Vulnerable organizations respond to encryption-breaking ‘Heartbleed Bug’

In the hours immediately following the public disclosure of the Heartbleed Bug, a critical vulnerability in widely used versions of the OpenSSL library, most affected organizations worked feverishly to plug a hole that could allow the decryption of communications protected by SSL/TLS.

OpenSSL 1.0.1 through 1.0.1f carry the bug, and Yahoo was quickly found to be one of the big companies running a vulnerable version – though not for long after the disclosure, according to a statement emailed to SCMagazine.com on Wednesday.
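As an added example (not code from the article or from any company it quotes), the following helper classifies `openssl version` banners against the range named above, 1.0.1 through 1.0.1f, with 1.0.1g as the fix; the host names and banners in it are constructed samples.

```python
import re

# Added example, not from the article. Classifies `openssl version` banners
# against the affected range the article names: 1.0.1 through 1.0.1f,
# with 1.0.1g as the first fixed release.
_BANNER = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-[\w.]+)?")


def parse_version(banner):
    """Split e.g. 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e', None).
    The trailing letter is OpenSSL's patch level ('' < 'a' < 'b' < ...);
    a '-suffix' such as '-beta1' or '-fips' is returned separately."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix, letter, suffix = m.groups()
    return int(major), int(minor), int(fix), letter, suffix


def heartbleed_status(banner):
    """Return 'affected', 'fixed' or 'unaffected' from the version number alone.
    Caveat: distributions that backport the fix keep the old version string
    (a patched build can still report 1.0.1e), so 'affected' here means
    'verify against the package changelog', not 'confirmed vulnerable'."""
    major, minor, fix, letter, suffix = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # Plain 1.0.1 ('') through 'f' are affected; 'g' and later are fixed.
        return "affected" if letter <= "f" else "fixed"
    if (major, minor, fix) == (1, 0, 2) and suffix == "-beta1":
        # From the OpenSSL advisory, not the article: 1.0.2-beta1 was affected.
        return "affected"
    return "unaffected"  # 0.9.8 and 1.0.0 predate the heartbeat extension


def triage(banners):
    """Map host -> status for a {host: banner} inventory."""
    return {host: heartbleed_status(b) for host, b in banners.items()}


if __name__ == "__main__":
    sample = {  # constructed sample inventory, not real hosts
        "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
        "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
        "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```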

“Our team has successfully made the appropriate corrections across the main Yahoo properties and we are working to implement the fix across the rest of our sites right now,” according to the statement, which adds that those properties include Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr.

Yahoo did not respond to a query about whether it would adopt Perfect Forward Secrecy, a feature long sought by the community. That feature would have prevented decryption via the Heartbleed Bug, Seth Schoen, senior staff technologist with the Electronic Frontier Foundation (EFF), told SCMagazine.com on Tuesday.

On the flipside, OkCupid, a popular dating website, has been using Perfect Forward Secrecy for a long while, at least for browsers that support it, Mike Maxim, head of infrastructure with OkCupid, told SCMagazine.com in a Wednesday email correspondence.

Although past traffic is secured, OkCupid was still running one of the vulnerable versions of the OpenSSL library.

“As a result of the bug, as of yesterday, we have upgraded our system to use the new, unaffected, version of OpenSSL (1.0.1g),” Maxim said. “In addition, we have reissued our SSL certificate after we upgraded OpenSSL. Users should not feel unsafe on the site. To be the most careful, a user can also change their password.”

Perhaps ironically, the Heartbleed Bug has not impacted OkCupid's traffic, Maxim said, explaining that, to the contrary, traffic right now is at an all-time high.

Meanwhile, website platform Pantheon spent the better part of 12 hours patching more than 60,000 Drupal and WordPress sites, according to a detailed blog posted Wednesday by David Strauss, CTO with Pantheon. The company fixed the problem by taking advantage of its unified, container-based infrastructure and was completely patched by Monday evening, Strauss wrote.

“While the people who discovered the vulnerability claim that it's possible to use the exploit to obtain the private keys of certificates, I haven't seen this exploit proven in the wild yet,” Strauss told SCMagazine.com on Wednesday. “That's the only exploit anything on Pantheon would be vulnerable to, given our separation of TLS termination from application servers. So, getting our servers locked down against the attack was priority one.”

Numerous other websites were running a vulnerable version of the OpenSSL library too – including Stackexchange.com, Archive.org, and Steamcommunity.com – which drew a lot of attention away from the susceptible mobile realm.

“We determined from our research that Android is shipping with the vulnerable version of the OpenSSL library installed,” Andrew Blaich, leader of the Android Research Team at Bluebox Security, told SCMagazine.com on Wednesday. “If the library is exploitable on the device then it can lead to the leaking of memory on the client side that can contain sensitive information.”

Any application running on an Android device, whether a smartphone or a tablet, is at risk, Blaich said, adding that Apple devices do not ship with OpenSSL, but developers who have included it in their iOS apps need to update.

[An earlier version of this story incorrectly stated that Pantheon was completely patched by Tuesday evening].
