
Heartbleed Bug


BornSlippy

ANY software, product or network appliance that uses vulnerable versions of OpenSSL is affected.

http://www.openssl.org/news/secadv_20140407.txt

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Reference:  CVE-2014-0160
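Added example, not the advisory's or OpenSSL's code: a simplified C model of the TLS heartbeat record and the bounds check the advisory says was missing. It shows why a request that declares more payload than the record actually carries must be discarded rather than echoed. The record layout and the 16-byte padding minimum follow RFC 6520; the sample records are constructed, not captured traffic.

```c
/* Added example, not OpenSSL's code: a simplified model of the TLS heartbeat
 * record and the bounds check that CVE-2014-0160 lacked. Layout modelled:
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_HEADER_LEN   3   /* type + 2-byte payload_length */
#define HB_MIN_PADDING 16   /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed sample records (not real captures). */
static const uint8_t hb_ok_rec[] = {1, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};                /* declares 5, carries 5 */
static const uint8_t hb_bad_rec[] = {1, 0x40, 0x00}; /* declares 16384, carries 0 */
static uint8_t hb_out[64];                           /* response buffer */

/* Declared payload length from the 2-byte big-endian field. */
static size_t hb_declared_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The check the 1.0.1g fix added: header + declared payload + minimum
 * padding must fit inside the record that was actually received.
 * Returns 1 if well-formed, 0 if the record must be silently discarded. */
int hb_record_is_valid(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                        /* too short to even hold padding */
    if (HB_HEADER_LEN + hb_declared_len(rec) + HB_MIN_PADDING > rec_len)
        return 0;                        /* declared length exceeds record */
    return 1;
}

/* Builds the heartbeat_response for a validated request, echoing exactly
 * the declared payload. Returns the response length, or 0 on rejection.
 * The vulnerable code skipped hb_record_is_valid() and copied the declared
 * length from a record that might hold only 3 bytes, so the remainder of
 * the reply came from whatever followed in process memory. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (!hb_record_is_valid(rec, rec_len))
        return 0;
    size_t payload = hb_declared_len(rec);
    size_t total = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (total > out_cap)
        return 0;
    out[0] = 2;                          /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];    /* echo payload_length */
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return total;
}
```

The same length-versus-record comparison is what network detection rules for this bug key on: a heartbeat request whose declared payload_length exceeds the enclosing TLS record is malformed by construction.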


ANY software, product or network appliance that uses vulnerable versions of OpenSSL is affected.

I do think it is important to note that, when connecting to a trustworthy server (such as when browsing Amazon, NewEgg, etc.), your 'client' (in this example your web browser, if it uses the affected OpenSSL versions to handle TLS encryption) is not going to be exploited. Obviously if you are suffering from browser hijacks, DNS hijacks, etc., then that cannot be guaranteed; however, you should never enter sensitive information when there is any sort of infection on your computer to begin with, and especially if you are being redirected to other websites when you try to do searches or shop online.

In the case of clients (such as web browsers), the server you connect to is what exploits you, so as long as your computer is not infected, your DNS has not been hijacked, and you are sticking to trustworthy websites, then your web browser will not have been compromised. Regardless, you should always install the latest security updates for your web browser and operating system.


A little curious note:

Of late, Avast has been "sending" slide-up blurbs that query what the user is doing to "protect themselves" from Heartbleed and prompting the user to "click here for further information".


Avira Mobile for Android and iOS now has an identity security thing that tells you if your email or any of your contacts have been pwned too.

I'm not sure how they determine this, but the one contact it told me was "breached" got phished on a Steam account attached to that email.

Anyone know how these "have i been pwned" services really make their databases?


Can't edit:

I know there are listings of sites and services compromised specifically by heartbleed as well as those compromised by other means.

I'm asking in general how they assemble a database of stuff that's been compromised. It's got to be something more than the company disclosing the info voluntarily, right?
