
Researchers flag 'Heartbleed' security flaw that could expose business data and communications

Out-Law News | 09 Apr 2014 | 2:39 pm | 1 min. read

Researchers have identified a vulnerability in a popular encryption software product that, if left unfixed, could expose business data and communications to hackers.

The 'Heartbleed' bug is a "programming mistake" that exists in some versions of encryption software developed by the open source 'OpenSSL Project', according to researchers from Google and Finnish security testing business Codenomicon, who first identified it.

An updated version of the encryption software that fixes the problem has been created and is available to install, according to an OpenSSL security advisory. The researchers said the vulnerability had to be "taken seriously".

"Bugs in a single piece of software or library come and go and are fixed by new versions," the researchers said on a website set up to warn about the potential effects of the Heartbleed bug. "However, this bug has left a large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously."

"Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use," they added.

The researchers said that the vulnerability could have a widespread effect on the security of web traffic and that individuals are "likely to be affected either directly or indirectly".

"OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the internet," the researchers said. "Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL."

"Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client-side software on your computer that could expose the data from your computer if you connect to compromised services," the website said.

The warning coincides with the UK government's release of new cyber security guidelines for businesses. Among the advice it has offered is a recommendation that businesses implement software updates within 30 days of their release at the latest, and within 14 days at the latest when the software updates are security patches.
