Linked by Thom Holwerda on Tue 8th Apr 2014 22:06 UTC
Privacy, Security, Encryption

Heartbleed, a long-undiscovered bug in cryptographic software called OpenSSL that secures Web communications, may have left roughly two-thirds of the Web vulnerable to eavesdropping for the past two years. Heartbleed isn't your garden-variety vulnerability, so here's a quick guide to what it is, why it's so serious, and what you can do to keep your data safe.

Serious.

Thread beginning with comment 586827
To view parent comment, click here.
To read all comments associated with this story, please click here.
oiaohm
Member since:
2009-05-30

http://technet.microsoft.com/en-us/security/bulletin/MS10-049

BallmerKnowsBest read your own link. It details a flaw that does not come from protocol alone. No matter how badly you implement SChannel you should not end up with means to do remote code execution. If you can execute code you can request particular pages of memory. Microsoft had buffer overflow into executable space if you left protocol back in 2010. Should not have been possible if NX extensions and memory allocation in cpu had been used correctly.

MS10-049 is in fact for means to collect data worse than the current OpenSSL flaw. Current openssl flaw you get random blocks of data not exact data requests. The SChannel flaw in windows back in 2010 also worked in reverse from client to server. Luckily there are not many MS Windows servers on the internet.

Yes on scale of SSL screwups in implementations the current OpenSSL is not the worst that has happened. Heck even the Microsoft SChannel flaw is not the worst.

Yes you are right its was a flaw in the TLS/SSL protocol but Microsoft implementation managed to handle it worse than everyone else. Insanely worse.

The problem here is every SSL implementation closed or open has been having major issues. Still there is no unified test suite to confirm that a implementation is to standard. You will have some idiots come out and say its because of lack of professional management... Reality its more lack of conformance testing. Like most web browsers should not be SSL conforming because they don't check if SSL certificates are revoked or not.

Reason why SSL works is more good luck than management.

Are we going to wake up now and demard good management. I don't think would be a good idea to attempt to hold by breath waiting.

Reply Parent Score: 1

BallmerKnowsBest Member since:
2008-06-02

http://technet.microsoft.com/en-us/security/bulletin/MS10-049

BallmerKnowsBest read your own link. It details a flaw that does not come from protocol alone.


Try following some of the links from that page, which would quickly lead you to this:

http://support.microsoft.com/kb/977377

This workaround provides system administrators a way to help protect all clients that connect to a server from exploitation by using the vulnerability described in security advisory 977377. The workaround achieves this by disabling TLS/SSL renegotiation. This is the component of the TLS/SSL protocol that is vulnerable to this issue.

(emphasis: mine)

Or you could read the 2nd link I posted, which detailed how vulnerability to the TLS renegotiation issue was by no means limited to Microsoft's software.

So yes, the UNDERLYING flaw came from flaws in the protocol itself - the problems with Microsoft's implementation made the problem worse, but they obviously weren't the sole/primary cause of the problem.

MS10-049 is in fact for means to collect data worse than the current OpenSSL flaw.


Yeahhhhhhh... [citation needed]. I'm guessing you missed this minor detail in the MS10-049 summary:

In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site.


As opposed to the current OpenSSL flaw, where your login credentials can be exposed simply by signing in to a vulnerable server.

And was there any evidence that the SChannel flaw was ever actually exploited "in the wild"? Because I've already seen some fairly dramatic demonstrations of Heartbleed - E.g. comments in an ArsTechnica thread from someone who was able to retrieve another user's credentials and then login & comment from their account:

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-open...
(the linked comment and the one directly after it are the relevant ones)

Current openssl flaw you get random blocks of data not exact data requests.


Oh, well I'm sure that be an immense comfort to any people whose online accounts are compromised because of this flaw...

Luckily there are not many MS Windows servers on the internet.


Hahahaha, yeah, only about... say, a third of all public-facing servers on the internet. Oh, and remind me: what was the estimate as to number of the servers on the internet that were vulnerable to Heartbleed? Something like two-thirds, wasn't it...?

To the extent that I can glean a point from your post, it seems like an attempt to deflect criticisms that no one has actually made. Before it, I haven't seen anyone try to ascribe the problem to the open source model as a whole (or anyone other than the OpenSSL developers directly responsible for it). Nor did I realize that the number & severity of SSL implementation flaws was the subject of a contest between open source and Microsoft/closed source.

If the shoe were on the other foot, I have no doubt that the usual FLOSS ideologues would immediately pounce on it as "proof" of the inferiority of Microsoft's software - if not the closed-source development model as a whole. Yet you usually don't see people making the same lazy conclusions in reverse, no matter how many times a lax approach to security in open source software development enables things like Darkleech or Heartbleed... not to mention the constant stream of recent problems caused by beginner-level security failures in open source web applications like WordPress, Joomla, Drupal, or Mailman (AKA "the backscatter spammer's best friend").

BUT, since you brought it up: if you really want to keep score, then it's pretty clear that Heartbleed has vaulted open source into the "lead" as far as SSL-related security failures go. As you alluded to earlier, Linux is more widely-used as a server OS - and now Linux & the open source community at large are starting to experience the inevitable downsides of population density/network effects (WRT security & malware) that Windows has been subjected to on the desktop for years.

Reply Parent Score: 3

oiaohm Member since:
2009-05-30

BallmerKnowsBest if you download metasploit you will find a demo of reverse back to webserver using MS10-049.

With MS10-049 we were lucky. Heartbleed not lucky. This is the thing with these flaws some we are lucky some we are not.

Interesting enough lots of Windows servers are behind Linux load balancers and filters. Some sites using Windows were got by Heartbleed because their Linux Balancer got hit yet those same Linux load balancers blocked other attacks. Why the load balancer is doing the ssl decode. Its way less than 1/3 of servers on the Internet that have Windows servers with internet facing ssl. You are looking at basically 90 percent Linux when you look at what is decoding ssl.

http://support.microsoft.com/kb/977377 and MS10-049 are two exploits. The fix for MS10-049 also contains the fix for 977377.

Over all SSL falures have been broad spread.

There have been security failures in closed source frameworks to use instead of open source solutions like WordPress, Joomla, Drupal, or Mailman.

http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_i...
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress

Over all its simpler to get executable code into a Windows server to alter its function.

There are constant stream of bugs in closed and open source. Yes beginner level bugs are turning up in Microsoft products as well. I can pull in other.

Even this recent openssl bug on Linux still was not remote run what ever you like.

population density/network effects makes a weakness worse. But if Linux was having the same flaws as windows a lot we would be looking at disasters that make the recent openssl flaw look minor.

Reply Parent Score: 2