Microsoft patches Heartbleed in Windows 8.1 VPN client

Summary: A Juniper VPN client that shipped with Windows 8.1 is vulnerable to Heartbleed. Microsoft has released a fix through Windows Update.

Microsoft has announced the availability of an update for the Juniper Networks Windows In-Box Junos Pulse VPN client.

The Juniper Windows In-Box Junos Pulse VPN client is a third-party VPN client that shipped with Windows 8.1. As announced in a Juniper disclosure, it is vulnerable to Heartbleed.

The program shipped with both 32-bit and 64-bit versions of Windows 8.1, as well as Windows RT 8.1. All versions are affected and updates are available for all.

In addition to Windows Update, the updates may be downloaded from Knowledge Base article KB2962140.

Talkback

16 comments
  • Fantastic inertia

    I patched my own heartbleed bugs close to one month ago.
    X15meshman
  • Curious...

    I thought this was a server vulnerability. How does this affect a client? (Not being trite, I didn't know it affected clients.)
    robradina@...
    • My thoughts as well...

      Not really sure how this would impact Windows. I thought it was the ability to send a packet to a site using OpenSSL that would then return the contents of memory. Not sure why your client would have SSL allowed to it, let alone on the VPN adapter... Probably why it wasn't a huge rush to patch.
      LiquidLearner
      • Heartbleed can affect clients too

        A lot had been written on this
        larry@...
      • Just to put info here for other readers

        Yes, the heartbleed bug applies to CLIENTS that use OpenSSL.

        This can be exploited in the following scenario: you access a malicious site that sets up an encrypted connection, then the malicious server sends the heartbeat packets to you the client and can get the contents of your client system memory.
        Technical John
      • OpenSSL

        Yeah, that's my guess as well, perhaps they use OpenVPN? I use Ironsocket and they updated their stuff within a day (https://ironsocket.com/blog/ironsockets-response-to-the-heartbleed-bug/). I can't believe it's taken this long for these guys to do the same though, I'd changed ALL my passwords within 24 hours of hearing about Heartbleed.
        Artisinal
    • It is an OpenSSL vulnerability

      that means it affects any service or client using the library. Both ends of the connection need to use SSL, therefore both ends need an SSL library.

      That is why Android 4.1 is also affected, as are various apps, security suites and networking devices.
      wright_is
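
Why a client is exposed just like a server, as an added example (not part of any comment above, and not Juniper's or OpenSSL's code): the heartbeat handler is the same whichever end of the connection the library runs on, and the fix is to compare the payload length the peer claims with the bytes actually received. Function and constant names are hypothetical; the message layout and discard rule follow RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE    2   /* heartbeat_response */
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 padding bytes */

/* Build the reply to a received heartbeat request. rec/rec_len is the
 * message as actually received from the peer (client or server alike).
 * Returns the response length, or 0 to silently discard the message. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The check Heartbleed-affected code lacked: the claimed payload
     * must fit inside what was received, or the echo reads past it. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return 0;
    size_t resp_len = HB_HEADER_LEN + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed);
    /* Zero padding keeps the example short; the RFC calls for random. */
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Constructed sample input: a 24-byte request carrying "hello". When
 * lie_about_length is set, the length field claims 0x4000 bytes. */
size_t hb_demo(int lie_about_length)
{
    uint8_t rec[HB_HEADER_LEN + 5 + HB_MIN_PADDING] =
        { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    if (lie_about_length) { rec[1] = 0x40; rec[2] = 0x00; }
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest request   -> %zu-byte response\n", hb_demo(0));
    printf("oversized length -> %zu (discarded)\n", hb_demo(1));
    return 0;
}
```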
  • Equivalent of a driver

    Apparently it is a third-party add-on selectable when a VPN connection is set up. Technically not a Microsoft item, but since it is in the Windows 8.1 stack if the supplier (Juniper) considers it important, it gets patched. Notice it was out-of-band as well (like the IE patch). And all copies of Windows 8.1 were updated, since it was in the package. One of the disadvantages MS has - if it got supplied with Windows, it has to be updated, whether or not it was actually being used. In this case, if you weren't setting up a Juniper VPN connection, it didn't matter. Now what THEY were doing to their client portion that involved the affected OpenSSH component...
    jwspicer
  • I wonder why Juniper didn't use Win8's own SSL implementation?

    There's no reason for OpenSSL not to support Win8, of course. But as a developer, I would always choose to use a platform's native library over a third party library. If nothing else, it would make the final binary smaller. So I wonder what the reasoning here was?
    Zogg
    • Juniper's VPN software runs on Linux, Mac, and Windows

      So it uses OpenSSL as OpenSSL is common across all platforms.
      anothercanuck
      • Does that necessarily follow?

        Linux and Mac share common POSIX APIs. However, my experience of POSIX on Windows platforms is that it's considerably "less than good".

        Are you saying that Juniper on Win8 is also written using POSIX APIs? Because if it isn't then the Windows and Mac/Linux code-bases must already have diverged.
        Zogg
        • Posix?

          What do you base your "less than good" on? I've had the complete opposite experience.
          Narg
          • I'm talking about the Windows POSIX layer.

            Which I was singularly unimpressed with! The fundamental philosophy of POSIX-based systems is that "Everything is a process or a file"... But on Windows (for example), file handles and sockets are distinct beasts.
            Zogg
  • How about fixing Pulse

    The user credentials for Juniper Pulse in W8.1 are there to input but greyed out. When you try to connect, it rejects due to not having credentials.
    Rann Xeroxx
  • Wrong company...

    Microsoft didn't patch it, Juniper did. It wasn't Microsoft software, it was Juniper's. Bad article title. Very bad.
    Narg
    • That makes sense

      Probably just an honest mistake though, no need to go postal, lol
      Artisinal