Security researchers at Trend Micro are warning about a vulnerability called "Heartbleed" in several versions of OpenSSL, the open source library that implements SSL/TLS, the technology that helps protect information in transit on the Internet.
OpenSSL added support for the TLS/DTLS Heartbeat extension (RFC 6520) at the end of December 2011 and shipped it in its 1.0.1 release in March 2012. The extension provides a keep-alive mechanism: one side sends a heartbeat request carrying an arbitrary payload and the other side echoes it back, so an SSL/TLS session can be kept alive without renegotiating or reestablishing it.
OpenSSL is used by many websites and software products, from web servers such as Apache and nginx to email servers, chat servers, virtual private networks (VPNs), network appliances, and even mobile apps and operating systems.
Consequently, because the Heartbeat extension is compiled in by default, it is present on a very large installed base, making the scope of this vulnerability wide indeed.
The vulnerability, dubbed the Heartbleed bug (CVE-2014-0160), exists in OpenSSL 1.0.1 through 1.0.1f on any build that includes the Heartbeat extension; it is fixed in 1.0.1g. When exploited against a vulnerable server, it allows an attacker to read a portion (up to 64 KB) of the process's memory per request, and the request can be repeated indefinitely, without leaving any trace in the server's logs.
"The Heartbleed vulnerability is a problem that affects SSL. You encounter SSL most likely when you shop online or enter sensitive information on a site and see the 'lock' that tells you your information is protected," said TrendLabs security focus lead Paul Oliveria.
If the leaked memory contains the server's private key, attackers can unravel the website's security: they can impersonate the site, decrypt traffic between users and the site that they are in a position to intercept, and decrypt any traffic they recorded earlier, unless those sessions negotiated forward-secret cipher suites.
"This means that sensitive information like private keys, passwords, credit card information, or other personal information could have been exposed to others multiple times without your knowledge and consent," Oliveria said.
At its core, the Heartbleed bug is a simple and common programming error: a missing bounds check. A heartbeat request carries a payload and a 16-bit field stating the payload's length. The vulnerable code trusts that field and copies that many bytes from the received record into the response, without checking that the record actually contains that many bytes. A client that sends a tiny payload with a declared length of 65535 therefore gets its payload back followed by up to 64 KB of whatever happened to sit next to the record in the server's memory. It is not an authorization failure: the server never intended to send that memory to anyone.
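The following is an added example, written for this article rather than taken from OpenSSL or Trend Micro, that reproduces the error in miniature. A vulnerable handler modelled on OpenSSL 1.0.1 through 1.0.1f trusts the client-supplied length field; a fixed handler applies the two length checks that OpenSSL 1.0.1g added. The "secret" string, the 256-byte arena that stands in for adjacent heap memory, and the function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16      /* RFC 6520: at least 16 bytes of padding follow the payload */
#define ARENA_SIZE 256      /* constructed: record plus the memory that happens to follow it */

/* Constructed stand-in for whatever the heap held next to the record
 * (session cookies, passwords, key material). */
static const char SECRET[] = "SECRET:cookie=sessionid-1234";

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len,
                             uint8_t *resp, size_t resp_cap);

/* Serialize a heartbeat request: type(1) | payload_length(2) | payload | padding(16).
 * declared_len may differ from actual_len; that mismatch is the whole attack. */
static size_t build_heartbeat(uint8_t *out, uint16_t declared_len,
                              const uint8_t *payload, size_t actual_len)
{
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(declared_len >> 8);
    out[2] = (uint8_t)(declared_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Parse the header and write the echo response; shared by both handlers. */
static size_t echo_payload(const uint8_t *rec, uint8_t *resp, size_t resp_cap)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t out_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (rec[0] != HB_REQUEST || out_len > resp_cap)  /* guards only the output buffer */
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);  /* copies `payload` bytes, however many the record holds */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out_len;
}

/* Vulnerable handler: the client-supplied length is never compared with rec_len. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                                   /* the bug: rec_len is never consulted */
    return echo_payload(rec, resp, resp_cap);
}

/* Fixed handler, mirroring the two checks added in OpenSSL 1.0.1g. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *resp, size_t resp_cap)
{
    if (1 + 2 + HB_PADDING > rec_len)                /* too short for header plus padding */
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                    /* silently discard, per RFC 6520 section 4 */
    return echo_payload(rec, resp, resp_cap);
}

/* Does buf[0..len) contain the bytes of needle (terminating NUL excluded)? */
static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send one request (2-byte payload "hi", declared length `declared`) through `handler`.
 * resp must hold ARENA_SIZE bytes; returns the response length, 0 if dropped. */
size_t run_request(hb_handler handler, uint16_t declared, uint8_t *resp)
{
    uint8_t arena[ARENA_SIZE] = {0};
    size_t rec_len = build_heartbeat(arena, declared, (const uint8_t *)"hi", 2);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);  /* SECRET sits right after the record */
    return handler(arena, rec_len, resp, ARENA_SIZE);
}

size_t response_len(hb_handler handler, uint16_t declared)
{
    uint8_t resp[ARENA_SIZE];
    return run_request(handler, declared, resp);
}

int response_leaks_secret(hb_handler handler, uint16_t declared)
{
    uint8_t resp[ARENA_SIZE];
    size_t n = run_request(handler, declared, resp);
    return n > 0 && contains(resp, n, SECRET);
}

int main(void)
{
    printf("vulnerable, declared 64: %zu bytes back, leaks secret: %d\n",
           response_len(heartbeat_vulnerable, 64), response_leaks_secret(heartbeat_vulnerable, 64));
    printf("fixed, declared 64:      %zu bytes back, leaks secret: %d\n",
           response_len(heartbeat_fixed, 64), response_leaks_secret(heartbeat_fixed, 64));
    printf("fixed, honest request:   %zu bytes back\n", response_len(heartbeat_fixed, 2));
    return 0;
}
```

With a 2-byte payload and a declared length of 64, the vulnerable handler answers with 83 bytes that include the string placed after the record, while the fixed handler drops the request and still answers an honest request (declared length 2) with the expected 21-byte echo. The real bug differs only in scale: a declared length of 65535 and a heap full of live connection state.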
Since the underlying fix is one that website operators have to apply themselves (upgrading to OpenSSL 1.0.1g or a patched build, restarting the affected services, and then replacing private keys and certificates that may have been exposed), there are several steps individuals can take to mitigate the effects of the Heartbleed vulnerability:
1. Make sure you are running up-to-date security software on all your systems.
2. Watch for suspicious activity of any kind, particularly on your online accounts and your financial accounts.
3. Change passwords promptly for sites (e.g. webmail accounts, online financial accounts) that recommend you do so, but only after the site confirms it has been patched; a new password entered on a still-vulnerable site can be leaked just like the old one.