It’s been just over 48 hours after the disclosure of the news about the Heartbleed vulnerability, the serious flaw which affect OpenSSL library that allows an attacker to reveal up to 64kB of memory to a connected client or server.
There are many assumptions made in these days, the bug is the result of a programming error or has been intentionally introduced? And by whom? As usual happen in these cases, security experts try to evaluate the impact of the vulnerability.
The Heartbleed bug is probably the biggest security threats in the story of the Internet, it affected many popular websites and web services including Facebook and Gmail, but the disconcerting truth is that the flaw could have exposed users’ sensitive account information over the past two years. Another aspect to consider is that probably Governments, just after the disclosure of Heartbleed vulnerability, immediately started to exploit the flaw to collect these precious information.
“My guess is that when Heartbleed became public, the top 20 governments in the world started exploiting it immediately,” commented Bruce Schneier.
But I add that probably many of the 20 governments were already aware of the flaw with critic consequences.
A good starting point could be the evaluation of the Top Level Domain (TLD) names of the top 1,000,000 domains ranked by Alexa.
Experts at TrendMicro have analyzed all websites which use SSL distinguishing “vulnerable” from “safe”, nearly 5% are affected by the Heartbleed flaw (CVE-2014-0160) have extension .KR and .JP. It’s interesting to note that top five countries include .RU, .CN and GOV sites.
On the other hand, countries like France and India have a low number of vulnerable websites under FR and IN TLDs.
“We just think of a few theories why this is so. Maybe they haven’t updated to the version of OpenSSL, which was vulnerable. They could also have immediately patched vulnerable sites. Another possible reason is that these countries don’t use much machines with the most recent versions of Linux.” commented Maxim Goncharov, Senior Threat Researcher at TrendMicro
Web portal Ars Technica reported that MediaMonks of the Netherlands had evidence of exploit attempts going back to November 2013, the source IP addresses for those attacks belong to a botnet.
Net monitoring company Netcraft suggested that nearly 500,000 servers were vulnerable to the Heartbleed bug, I’m using the past verb because the situation is in continuous evolution.
“Our most recent SSL Survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings.” reports Netcraft.
In the above graph it is possible to note that just a small percentage of Microsoft web servers support the TLS heartbeat extension, as remarked by Netcraft Linux machines acting as reverse proxy front ends to Windows servers are most affected.
It is strongly suggested to revoke and replace certificates at risk of compromise, website administrators are invited to update OpenSSL.
To check if your HTTPS website might be vulnerable you can used the following form proposed by Netcraft.
Let me close with a list published by Mashable that contains the principal web companies and provide information for the update status of their platform suggesting users to change their password if needed.
(Security Affairs – OpenSSL, Heartbleed)