of security through openness" then they are one of the NUTS and should leave all the sane ones here alone and just go away and bug someone else.

            ON THE OTHER HAND....

            One of the reasons the fires of these imaginary OS wars have raged on endlessly here is that there has been a special kind of fuel frequently added from time to time that keeps the fires burning.

            Inferring and implication and innuendoes are at the root of that special fuel.

            What the inferences and implications and innuendoes from the nuts in the Linux camp have been is that because open source has some security advantages, those advantages mean that Windows is so lax in security that most if not everyone should leave Windows behind. And that is nuts.

            That would be like saying that because airplanes are safer than cars, people should give up cars in favor of flying.

            Your analogy between cars and planes speaks to the truth of the matter far more than you might ever have considered. The implication has always seemed to be that it's not just that Linux is "more" secure than Windows, but that it's so much more secure as to make it practically impervious. Now I know the oh so clever nut bars will jump to the rescue here and claim they never said that, but I have already pointed out that this has simply been the "inference" or "implication", not the spoken word, even though I have seen many instances that have come plenty close to the spoken word itself.

            The whole "open source" vs. Windows security battle has repeatedly failed to address the bottom line reality of PC security, and the end result has been endless bickering about the security differences. And in practical terms for the world in general, the argument is "pie in the sky" moot.

            So firstly, no, one bug does not automatically invalidate years of security through openness. Secondly, whatever great level of security, and for that matter even stability, Linux has to advantage over Windows in no way represents sufficient reason for the vast majority of Windows users to even consider switching to Linux. It would be every tiny bit just as illogical to assert that the better safety of airplanes means the vast majority of people should give up the automobile.

            We all know and accept inherently that even with the poorer safety record of the automobile, they are safe enough, particularly when used in a reasonable manner, that almost everyone, countless millions who travel by automobile, will not be involved in a catastrophe, and because of the many other good things an automobile has going for it, nobody should be inclined to give up their car just because a plane is safer. Likewise with Linux security vs. Windows security.

            This should seem obvious. But given the ridiculous battle that rages on even today about how wonderfully secure Linux is and how that should induce just about anyone to switch operating systems from Windows. And it seems that the only way the Linux enthusiasts can really drive home the point, due to the reality that Windows does not collapse everyday by the millions, is to all but imply outright that Linux is practically impenetrable. Admittedly; if that was true, it would be a pretty good point. Being much more secure is one thing. Being impervious to present and future assaults is fairly amazing.

            The end result is, Windows enthusiasts find themselves snubbed in the debate when they claim they find Windows security not to be a problem. Again, it's one thing to say you don't have any major or significant security problems, but if you're comparing yourself to a system whose advocates imply it's practically invincible because it's of open source origin, well, you get snubbed.

            So, it should be of no wonder at all that when an open source product that is heavily relied upon through large swaths of the internet falls prey to a built in vulnerability that creates the potential for disaster, you get pointing fingers from the Windows crowd as proof that even the most important of open source programming is definitively not impervious and as a result is at least some proof that any open source product may have hidden and undiscovered vulnerabilities that could be discovered leading to disastrous results.

            While the reality still is that one bug does NOT automatically invalidate years of security through openness, it does prove beyond any doubt that the nit picking about Windows security is in the big picture POINTLESS. We live in a world of proof that no system is perfect, and we have seen the impact of unloading millions on millions of copies of any code base of an OS on the public; it soon reveals shortcomings, as in both iOS and the Android OS.

            Is any popular OS in the world today worth switching out of simply because its security is that bad?

            No! 100%+ NO! No popular OS has to this day shown such a poor security performance that for any average user it's worthwhile switching operating systems based on bad security.

            So let it go. It's not of issue in some general way. Certainly not the way people have waged wars on it around here. If security is a special issue for you and it's what you value way higher than anything else, then that has to be a good selling point for Linux. But if you are much like the many hundreds of millions of users around the world who are average people who are not hiding the combination to the lock on Fort Knox, then security is good enough by far in all the major OS's to make it a back seat issue by far, at least until you hear something new or different.

            And as we've seen with Heartbleed, if and when there is something new, that doesn't mean it's going to be something bad from Windows; it could even be something truly horrible from open source.

            You never know.
            Cayble
      • The entire community?

        From this article it sounds like *some* Linux distros have a patch ready, but nowhere does it say ALL do.

        Furthermore, the only reason these patches are stumbling out now is because some jackhats spilled the beans early and left many developers scrambling to fix or create patches in a mad rush.

        This is a case where the open nature of Linux didn't work and actually worked against a better result.
        Emacho
    • The open vs closed source debate will rumble on, but...

      This fiasco begs some pretty serious questions of our so-called "security services", doesn't it?

      Perhaps if the spooks spent as much of their vast resources looking for serious threats such as this, as they do bugging our phones and hacking our Facebook accounts, our world would be a much safer place?
      mrgoose
  • Oh Please...

    Anything is subject to programming flaws. We are a Windows only shop (software constrains OS choice) and as much as I might dislike other aspects of Linux (supportability), I'm envious of the fact that Linux was designed from the ground up with fundamental focus on security.
    ghastly
    • So was Windows.

      Your point?
      ye
      • For a carefully chosen definition of "Windows", eh?

        I gather you're not including Windows 3.1, Windows 95, Windows 98 and Windows ME in your definition of "Windows... from the ground up".

        And even with the NT kernel, the hardware DEP support wasn't enabled by default in WinXP and allowed programs to "opt out" even when you did enable it!
        Zogg