Articles about heartbleed

Researcher: DJI RCE-holes offered me $500 after I found Heartbleed etc on its servers

Updated Chinese drone-maker DJI’s bug bounty programme has been struck with fresh controversy after a security researcher claimed he was offered just $500 for reporting, among others, the years-old Heartbleed vulnerability. Infosec chap Sean Melia – no stranger to bug bounty programmes – said he discovered that DJI’s servers not only …
Gareth Corfield, 28 Nov 2017

F5's Big-IP leaks little chunks of memory, even SSL session IDs

There's a new branded bug in town, but thankfully it only hurts kit made by F5 Networks. “Ticketbleed” (so named for a similarity to the notorious 2014 Heartbleed) is specific to F5's Big-IP appliances and can strike when virtual servers running on those boxes are configured with a Client SSL profile that has the non-default …

It's 2017 and 200,000 services still have unpatched Heartbleeds

Some 200,000 systems are still susceptible to Heartbleed more than two years and 9 months after the huge vulnerability was disclosed. Patching efforts spiked after news dropped in April 2014 of the world's most well-known and at the time then most catastrophic bug. The vulnerability (CVE-2014-0160) that established the …
Darren Pauli, 23 Jan 2017

Cloud sellers who acted on Heartbleed sink when it comes to DROWN

Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago. DROWN (which stands for Decrypting RSA with Obsolete and Weakened eNcryption) is a serious design flaw that affects …
John Leyden, 8 Mar 2016

Oracle's Larry Ellison claims his Sparc M7 chip is hacker-proof – Errr...

Analysis Oracle insists it really is going to sell computers powered by Sparc M7 processors – the same chips it started talking about in 2014. On Monday, Big Red breathlessly unveiled hardware powered by the beefy microprocessor, and on Tuesday, its supremo Larry Ellison lauded the 64-bit CPU's security defenses. One of these defenses …
Chris Williams, 28 Oct 2015

Thought Heartbleed was dead? Nope – hundreds of thousands of things still vulnerable to attack

More than a year after its introduction, the notorious Heartbleed security flaw remains a threat to more than 200,000 internet-connected devices. This according to Shodan, a search tool that (among other things) seeks out internet-of-things (IoT) connected devices. Founder John Matherly posted a map the company built showing …
Shaun Nichols, 15 Sep 2015

Feared OpenSSL vulnerability gets patched, forgery issue resolved

The promised patch against a high severity bug in OpenSSL is out, resolving a certificate forgery risk in many implementations of the crypto protocol. Versions 1.0.1n and 1.0.2b of OpenSSL need fixing to resolve a bug that created a means for hackers to run crypto attacks that circumvent certificate warnings, as an advisory …
John Leyden, 9 Jul 2015

Amazon just wrote a TLS crypto library in only 6,000 lines of C code

Amazon Web Services has released a new, open source library that implements TLS encryption – the standard behind the secure HTTPS web protocol – using far less code than the prevailing OpenSSL library. Dubbed s2n for "signal to noise," the new library comprises just over 6,000 lines of C code. By comparison, OpenSSL consists …

Docker Hub images buggy and vulnerable, say researchers

Docker Hub users are playing Russian Roulette with Heartbleed, Poodle and Shellshock, according to an analysis of a bunch of images by newly-launched outfit BanyanOps. The outfit is using the research to bring itself out of stealth-mode, apparently: the company only Tweeted “Hello World” on May 1. Its claim, blogged here, is …

IETF updates TLS/SSL best practice guidance

Do: start rolling TLS 1.3, support TLS 1.2, and DTLS 1.2. Don't: negotiate sessions using TLS 1, TLS 1.1, SSL 2 or SSL 3. Those are the Internet Engineering Task Force's latest recommendations, set out in RFC 7525, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). …

Most top corporates still Heartbleeding over the internet

A depressing 76 percent of the top 2000 global organisations have public facing systems still exposed to Heartbleed, researchers say. The exposure means attackers could nab passwords, login cookies, private cryptographic keys and more using the vulnerability first disclosed 12 months ago. Australia is the least-repaired …
Darren Pauli, 8 Apr 2015

Sysadmins: Step away from the Big Mac. No more Heartbleed-style 2am patch dashes

Patching is a necessary evil for network administrators. Unfortunately, an awful lot of them have been burning not only the midnight oil, but also the weekend oil to keep up with patches such as – but not limited to – Heartbleed and Shellshock. The bad news is that this is only the start. As software vendors move towards a …
Stuart Burns, 4 Mar 2015

Sysadmins disposed of Heartbleed certs, but forgot to flush

Sysadmins' need for sleep and attempts to stop working at weekends have slowed down the response to Heartbleed, according to University of Maryland researchers – but more seriously, it's possible that a bunch of half-fixed websites retain some vulnerability to the bug. The problem, the researchers told the 2014 Internet …

Google puts down POODLE, now wants to eradicate breed

A trio of Googlers have released a tool to help sysadmins identify applications and services open to nasty transport layer security vulnerabilities such as POODLE, Heartbleed and Apple's gotofail. The dryly named nogotofail tool, written by Android engineers Chad Brubaker, Alex Klyubin and Geremy Condra, allows devs to set up …
Darren Pauli, 5 Nov 2014

The NO-NAME vuln: wget mess patched without a fancy brand

Sysadmins: another venerable and nearly-ubiquitous *nix tool, wget, needs patching because of a bug first reported by HD Moore. As the Red Hat Bugzilla report describes, the bug was a beauty: a recursive directory fetch over FTP would let an attacker “create arbitrary files, directories or symbolic links” due to a symlink flaw …

NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)

Gird your loins, sysadmins: The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent. (And indeed so it turned out to be - the Poodle vuln. You heard it here first. - Ed) Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is …
Darren Pauli, 14 Oct 2014

Hackers thrash Bash Shellshock bug: World races to cover hole

Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers. But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete. The flaw affects …
John Leyden, 25 Sep 2014

OpenSSL promises devs advance notice of future bugs, slaps if they blab

In the wake of Heartbleed, the OpenSSL project has decided that *nix distributions that use the popular crypto pack will get advance notice of upcoming security-related bugfixes. The project has decided that distributions that ship with OpenSSL will get some advance notice of issues ahead of fixes – an announcement on the …

Biting the hand that feeds IT © 1998–2017