Linked by Thom Holwerda on Tue 8th Apr 2014 22:06 UTC
Privacy, Security, Encryption

Heartbleed, a long-undiscovered bug in cryptographic software called OpenSSL that secures Web communications, may have left roughly two-thirds of the Web vulnerable to eavesdropping for the past two years. Heartbleed isn't your garden-variety vulnerability, so here's a quick guide to what it is, why it's so serious, and what you can do to keep your data safe.

Serious.

oiaohm
Member since:
2009-05-30

BallmerKnowsBest, if you download Metasploit you will find a demo of a reverse back to the webserver using MS10-049.

With MS10-049 we were lucky. With Heartbleed, not lucky. This is the thing with these flaws: with some we are lucky, with some we are not.

Interestingly enough, lots of Windows servers are behind Linux load balancers and filters. Some sites using Windows were got by Heartbleed because their Linux load balancer got hit, yet those same Linux load balancers blocked other attacks. Why? The load balancer is doing the SSL decode. It's way less than 1/3 of servers on the Internet that have Windows servers with internet-facing SSL. You are looking at basically 90 percent Linux when you look at what is decoding SSL.

http://support.microsoft.com/kb/977377 and MS10-049 are two exploits. The fix for MS10-049 also contains the fix for 977377.

Overall, SSL failures have been widespread.

There have been security failures in closed-source frameworks used instead of open-source solutions like WordPress, Joomla, Drupal, or Mailman.

http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_i...
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress

Overall, it's simpler to get executable code into a Windows server to alter its function.

There is a constant stream of bugs in closed and open source. Yes, beginner-level bugs are turning up in Microsoft products as well. I can pull in others.

Even this recent OpenSSL bug on Linux still was not a remote "run whatever you like".

Population density/network effects make a weakness worse. But if Linux was having the same flaws as Windows a lot, we would be looking at disasters that make the recent OpenSSL flaw look minor.
