Heartbleed saga continues: highlights of vulnerability's first 30 Days


by Sean Michael Kerner
 
On April 7, the Heartbleed vulnerability, one of the most impactful security incidents of the last decade, was first publicly disclosed. Technically, the Heartbleed flaw is identified as CVE-2014-0160 and called "TLS heartbeat read overrun".
It is found within the open-source OpenSSL cryptographic library, which provides Secure Sockets Layer (SSL) encryption capabilities for data in transit. OpenSSL is widely deployed on servers and embedded devices, which is one of the many reasons why Heartbleed has been able to wreak so much havoc. Heartbleed could potentially enable an attacker to read the memory of a vulnerable server, which could lead to data theft.

Only Google and CloudFlare were made aware of the flaw before it was first publicly disclosed, while other vendors were left scrambling to rapidly issue patches to users. While patches were made available on most platforms within days of the initial advisory, users of some mobile apps have been left at risk.

The flaw also triggered a shutdown of the Canada Revenue Agency (CRA) website, which delayed the tax filing deadline for millions of Canadians. Security firm FireEye reported that one of its clients had been attacked with the Heartbleed vulnerability by way of a virtual private network (VPN) connection. In this slide show, eWEEK takes a look back at some of the key developments in the first 30 days of the Heartbleed vulnerability.
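The "read overrun" the article names comes down to one missing bounds check: a heartbeat message carries a 2-byte payload_length chosen by the peer, and the vulnerable code copied that many bytes without confirming the record actually contained them. The following C snippet is an added example, not code from the article, from eWEEK, or from OpenSSL; the function names hb_validate and hb_build and the sample records are constructed here. It parses a heartbeat body per the RFC 6520 layout (type, payload_length, payload, at least 16 bytes of padding) and refuses any message whose declared length exceeds the bytes that were received, which is the defensive check a patched implementation performs before touching the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout: 1-byte type, 2-byte big-endian
 * payload_length, payload, then at least 16 bytes of random padding. */
#define HB_HEADER_LEN 3u
#define HB_MIN_PADDING 16u
#define HB_TYPE_REQUEST 1u

enum hb_status { HB_OK = 0, HB_TOO_SHORT = 1, HB_OVERDECLARED = 2 };

/* Validate the heartbeat body of a received TLS record before any copy.
 * record_len is the number of bytes that actually arrived on the wire.
 * Returns HB_OVERDECLARED when the peer's payload_length claims more
 * bytes than the record holds; with this check in place the message is
 * dropped instead of being answered from memory beyond the record. */
enum hb_status hb_validate(const uint8_t *record, size_t record_len,
                           uint16_t *out_payload_len)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;

    uint16_t payload_len = (uint16_t)(((uint16_t)record[1] << 8) | record[2]);

    /* Compare in size_t so the sum cannot wrap in a 16-bit type. */
    if ((size_t)HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > record_len)
        return HB_OVERDECLARED;

    if (out_payload_len)
        *out_payload_len = payload_len;
    return HB_OK;
}

/* Constructed helper (not a library API): write a heartbeat record into
 * buf with an arbitrary declared length and the given real payload,
 * followed by the minimum padding. Returns the record length, or 0 if
 * buf is too small. */
size_t hb_build(uint8_t *buf, size_t buf_size, uint16_t declared_len,
                const uint8_t *payload, size_t payload_len)
{
    size_t total = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (total > buf_size)
        return 0;
    buf[0] = HB_TYPE_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, payload_len);
    /* 0xAA stands in for random padding in this constructed sample. */
    memset(buf + HB_HEADER_LEN + payload_len, 0xAA, HB_MIN_PADDING);
    return total;
}

/* Constructed sample 1: honest request, declared length matches payload. */
enum hb_status hb_check_honest(void)
{
    static const uint8_t payload[] = { 'p', 'i', 'n', 'g' };
    uint8_t buf[64];
    size_t n = hb_build(buf, sizeof buf, 4, payload, sizeof payload);
    return hb_validate(buf, n, NULL);
}

/* Constructed sample 2: 4 real payload bytes, but payload_length claims 0xFFFF. */
enum hb_status hb_check_overdeclared(void)
{
    static const uint8_t payload[] = { 'p', 'i', 'n', 'g' };
    uint8_t buf[64];
    size_t n = hb_build(buf, sizeof buf, 0xFFFF, payload, sizeof payload);
    return hb_validate(buf, n, NULL);
}

int main(void)
{
    printf("honest request: %d (0 = accepted)\n", hb_check_honest());
    printf("over-declared request: %d (2 = dropped)\n", hb_check_overdeclared());
    return 0;
}
```

The point of the comparison in hb_validate is that the declared length is attacker-controlled input and the received record length is the only trustworthy bound; any copy or echo of the payload must be sized by the smaller of the two, and the RFC's instruction is to discard a malformed message silently rather than reply to it.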
 
Full Article
