Heartbleed vulnerability may have been exploited months before patch


guthrieinator There’s good news, bad news, and worse news regarding the “Heartbleed” bug that affected nearly two-thirds of the Internet’s servers dependent on SSL encryption. The good news is that many of those servers (well, about a third) have already been patched. And according to analysis by Robert Graham of Errata Security, the bug won’t expose the private encryption key for servers “in most software” (though others have said several web server distributions are vulnerable to giving up the key under certain circumstances.) The bad news is that about 600,000 servers are still vulnerable to attacks exploiting the bug. The worse news is that malicious “bot” software may have been attacking servers with the vulnerability for some time—in at least one case, traces of the attack have been found in audit logs dating back to last November. Attacks based on the exploit could date back even further. Security expert Bruce Schneier calls  Heartbleed  a catastrophic vulnerability. “On the scale of 1 to 10, this is an 11,” he said in a  blog post today.  The bug affects how OpenSSL, the most widely used cryptographic library for Apache and nginx Web servers, handles a service of Transport Layer Security called Heartbeat—an extension added to TLS in 2012. Read 9 remaining paragraphs | Comments

Visit site:
Heartbleed vulnerability may have been exploited months before patch


Please enter your comment!
Please enter your name here


This site uses Akismet to reduce spam. Learn how your comment data is processed.