SANS warns end users against Heartbleed patch panic

Summary: While Heartbleed client-side attacks are possible, the SANS Institute warns that home users rushing to patch are more at risk of falling for scams — but change passwords regardless.

TOPICS: Security

The focus shifted to the risk of Heartbleed client-side attacks and recommendations for end users at the fourth briefing on the bug from the SANS Institute's Internet Storm Centre (ISC), held on Saturday morning Australian time (Friday afternoon US time).

"A lot of the effort initially has been on servers, and servers are certainly at the most risk — not just web servers, but mail servers, and all of that good stuff as well. Everything that uses OpenSSL with an affected version is vulnerable, whether it's a client, whether it's a server — and of course as an end user, you're mostly concerned about the client part," said SANS presenter and ISC chief technology officer Johannes Ullrich.

Clients are indeed vulnerable, said Ullrich, but not the most popular ones. At the operating system level, Apple's OS X ships OpenSSL version 0.9.8 rather than the Heartbleed-vulnerable 1.0.1 series, and Windows doesn't use OpenSSL at all, although there can be a risk from Windows applications that have been statically compiled against OpenSSL libraries.

"It's unlikely that a normal, average home Windows user has OpenSSL on their system," Ullrich said. "You're not going to run a web server on your home Windows machine."
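The statically compiled case is the one a home user cannot see from a package list, so it is worth having a check. The following is an added example, not code from the article or from SANS: a Python scanner that looks for the version banner OpenSSL compiles into libssl/libcrypto (and therefore into any binary that links them statically) and maps it to Heartbleed status. The affected ranges are the published ones (1.0.1 through 1.0.1f, and 1.0.2-beta1/beta2; 1.0.0 and 0.9.8 never had the heartbeat extension). The sample blob is constructed to stand in for a Windows executable.

```python
import re
from typing import List, Tuple

# Banner OpenSSL embeds in its libraries and in anything that links them statically,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?)(?:-fips)? (\d{1,2} [A-Z][a-z]{2} \d{4})"
)
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def classify(version: str) -> str:
    """Map an OpenSSL version string to its Heartbleed status.

    Vulnerable: 1.0.1 through 1.0.1f, and 1.0.2-beta1/beta2.
    Fixed: 1.0.1g and later, 1.0.2-beta3 and later.
    Not affected: 1.0.0 and 0.9.8, which predate the heartbeat extension.
    """
    m = _VERSION.fullmatch(version)
    if not m:
        return "unknown"
    major, minor, patch, letter, beta = m.groups()
    base = (int(major), int(minor), int(patch))
    if base == (1, 0, 1):
        # Patch letters run a..z, then za, zb, ...: compare length before value.
        return "vulnerable" if (len(letter), letter) <= (1, "f") else "fixed"
    if base == (1, 0, 2):
        return "vulnerable" if beta in ("beta1", "beta2") else "fixed"
    return "not affected"


def scan_bytes(blob: bytes) -> List[Tuple[str, str, str]]:
    """Return (version, build date, verdict) for every OpenSSL banner found in blob."""
    found = []
    for m in _BANNER.finditer(blob):
        version = m.group(1).decode("ascii")
        date = m.group(2).decode("ascii")
        found.append((version, date, classify(version)))
    return found


def scan_file(path: str) -> List[Tuple[str, str, str]]:
    """Scan a file on disk (an .exe or .dll, for instance) for OpenSSL banners."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed sample: junk bytes around two banners, standing in for an application
# that statically links a vulnerable libssl plus an older libcrypto. Not a real file.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"\xcc" * 16
    + b"OpenSSL 0.9.8y 5 Feb 2013\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    import sys
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(SAMPLE_BLOB)
    for version, date, verdict in results:
        print(f"OpenSSL {version} ({date}): {verdict}")
```

Two caveats apply to any banner-based check. Linux distributions backport the fix without bumping the patch letter, so a distro-patched 1.0.1e reports "vulnerable" here even though it is not; compare against the package changelog instead. In the other direction, a library built with heartbeats compiled out is safe regardless of its banner, and nothing in the version string reveals that.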

Android devices are the main client-side risk, as discussed in the previous day's briefing, because Android is the only major client operating system that uses OpenSSL widely.

"The first message [for home and family users] is 'Do not patch.' This sounds counter-intuitive, and yes there may be software that people have installed that does use OpenSSL," he said. But for home users who've seen Heartbleed scare stories in the mainstream media, being caught by scams is the greater risk.

"'Hey CNN is talking about a big vulnerability, I probably need to apply a patch. Microsoft didn't supply me with a patch, so that email I received, that's probably the patch I was looking for.' We have already seen some of these phishing attempts."

The second message is that, yes, changing passwords to online services is "probably a good idea", Ullrich said. "Even if it didn't get leaked, it's probably not going to break anything." And, because changing so many passwords is a pain, get a password manager.

"If you still have to remember all your passwords, and if you are able to do so, your passwords are too weak," he said.

SANS ISC has posted advice on How to talk to your kids (or manager) about Heartbleed, including praise for the xkcd cartoon that explains how Heartbleed works, and is continually updating a list of client-side applications known to be vulnerable.
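Ullrich's point that an affected OpenSSL is vulnerable "whether it's a client, whether it's a server" follows from where the bug sits: the heartbeat handler is the same code on both ends of a connection, so a malicious server can send the malformed request to a vulnerable client just as easily as the reverse. What follows is an added illustration, not code from the article or from OpenSSL: a Python re-enactment of the handler's missing bounds check beside the two checks the 1.0.1g fix added. A flat bytes buffer stands in for the process heap, and the cookie text next to the record is constructed sample data.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # minimum padding an RFC 6520 heartbeat message carries


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat body as it sits inside a TLS record:
    type(1) || payload_length(2) || payload || padding(16).
    claimed_len goes into the length field and may disagree with len(payload)."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


def heartbeat_vulnerable(memory: bytes, rec_off: int, rec_len: int):
    """Pre-1.0.1g logic: the length field is trusted and never compared with rec_len.

    memory is a flat buffer standing in for the process heap; the record occupies
    memory[rec_off:rec_off + rec_len] and whatever follows is other live data."""
    hbtype = memory[rec_off]
    payload_len = struct.unpack_from("!H", memory, rec_off + 1)[0]
    if hbtype != HB_REQUEST:
        return None
    pl = rec_off + 3
    # memcpy(bp, pl, payload_len): copies from pl regardless of where the record ends,
    # so the reply echoes up to 64 KiB of whatever sits after the record.
    echoed = memory[pl:pl + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * PADDING


def heartbeat_fixed(memory: bytes, rec_off: int, rec_len: int):
    """Logic after the 1.0.1g fix: bounds-check against the record, drop silently on failure."""
    if rec_len < 1 + 2 + PADDING:  # too short even for an empty payload
        return None
    hbtype = memory[rec_off]
    payload_len = struct.unpack_from("!H", memory, rec_off + 1)[0]
    if 1 + 2 + payload_len + PADDING > rec_len:  # claimed payload runs past the record
        return None
    if hbtype != HB_REQUEST:
        return None
    pl = rec_off + 3
    echoed = memory[pl:pl + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * PADDING


def demo(claimed_len: int = 64):
    """Run one malicious heartbeat ('ping' with an inflated length) through both handlers.

    Constructed heap layout: a little slack, the record, then data belonging to an
    unrelated connection that should never leave the process."""
    record = build_heartbeat(b"ping", claimed_len)
    neighbour = b"Cookie: session=d34dbeef; Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    memory = b"\x00" * 8 + record + neighbour + b"\x00" * 64
    rec_off, rec_len = 8, len(record)
    leaked = heartbeat_vulnerable(memory, rec_off, rec_len)
    safe = heartbeat_fixed(memory, rec_off, rec_len)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler echoed:", leaked[3:-PADDING])
    print("fixed handler returned:", safe)
```

Nothing in either handler depends on which side of the TLS session is running it, which is the whole of the client-side risk. The stopgap the distributions shipped while the fix was tested, building with `-DOPENSSL_NO_HEARTBEATS`, compiles this handler out entirely rather than patching it.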


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

  • At bloody Bleeding last

    An article that makes sense!
  • LibreOffice prior to v4.2.3 is vulnerable to the Heartbleed vulnerability

    I'm sure that there are some "normal, average home windows users" running LibreOffice on their Windows systems. Not to mention some normal, average home Mac users running LibreOffice on their OS X systems.
    Rabid Howler Monkey
    • Probably not high risk ...

      I would imagine the only use for this module is when LibreOffice on Windows or Mac calls home for some reason like when the user wants to add an extension or something like that. But it would not be high risk to update it either as long as the user procures the update from the site. But it's an interesting case. Thanks for pointing it out.
      George Mitchell
      • What about document encryption?

        Rabid Howler Monkey
      • Or, possibly, a connection to a remote database?

        In addition to being a personal database, Base also serves as a front-end to commercial database management systems.
        Rabid Howler Monkey
        • base may be a front end...

          But it doesn't open ports for incoming requests.

          It is a client of remote databases.
    • But how many people...

      ...use LibreOffice for encrypted communications?

      I'll upgrade anyway, but I doubt this is a huge risk.
      John L. Ries
    • Munich under attack

      Client exploit through heartbleed is potentially more lucrative as the returned payload is more likely to contain useful data rather than random junk.
    • what part of LibreOffice?

      Thanks for the link, but it doesn't elaborate on what part of LibreOffice uses openSSL.
      Cloud file access?
      SQL access?
      collaboration features?
      is it ALL internet traffic from LibreOffice?

      would really like to know.....
  • Most Linux distros put patches out immediately ...

    I know I received a patch the first day it hit the press. In that light it is hard to figure out why Android is such a mess. The initial fix is pretty simple. They just disable the heartbeat feature in the source, recompile, and distribute the binary down through the automatic update system as a stopgap while they are testing the new heartbeat feature. Why is this so complicated for Android hardware vendors when all the major Linux distributors can do it in no time? This is one of the things I really don't understand about Android.
    George Mitchell
  • I don't see it as a client vulnerability in any case.

    A server, yes - it opens ports for any connection.

    But a client system (even Android) doesn't do that. It does open a connection to a server, and that server may be vulnerable.

    If the server just disables the heartbeat function there should be no problems whatsoever.