Heartbleed Internet flaw causes problems worldwide

9 Apr 2014

Software developers, website operators, and security consultants are rushing to fix a new internet security bug. The flaw has been found in OpenSSL, a widely used implementation of the SSL secure connection protocol that millions of websites rely on to encrypt sensitive information. Revealed on Monday 08 April, this is a serious flaw in a software security component that is widely used by websites and security devices around the globe. Many major sites are affected and have already implemented patches to fix the problem. Red Hat and Ubuntu have already issued patches, and affected sites include Amazon, Yahoo Mail, and even the FBI’s own website. Devices such as firewalls and other perimeter security appliances are also affected.

The vulnerability allows an attacker to obtain usernames, passwords and encryption keys. OpenSSL is a widely deployed SSL library used in many different applications, including several Linux distributions that power the internet and the world wide web.

The advice to website owners and administrators is to patch the flaw immediately. The problem is that even after a system has been patched, the SSL certificates for that site might have been compromised. This is because the private key could have been disclosed to hackers who exploited this vulnerability while the system was still unpatched.

At LastPass, where the Heartbleed bug has already been patched, the use of a multi-layered defence means that customer data was never exposed by the flaw. The LastPass blog explains that the company patched the vulnerability on Tuesday morning, but had other security measures in place that mitigated the risk. The approach taken by LastPass illustrates the benefits of the Defence in Depth model that Abilisys security experts adopt when advising clients.
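The caveat above, that a host can be fully patched yet still serve a certificate whose private key was exposed while the host was vulnerable, turned into a small triage check. This is an added example, not code from the original post or from Abilisys; it assumes a host inventory in which each entry records when the host was patched and the `notBefore` line printed by `openssl x509 -noout -startdate` for the certificate it serves. Host names and dates are constructed.

```python
"""Post-patch certificate triage: flag hosts whose certificate predates
the patch, since the key behind it may have been read out of memory
while the vulnerable library was running.  (Added example; the inventory
below is constructed sample data.)"""
from datetime import datetime, timezone


def parse_openssl_date(line: str) -> datetime:
    """Parse 'notBefore=Apr  9 10:00:00 2014 GMT' (the format printed by
    `openssl x509 -noout -startdate`) into an aware UTC datetime."""
    value = line.split("=", 1)[1] if "=" in line else line
    value = value.strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def triage(host: dict) -> str:
    """Classify one host record.

    UNPATCHED    - flawed library still running; patch first.
    REISSUE_CERT - patched, but the certificate (and so its key) was issued
                   before the patch and may have leaked; revoke and reissue
                   with a freshly generated key.
    OK           - patched and serving a certificate issued after the patch
                   (assumes a new key was generated along with it).
    """
    if host["patched_at"] is None:
        return "UNPATCHED"
    patched_at = datetime.fromisoformat(host["patched_at"])
    not_before = parse_openssl_date(host["cert_startdate"])
    return "REISSUE_CERT" if not_before < patched_at else "OK"


def triage_all(hosts: list) -> dict:
    """Map each host name to its triage status."""
    return {h["host"]: triage(h) for h in hosts}


HOSTS = [  # constructed sample inventory, not real hosts
    {"host": "shop.example", "patched_at": "2014-04-08T14:00:00+00:00",
     "cert_startdate": "notBefore=Jan 15 09:30:00 2014 GMT"},
    {"host": "mail.example", "patched_at": "2014-04-08T16:30:00+00:00",
     "cert_startdate": "notBefore=Apr  9 10:00:00 2014 GMT"},
    {"host": "vpn.example", "patched_at": None,
     "cert_startdate": "notBefore=Mar  1 00:00:00 2014 GMT"},
]

if __name__ == "__main__":
    for name, status in triage_all(HOSTS).items():
        print(f"{name:14} {status}")
```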
