SANS warns end users against Heartbleed patch panic

While Heartbleed client-side attacks are possible, the SANS Institute warns that home users rushing to patch are more at risk of falling for scams — but change passwords regardless.

The focus shifted to the risk of Heartbleed client-side attacks and recommendations for end users at the fourth briefing on the bug from the SANS Institute's Internet Storm Centre (ISC), held on Saturday morning Australian time (Friday afternoon US time).

"A lot of the effort initially has been on servers, and servers are certainly at the most risk — not just web servers, but mail servers, and all of that good stuff as well. Everything that uses OpenSSL with an affected version is vulnerable, whether it's a client, whether it's a server — and of course as an end user, you're mostly concerned about the client part," said SANS presenter and ISC chief technology officer Johannes Ullrich.

Clients are indeed vulnerable, said Ullrich, but not the most popular ones. At the operating system level, Apple's OS X uses OpenSSL version 0.9.8, not the Heartbleed-vulnerable version 1.0.1, and Windows doesn't use OpenSSL at all — although there can be a risk from Windows applications that have been statically compiled against OpenSSL libraries.

"It's unlikely that a normal, average home windows user has OpenSSL on their system," Ullrich said. "You're not going to run a web server on your home Windows machine."
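The version test behind Ullrich's point (only OpenSSL 1.0.1 builds are affected, and a Windows program can carry its own statically linked copy of the library) can be made concrete. The Python below is an added example written for this page, not code from SANS ISC or the article: it parses OpenSSL's version banner, flags the known-affected releases (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g shipped the fix), scans a file's bytes for embedded banners, and reports the local `openssl` command-line tool if one is installed. The sample binary bytes are constructed for the demonstration.

```python
import re
import subprocess

# OpenSSL's version banner looks like "OpenSSL 1.0.1f 6 Jan 2014". The trailing
# letter is the patch level; an optional "-beta1" / "-fips" tail is captured too.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-[A-Za-z0-9]+)?")

# Constructed stand-in for a statically linked Windows binary: ELF/PE header bytes
# are irrelevant here, only the embedded banner string matters for the scan.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"OpenSSL 1.0.1e 11 Feb 2013" + b"\x00" * 8
    + b"TLSv1.2" + b"\x00" * 4
)


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letter, suffix) from a banner, or None."""
    if isinstance(text, str):
        text = text.encode()
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, fix, m.group(4).decode(), (m.group(5) or b"").decode())


def is_heartbleed_vulnerable(version):
    """True if the version is in the known-affected range.

    Affected: 1.0.1 (no letter) through 1.0.1f, and the 1.0.2-beta1 pre-release.
    Not affected: the 0.9.8 and 1.0.0 branches (no heartbeat code) and 1.0.1g+.
    """
    parsed = version if isinstance(version, tuple) else parse_openssl_version(version)
    if parsed is None:
        return False
    major, minor, fix, letter, suffix = parsed
    if (major, minor, fix) == (1, 0, 1):
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return suffix == "-beta1"
    return False


def scan_blob(blob):
    """List every distinct banner found in a byte blob with its vulnerability verdict."""
    banners = sorted({m.group(0).decode() for m in VERSION_RE.finditer(blob)})
    return [(b, is_heartbleed_vulnerable(b)) for b in banners]


def scan_file(path):
    """Scan an on-disk executable or DLL for statically linked OpenSSL banners."""
    with open(path, "rb") as f:
        return scan_blob(f.read())


def local_openssl_status():
    """Banner and verdict for the `openssl` tool on PATH, or None if there is none."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode(errors="replace").strip(), is_heartbleed_vulnerable(out)


if __name__ == "__main__":
    for banner, vulnerable in scan_blob(SAMPLE_BINARY):
        print(f"{banner}: {'AFFECTED' if vulnerable else 'not affected'}")
    print("local openssl:", local_openssl_status())
```

A banner in the affected range is a lead, not proof: Linux distributions commonly backport the fix without bumping the banner, so a system reporting 1.0.1e can already be patched at the package level. The reverse is the useful signal for end users: a 0.9.8 banner, or no OpenSSL banner at all inside a program, means Heartbleed does not apply to it.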

Android devices are the main client-side risk, as discussed in the previous day's briefing, because it's the only major operating system that uses OpenSSL widely.

"The first message [for home and family users] is 'Do not patch.' This sounds counter-intuitive, and yes there may be software that people have installed that does use OpenSSL," he said. But for home users who've seen Heartbleed scare stories in the mainstream media, being caught by scams is the greater risk.

"'Hey CNN is talking about a big vulnerability, I probably need to apply a patch. Microsoft didn't supply me with a patch, so that email I received, that's probably the patch I was looking for.' We have already seen some of these phishing attempts."

The second message is that, yes, changing passwords to online services is "probably a good idea", Ullrich said. "Even if it didn't get leaked, it's probably not going to break anything." And, because changing so many passwords is a pain, get a password manager.

"If you still have to remember all your passwords, and if you are able to do so, your passwords are too weak," he said.

SANS ISC has posted advice on How to talk to your kids (or manager) about Heartbleed, including praise for the xkcd cartoon that explains how Heartbleed works, and is continually updating a list of client-side applications known to be vulnerable.
