I notice you're letting Apple off the hook for this one.
Fixing OpenSSL's Heartbleed flaw will take MONTHS, warns Secunia
Expunging the Heartbleed bug from vulnerable computers and gadgets is likely to take months, according to a leading vuln research firm. The cautionary assessment by Secunia comes as more and more products are judged to be vulnerable to the infamous OpenSSL security flaw. Heartbleed most obviously affected secure web servers …
-
Tuesday 22nd April 2014 10:12 GMT Anonymous Coward
It will never be eradicated. So many routers etc. are deployed (with web front ends for management) that users can't update and ISPs can't be arsed to update. Then various embedded systems.
Perhaps these companies basing the multi-billion dollar products should band together and pay the OpenSSL team more than the derisory combined total of US$2k pa they have been.
-
Tuesday 22nd April 2014 11:30 GMT vagabondo
scaremongering
Although serious, this particular bug was only in the OpenSSL repository for a little over a year. So for appliances, such as managed routers only those designed in that time will be vulnerable. And how many of them will have port 443 open to the world. If vulnerable routers have been distributed by e.g. ISPs, they should know their customers, and be able to issue upgrade notices.
Few heavyweight servers will be affected as they tend to use long-term stable versions of crucial software. Machines that are kept at cutting edge or actively managed will have received security patches within a day or two of the disclosure/announcement.
There may be problems with some Android based phones if the vendors choose not to push updates.
We need some perspective here.
-
Tuesday 22nd April 2014 13:15 GMT Pascal Monett
"Machines that are kept at cutting edge or actively managed will have received security patches within a day or two of the disclosure/announcement."
Really? I'm sure that actively managed machines will have been patched quicker than others, but I'm also pretty much convinced that patching schedules tend to not be on the top of the urgency pile most of the time - until the waste product encounters the rotating propulsion system, that is.
Now that it has happened, all high-profile web sites are on the ball, no doubt, but I'm certain that we'll be hearing about this bug for as long as we've heard about unsalted (or non-existent) hashes for passwords.
-
-
Tuesday 22nd April 2014 13:20 GMT Dan 55
Odd how Oracle releases products that use both NSS and OpenSSL, supports NSS yet doesn't support OpenSSL.
Nice to see Oracle putting patches out quickly, but supporting OpenSSL would have cost Larry less in the first place. To put it in language he understands, it probably wouldn't have cost more than a metre of yacht.
-
-
-
Wednesday 23rd April 2014 18:12 GMT Michael Wojcik
Perhaps the two-step nature of the process means it can't be fully automated?
I believe there are plenty of Heartbleed-based exploits that can be fully automated.
I've already pointed out in other Reg forums that identifying the server's private key can be fully automated. Once you have that, you could mount an active MITM attack (using e.g. DNS poisoning or phishing), or decrypt traffic you passively record, if you're in a position to do that. I don't see any reason why those can't be automated as well.
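The flaw the thread is discussing is a missing bounds check on the TLS heartbeat message: the peer declares a payload length, and unpatched OpenSSL copied that many bytes back regardless of how many actually arrived. The following is an added example, not code from any commenter or from OpenSSL, showing the defender-side arithmetic: it parses a TLS record, and for heartbeat records applies the same test the fixed releases use (header + declared payload + minimum padding must fit within the record), which is also what IDS signatures for this bug key on. The two sample records, `build_heartbeat`, and the dictionary layout of the result are constructed for the example.

```python
import struct

TLS_HEARTBEAT = 24       # content type of a TLS heartbeat record (RFC 6520)
HB_HEADER_LEN = 3        # 1-byte heartbeat type + 2-byte payload_length
HB_MIN_PADDING = 16      # RFC 6520: at least 16 bytes of random padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds bytes on the wire")
    return ctype, version, fragment


def check_heartbeat(record: bytes) -> dict:
    """Classify a TLS record; flag heartbeat messages whose declared payload
    length cannot fit inside the record, the condition the fixed releases drop."""
    ctype, _, fragment = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "malformed": False}
    if len(fragment) < HB_HEADER_LEN:
        return {"heartbeat": True, "malformed": True, "declared": None, "available": 0}
    declared = struct.unpack("!H", fragment[1:3])[0]
    # Bytes of payload the record can actually carry after header and minimum padding.
    available = len(fragment) - HB_HEADER_LEN - HB_MIN_PADDING
    # Patched OpenSSL rejects the message when 1 + 2 + payload + 16 exceeds the record length.
    malformed = HB_HEADER_LEN + declared + HB_MIN_PADDING > len(fragment)
    return {"heartbeat": True, "malformed": malformed,
            "declared": declared, "available": max(available, 0)}


def build_heartbeat(payload: bytes, declared_length: int,
                    padding: bytes = b"\x00" * HB_MIN_PADDING) -> bytes:
    """Constructed test record (heartbeat_request, TLS 1.1 version bytes).
    declared_length is written verbatim so it can disagree with len(payload)."""
    fragment = b"\x01" + struct.pack("!H", declared_length) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(fragment)) + fragment


# Constructed samples: an honest request and one that claims far more than it carries.
BENIGN = build_heartbeat(b"ping", 4)
OVERSIZED = build_heartbeat(b"", 16384)

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, check_heartbeat(rec))
```

Run over captured records, the check lets a monitoring point log heartbeat messages whose declared length exceeds what arrived, which is the signal worth alerting on whether or not the server behind it has been patched. Note that it only says something about traffic; whether a given host is still vulnerable is a question of its OpenSSL build (including distribution backports that keep an old version string), which is the inventory problem the article and the thread are about.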
-
-