Fixing OpenSSL's Heartbleed flaw will take MONTHS, warns Secunia

Expunging the Heartbleed bug from vulnerable computers and gadgets is likely to take months, according to a leading vuln research firm. The cautionary assessment by Secunia comes as more and more products are judged to be vulnerable to the infamous OpenSSL security flaw. Heartbleed most obviously affected secure web servers …

COMMENTS

This topic is closed for new posts.
  1. unwarranted triumphalism

    I notice you're letting Apple off the hook for this one.

    1. Pascal Monett Silver badge

      For the moment

      The media is just waiting for a declaration from Steve Jobs before deciding to go with leniency or overzealous outrage.

  2. Anonymous Coward

    It will never be eradicated. So many routers etc. are deployed (with web front ends for management) that users can't update and ISPs can't be arsed to update. Then various embedded systems.

    Perhaps these companies basing the multi-billion dollar products should band together and pay the OpenSSL team more than the derisory combined total of US$2k pa they have been.

  3. vagabondo

    scaremongering

    Although serious, this particular bug was only in the OpenSSL repository for a little over a year. So for appliances, such as managed routers, only those designed in that time will be vulnerable. And how many of them will have port 443 open to the world? If vulnerable routers have been distributed by e.g. ISPs, they should know their customers, and be able to issue upgrade notices.

    Few heavyweight servers will be affected as they tend to use long-term stable versions of crucial software. Machines that are kept at cutting edge or actively managed will have received security patches within a day or two of the disclosure/announcement.

    There may be problems with some Android based phones if the vendors choose not to push updates.

    We need some perspective here.

    1. Pascal Monett Silver badge

      "Machines that are kept at cutting edge or actively managed will have received security patches within a day or two of the disclosure/announcement."

      Really? I'm sure that actively managed machines will have been patched quicker than others, but I'm also pretty much convinced that patching schedules tend to not be on the top of the urgency pile most of the time - until the waste product encounters the rotating propulsion system, that is.

      Now that it has happened, all high-profile web sites are on the ball, no doubt, but I'm certain that we'll be hearing about this bug for as long as we've heard about unsalted (or non-existent) hashes for passwords.

  4. Dan 55 Silver badge

    Odd how Oracle releases products that use both NSS and OpenSSL, supports NSS yet doesn't support OpenSSL.

    Nice to see Oracle putting patches out quickly, but supporting OpenSSL would have cost Larry less in the first place. To put it in language he understands, it probably wouldn't have cost more than a metre of yacht.

  5. Mr Flibble

    http://opensslrampage.org/

    http://www.libressl.org/

  6. Charlie Clark Silver badge

    Solutionism

    Bitcoin and co. are examples of "solutionism": where technological solutions to non-technological problems are posed. Unsurprisingly, this is really popular with the tech invest lobby. Equally unsurprisingly, the solutions rarely solve the problems they are supposed to.

    1. Fatman

      Re: Solutionism

      Unsurprisingly, this is really popular with the tech invest lobby get rich quick crowd.

      FTFY!

  7. fearnothing

    Secunia only rates the vulnerability as 9 out of 10 because the bug does not give rise to a remote code execution vulnerability.

    So because it's a two step process - steal the admin's login credentials first - it's only moderately critical? Good to know.

    1. ragnar

      Perhaps the two-step nature of the process means it can't be fully automated?

      1. Michael Wojcik Silver badge

        "Perhaps the two-step nature of the process means it can't be fully automated?"

        I believe there are plenty of Heartbleed-based exploits that can be fully automated.

        I've already pointed out in other Reg forums that identifying the server's private key can be fully automated. Once you have that, you could mount an active MITM attack (using e.g. DNS poisoning or phishing), or decrypt traffic you passively record, if you're in a position to do that. I don't see any reason why those can't be automated as well.
