cancel
Showing results for 
Search instead for 
Did you mean: 
Silver VIP

Silly sysadmins ADDING Heartbleed to servers

'Heartbroken' admins add to problem of myriad unpatched boxen

 

At least 2500 website administrators have made their previously secure sites vulnerable to Heartbleed more than a month after the bug sent the world into a hacker-fearing frenzy.

Opera Software developer Yngve Pettersen discovered the bungle while probing for Heartbleed vulnerable systems in the weeks after the bug was disclosed on April 7.

 

Heartbleed was a widespread input validation security vulnerability affecting the heartbeat extension used in OpenSSL which allowed passwords, sensitive private keys and session cookies to be potentially stolen. The bug was patched on the day of disclosure.

 

With his TLS Prober tool in hand, Petterson pinged half a million separate servers of sites rated as popular by Alexa and found hapless admins had, presumably in a panic, updated their then-unaffected-or-possibly-new boxes to the latest offering and in doing so introduced the Heartbleed bug.

He found about 20 per cent of scanned vulnerable servers and 32 per cent of those running F5 BigIP servers were new to the Heartbleed club as administrators had introduced the vulnerability.

 

The number of BigIP boxes coming online had doubled in the last month he said, indicating a run of purchases.

"It is difficult to definitely say why this problem developed, but one possibility is that all the media attention led concerned system administrators into believing their system was unsecure [which] combined with administrative pressure and a need to 'do something' led them to upgrade an unaffected server to a newer but still buggy version ... not yet officially patched," he said, dubbing the new fail boxes "Heartbroken".

 

Full Article

 

1 REPLY
Community Expert Advisor

Re: Silly sysadmins ADDING Heartbleed to servers

Well..., these are quite staggering news Smiley Surprised

Thanks Petr!

Sr. Community Leader

Beta Tester



WEBROOT® SecureAnywhere™ Internet Security Complete Beta
macOS Sierra & Windows 10 Pro 64