Researchers say that a bug in software used by millions of web servers could have exposed anyone visiting sites they hosted to spying and eavesdropping.
The OpenSSL library is deployed in a huge number of operating systems and applications, including a wide variety of Unix and Linux distributions, as well as OS X, popular web servers such as Nginx and Apache, and some major cloud-based applications and platforms including CloudFlare. It is supposed to protect data as it travels back and forth.
The bug makes it possible to trick almost any system running a version of OpenSSL released in the past two years into revealing chunks of data sitting in its memory. Researchers called it the “Heartbleed” bug because it occurs in the heartbeat extension of OpenSSL.
The bug was discovered by researchers working for Google and the security firm Codenomicon. They said the serious vulnerability allowed anyone to read chunks of memory from servers supposedly protected by the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.
“This allows attackers to eavesdrop on communications, steal data directly from the servers and users and to impersonate services and users.”
“It’s the biggest thing I have seen since the discovery of SQL injection,” said Kevin Munro, a security expert at Pen Test Partners. SQL injection is a way to extract information from the databases behind websites and services using specifically crafted queries.
Full protection might require updating to the safer version of OpenSSL as well as getting new security certificates and generating new encryption keys.
“We encourage everyone else running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected from this vulnerability. For previous versions of OpenSSL, re-compiling with the OPENSSL_NO_HEARTBEATS flag enabled will protect against this vulnerability. OpenSSL 1.0.2 will be fixed in 1.0.2-beta2,” says Nick Sullivan of CloudFlare.
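The heartbeat flaw described above, and the bounds check that the fixed release adds, modelled in C as an added illustration. This is not the article's material nor OpenSSL's own code: the record layout, the handler names and the constructed memory image are simplified assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Added illustration, not OpenSSL's code. A simplified heartbeat record is
 * [type][2-byte claimed payload length][payload][16 bytes of padding].   */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16 };
/* Flawed handler: trusts the claimed length and never compares it with the
 * bytes actually received, so memcpy reads past the end of the record.   */
static int hb_reply_unchecked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                /* real length ignored */
    if (rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);  /* the over-read */
    memset(out + HB_HDR + claimed, 0, HB_PADDING);
    return (int)(HB_HDR + claimed + HB_PADDING);
}
/* Hardened handler: the claimed payload must fit inside the bytes received.
 * This is the kind of bounds check the fixed OpenSSL release adds.       */
static int hb_reply_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PADDING > rec_len) return -1;
    return hb_reply_unchecked(rec, rec_len, out, out_cap);  /* now in bounds */
}
/* Constructed memory image: a 4-byte "ping" request claiming 32 payload bytes,
 * followed in the same buffer by data that must never leave the server.   */
static const uint8_t memory[64] = {
    HB_REQUEST, 0x00, 0x20, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,       /* padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y'
};
enum { REC_LEN = HB_HDR + 4 + HB_PADDING };               /* 23 bytes received */
/* Returns 1 if a handler's reply to the record contains the neighbouring
 * secret, 0 if the reply is clean, -1 if the handler rejected the record. */
static int reply_leaks_secret(int (*h)(const uint8_t *, size_t, uint8_t *, size_t))
{
    uint8_t out[128];
    int n = h(memory, REC_LEN, out, sizeof out);
    if (n < 0) return -1;
    for (int i = 0; i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
```

The flawed handler answers the 23-byte record with 51 bytes, 10 of which are the neighbouring secret; the hardened handler refuses the record outright.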
Some researchers have produced tools that help people work out whether they are running vulnerable versions of OpenSSL, so that they can check their own systems.
Source: BBC