Code & Data Security
The Heartbleed vulnerability (http://www.heartbleed.com, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160, or the OpenSSL advisory athttps://www.openssl.org/news/secadv_20140407.txt) allows remote attackers to retrieve chunks of memory from servers using OpenSSL versions 1.0.1 prior to 1.0.1g. The information retrieved from the server memory could contain user passwords, encryption keys and other sensitive data. The vulnerability has been identified by security researchers from Codenomicon and Google Security. It is possible that it has been in the wild for months before being made public on April 7th 2014. Heartbleed is considered to be one of the most serious internet vulnerabilities ever identified, and affects nearly all systems that utilize the vulnerable OpenSSL packages.
Among websites who were published as vulnerable are Tumblr, Yahoo Mail, Google Mail, Amazon Web Services and others (lists of websites possibly affected are available herehttps://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt). Many of these have already upgraded their systems and asked their customers to reset their passwords. It is best to wait until the website has been protected from Heartbleed before changing your password.
Quotium delivers the best level of protection and security testing to its customers and believes that in the rapidly evolving online threat landscape, organizations must always be up-to-date on the latest attacks. Quotium’s Seeker, the automatic agile software security testing solution, now tests whether an application is susceptible to Heartbleed attacks. Our customers are urged to upgrade their Seeker software to this recent version.
The best way however to ensure your applications are not vulnerable is by upgrading the OpenSSL package version to 1.0.1.g, and after that revoking and reissuing certificates. Your users may need to be advised to change their passwords if the application was running a vulnerable version.
This post is also available in: French