Heartbleed Clean-up Could Take Months

News Article - Tuesday, 22 April 2014 14:59

By: Kerry Butters Category: Security

The massive task of cleaning up after the Heartbleed bug could take months, according to vulnerability research firm Secunia.

In an interview with The Register, Kasper Lindgaard, Secunia's head of research, said that "everybody is now playing catch-up", especially as more and more affected products come to light. The OpenSSL vulnerability is believed to affect routers and switches as well as secure web servers.

Additionally, a large number of software applications are affected, including VoIP and VPN apps, and it's thought that the rush to release fixes "could have a significant impact on network speeds", essentially slowing the entire internet.

The bug has forced millions of internet users to change their passwords. Although the flaw has been present in OpenSSL for about two years, there is no confirmed evidence that it was exploited maliciously before disclosure; that is hard to verify, however, because a heartbeat request is handled inside the TLS layer and exploitation leaves no trace in ordinary server or application logs.

Heartbleed (CVE-2014-0160) was discovered earlier this month by Codenomicon and, independently, by Google's security team. It is a missing bounds check in the heartbeat extension of OpenSSL: a heartbeat request carries a length field that the server trusted without comparing it against the data actually received, so an attacker can ask for up to 64 KB of the server's process memory per request. That memory can contain private keys, session cookies and user credentials, which is how the bug lets attackers read protected communications and steal data. OpenSSL is widely used to secure online connections including email, chat and private networks.

OpenSSL users are advised to upgrade to OpenSSL 1.0.1g, the release that fixes the flaw. Versions 1.0.1 through 1.0.1f are affected; the older 0.9.8 and 1.0.0 branches never contained the vulnerable heartbeat code. Where an upgrade is not immediately possible, OpenSSL can be rebuilt with -DOPENSSL_NO_HEARTBEATS to remove the extension entirely. Upgrading the library does not undo anything that may already have leaked: once the patched software is in place, private keys should be regenerated, certificates reissued and the old ones revoked, and session tokens and user passwords reset.
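The following C program is an added example written for this page; it is not OpenSSL's code and is not from The Register or Secunia. It models the heartbeat handling described above: a vulnerable handler modelled on OpenSSL 1.0.1 through 1.0.1f that trusts the length field, beside a fixed handler modelled on the 1.0.1g bounds check, plus the probe a scanner performs (the "test for Heartbleed" Lindgaard refers to below). The "process memory", the heartbeat request and the secret placed after it are all constructed in a single array so the over-read stays inside defined memory while still showing what leaks; the function names are this example's own.

```c
/*
 * Added example, not OpenSSL's code: a simplified model of the TLS heartbeat
 * handling behind Heartbleed (CVE-2014-0160).
 *
 * RFC 6520 heartbeat message, as carried inside a TLS record:
 *   type (1 byte: 1 = request, 2 = response)
 *   payload_length (2 bytes, big-endian)
 *   payload[payload_length]
 *   padding (at least 16 bytes)
 *
 * The vulnerable server copied payload_length bytes into its response without
 * checking that many bytes had actually arrived; the fix adds that check.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256

/* Constructed "process memory": the received record sits at the start, and
 * the bytes after it stand in for whatever else was on the heap (here a
 * constructed secret).  One array keeps the demo's over-read well defined. */
static unsigned char process_memory[MEM_SIZE];
static const char SECRET[] = "session_cookie=abc123; PRIVATE KEY MATERIAL";

typedef size_t (*heartbeat_fn)(const unsigned char *rec, size_t record_len,
                               unsigned char *resp, size_t resp_cap);

/* Build a heartbeat request claiming claimed_len bytes of payload while really
 * sending actual_payload, then place SECRET right after the record.  Returns
 * the true record length, i.e. the number of bytes that arrived on the wire. */
static size_t build_record(uint16_t claimed_len, const char *actual_payload)
{
    size_t actual_len = strlen(actual_payload);
    unsigned char *p = process_memory;
    memset(process_memory, 0, MEM_SIZE);
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, actual_payload, actual_len);
    p += actual_len;
    memset(p, 0, HB_PADDING);                  /* the 16 bytes of padding */
    p += HB_PADDING;
    size_t record_len = (size_t)(p - process_memory);
    memcpy(process_memory + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* Vulnerable handler (modelled on 1.0.1 to 1.0.1f): the peer's length field is
 * used as the copy length and record_len is never consulted.  Returns the
 * number of payload bytes echoed back. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                   unsigned char *resp, size_t resp_cap)
{
    (void)record_len;                          /* never checked: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len + 3 > resp_cap)    /* demo-only guard so the copy
                                                  stays inside our arrays */
        payload_len = (uint16_t)(resp_cap - 3);
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);    /* reads past the record */
    return payload_len;
}

/* Fixed handler (modelled on the 1.0.1g check): drop the request unless header,
 * claimed payload and minimum padding all fit inside what actually arrived.
 * Returns 0 when the record is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                              unsigned char *resp, size_t resp_cap)
{
    if (record_len < 1 + 2 + HB_PADDING)
        return 0;                              /* too short to be valid */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > record_len)
        return 0;                              /* claimed more than was sent */
    if ((size_t)payload_len + 3 > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);
    return payload_len;
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* The scanner's check: claim 80 bytes of payload but send 5.  A patched server
 * drops the request; a vulnerable one answers with more bytes than it got. */
static int probe_is_vulnerable(heartbeat_fn handler)
{
    unsigned char resp[MEM_SIZE];
    size_t record_len = build_record(80, "hello");
    return handler(process_memory, record_len, resp, sizeof resp) > strlen("hello");
}

/* Does the over-long response carry the constructed secret? */
static int response_leaks_secret(heartbeat_fn handler)
{
    unsigned char resp[MEM_SIZE];
    size_t record_len = build_record(80, "hello");
    size_t echoed = handler(process_memory, record_len, resp, sizeof resp);
    return echoed > 0 && contains(resp + 3, echoed, SECRET);
}

/* A well-formed request (length field matches the payload) must still work. */
static size_t legit_echo_len(heartbeat_fn handler)
{
    unsigned char resp[MEM_SIZE];
    size_t record_len = build_record(5, "hello");
    return handler(process_memory, record_len, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler: %s, secret leaked: %s, legit echo: %zu\n",
           probe_is_vulnerable(heartbeat_vulnerable) ? "VULNERABLE" : "ok",
           response_leaks_secret(heartbeat_vulnerable) ? "yes" : "no",
           legit_echo_len(heartbeat_vulnerable));
    printf("fixed handler:      %s, secret leaked: %s, legit echo: %zu\n",
           probe_is_vulnerable(heartbeat_fixed) ? "VULNERABLE" : "ok",
           response_leaks_secret(heartbeat_fixed) ? "yes" : "no",
           legit_echo_len(heartbeat_fixed));
    return 0;
}
```

The probe is the same request shape a real scanner sends over a TLS connection: nothing about it is malformed at the record layer, which is why it was never logged by the applications it was used against. Note that the fixed handler rejects the request silently rather than sending an alert, matching OpenSSL's behaviour, so a scan against a patched host sees no response at all.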

According to Lindgaard, Secunia has issued advisories relating to the bug covering 46 IT vendors and a total of 218 products, and he warned that some vendors are not being completely transparent about the effect of the bug on their products.

However, he cited Cisco and Oracle as examples of transparent vendors: Cisco has already identified 44 vulnerable products and is still investigating a further 68. At the moment patches are available for only four of them, but the company is making slow but steady progress.

"Most vendors have been doing a great job on creating a good overview of affected/unaffected products and any potential patches but other vendors are hiding this information in small notices on their download page or even in password protected pages," Lindgaard explained.

"This is rather unfortunate as this provides less openness about how widespread the vulnerable Heartbleed landscape actually looks, and makes it subsequently harder for people to properly assess risk in their environments, as they might not have noticed the hidden information."

"The vendors are gaining nothing but increased risk to their customers by hiding this information, as malicious persons will test for Heartbleed anyway," he added.

He went on to say that it's likely to take vendors months, not weeks, to roll out fixes and that Heartbleed is likely to have a long-term impact.
