Heartbleed, what is it?
Heartbleed: what is it, and how has SO Marketing made sure customers are safe by patching servers?
If a ‘Heartbleed bug’ sounds like it would be bad news for your body’s system, in reality it’s even worse for your computer’s. This vulnerability is big, and it’s probably affecting you, right now.
What’s the crack?
The OpenSSL Project recently announced the newly discovered CVE-2014-0160 vulnerability. Approximately 60% of websites use OpenSSL, but not all of them necessarily run the vulnerable versions, so the actual number of affected sites is likely to be much smaller. Of our own websites, only a small proportion use OpenSSL functionality.
Which in simple terms means:
Heartbleed is a security vulnerability in the popular OpenSSL, which is a type of encryption software used to secure highly sensitive data like passwords and other important things (you’ve probably seen it represented as the padlock in the address bar of your browser). It allows attackers to see sensitive, encrypted data if it’s on a vulnerable site. They don’t leave a trace and can then use this data to impersonate users of the site.
Researchers from Google and security group Codenomicon discovered the issue, and since then there has been a rush to update software and protect users’ data. The bug allows attackers to grab 64kb chunks of memory from a server, laying bare everything from passwords and usernames to credit card numbers and home addresses. Roughly half a million websites are thought to have been affected.
Security glitches come and go, and they’re usually resolved fairly quickly. Considering the long exposure, the ease of exploitation and the fact that the attacks leave no trace, this one should be taken seriously.
The bug was introduced to OpenSSL in December 2011 and has been roaming around since OpenSSL 1.0.1 was released on 14th of March 2012; OpenSSL 1.0.1g, released on 7th of April 2014, claims to fix the bug.
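To turn those version numbers into a patching checklist, here is a small added example (not from the OpenSSL Project or the original article) that reads `openssl version` banners and flags anything from 1.0.1 up to, but not including, 1.0.1g. The host names and banners are constructed sample data, and the function names are our own.

```python
import re

# Version range as stated in the article: present from 1.0.1, fixed in 1.0.1g.
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def classify(banner):
    """Classify one `openssl version` banner against the 1.0.1 .. 1.0.1f range."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unparsed"
    release = tuple(int(part) for part in m.group(1, 2, 3))
    letter = m.group(4)
    if release != (1, 0, 1):
        return "not-in-range"
    # Plain 1.0.1 has an empty letter; "" and "a".."f" all sort before "g".
    return "in-range" if letter < "g" else "not-in-range"

def triage(inventory):
    """Return hosts to follow up: in-range versions plus banners we could not read."""
    return [host for host, banner in inventory
            if classify(banner) in ("in-range", "unparsed")]

# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = [
    ("web1.example.com", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web2.example.com", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("mail.example.com", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("shop.example.com", "OpenSSL 1.0.1 14 Mar 2012"),
    ("legacy.example.com", "command not found"),
]

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY:
        print(f"{host:20} {classify(banner):13} {banner}")
    # A host reported in-range still needs checking against the OS vendor's
    # advisory: distributions often ship the fix without changing the letter.
    print("follow up:", triage(SAMPLE_INVENTORY))
```

Banners that cannot be parsed are kept on the follow-up list on purpose, so a server that fails to report its version is not silently treated as safe.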
What are they doing about it?
“As long as the vulnerable version of OpenSSL is in use it can be abused,” the Heartbleed website states. “Fixed OpenSSL was released but it has to be deployed en masse,” the website added. “Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”
At SO Marketing, our hosting provider, UKFast, hasn’t been affected, but we are helping clients with any issues they’re experiencing. We have taken measures already to patch the vulnerability in the server operating system software that we use to prevent any issues as soon as possible.