Wednesday, April 09, 2014
OpenSSL Cryptographic Bug Poses Threats to User Data
A newly discovered bug in the popular OpenSSL cryptographic software library has made data on many of the world's major websites vulnerable to theft by hackers.
The so-called "Heartbleed Bug" allows stealing the information
protected, under normal conditions, by the SSL/TLS encryption
used to secure the Internet. SSL/TLS provides communication
security and privacy over the Internet for applications such
as web, email, instant messaging (IM) and some virtual private
The vulnerability could enable remote attackers to access
sensitive data including passwords and secret keys that can
decode traffic as it travels across the Internet.
The U.S. government's Department of Homeland Security has
already advised businesses to review their servers to see if
they were using vulnerable versions of OpenSSL.
A fixed OpenSSL has been released and now it has to be
The bug was introduced to OpenSSL in December 2011 and has
been out in the wild since OpenSSL release 1.0.1 on 14th of
March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes
Status of different OpenSSL versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
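
The status list above can be applied to an inventory of `openssl version` banners when reviewing servers. The following is an added example, not part of the original article: the hostnames and banners are constructed sample data, and treating 1.0.1 releases after 1.0.1g as fixed is an assumption beyond the article's list.

```python
import re

# Version token as printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def classify(banner):
    """Map a version banner to 'vulnerable', 'not vulnerable' or 'unknown'
    according to the status list in the article."""
    m = VERSION_RE.search(banner)
    if m is None:
        return "unknown"                      # no OpenSSL version in the banner
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)                       # "" for the base release
    if branch in ((0, 9, 8), (1, 0, 0)):
        return "not vulnerable"
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are listed as vulnerable.
        # Assumption: letters after "g" keep the 1.0.1g fix.
        return "vulnerable" if letter <= "f" else "not vulnerable"
    return "unknown"                          # branch not covered by the list

def hosts_to_patch(inventory):
    """Return the sorted hosts whose banner falls in the vulnerable range."""
    return sorted(h for h, b in inventory.items() if classify(b) == "vulnerable")

# Constructed sample inventory (hostnames and banners are illustrative).
SAMPLE = {
    "mail.example.org": "OpenSSL 1.0.1e 11 Feb 2013",
    "www.example.org": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.org": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn.example.org": "OpenSSL 1.0.1 14 Mar 2012",
    "proxy.example.org": "nginx/1.4.7",
}

if __name__ == "__main__":
    for host in hosts_to_patch(SAMPLE):
        print(host, "->", SAMPLE[host])
```

A banner reflects only the upstream version string, so a vendor package that backported the fix without changing that string is still reported as vulnerable here; confirm such hosts against the package changelog.
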
Security experts estimate that hundreds of thousands of web
and email servers around the globe need to be patched as soon
as possible to protect them from attack by hackers.
And according to a recent report from the Arstechnica.com web
site, security researcher Mark Loman was able to extract data
from Yahoo Mail servers by using a free tool.