Heartbleed is a widespread security vulnerability that affects web servers, other types of servers, routers and other devices, email clients and other applications.
The Heartbleed bug was discovered only last week, and is being patched. However, patching this security flaw is taking a lot longer than anticipated.
Why is Heartbleed so dangerous?
The problem is a flaw in software known as OpenSSL. About two-thirds of all websites use OpenSSL to secure data that transits the Internet.
The extent of the problem will become more apparent in the days and months to come, as hundreds of thousands of websites that rely on OpenSSL will need to repair their security and encryption. In the meantime, cyber thieves may obtain passwords and personal data from those websites before they are patched.
Who’s Affected, And Who’s Not?
Google, Facebook, Dropbox and many other well-known sites have been patched, but there may be more than half a million websites that are still vulnerable.
At the Canadian tax-collection agency, around 900 people had their private information compromised because of the Heartbleed bug, and this was just one of the many organisations around the world affected by it.
Mark Gazit, CEO of ThetaRay, recently provided this forecast on Heartbleed: “… while patching will offer some repair, the gloomy forecast is that Heartbleed will live on, well after patches are issued and applied. The bug is so far-reaching into internal networks, server communications, and products that were already shipped out to end users that it will take a very long time until it is completely fixed.” [Source: RedOrbit]
Note: Microsoft IIS-based websites, Microsoft servers and products are NOT affected by Heartbleed.
What Else Is Affected?
Apart from websites, Heartbleed also affects client software such as web clients, email clients, chat clients, FTP clients, mobile applications, VPN clients and software updaters.
In addition, it can affect proxy servers, media servers, game servers, database servers, chat servers and FTP servers. Finally, hardware devices are not immune to the vulnerability: it can affect routers and PBXes (business phone systems).
How Can I Mitigate The Impact?
- Change your password on Gmail, Facebook, Dropbox and any other websites you use that announce they have patched their website for Heartbleed.
- Experts have predicted that patches and fixes around the Internet may take 12 months or more to complete, so continue to update your password on other websites, as and when they apply patches and fixes for Heartbleed.
- Ask your IT provider whether your business-critical data or applications depend on websites, servers, routers or other devices that could be affected by Heartbleed. If so, ask them to contact the vendor for a security patch, if one is available.
- Ensure that your IT provider keeps your business computers and servers secured, patched and updated 24 x 7, all year round.