Heartbleed: Facebook, Twitter, Amazon and Google react to gaping security hole

Technology vendors have moved to allay customers' concerns about the newly disclosed Heartbleed flaw in the OpenSSL implementation of the Transport Layer Security (TLS) protocol.
The vulnerability was discovered by researchers at the Finnish company Codenomicon and is believed to affect millions of web servers around the world.
Though the US Computer Emergency Readiness Team (US-CERT) has published a list of known affected vendors, the full scale of the flaw remains unknown. Its potential for harm is significant because OpenSSL is used for encryption by open-source web servers such as Apache and Nginx, which together host 66 percent of all sites.

V3 has collected statements and guidance from key companies to help ascertain the full impact of the Heartbleed flaw.

Facebook
"We added protections for Facebook's implementations of OpenSSL before this issue was publicly disclosed, and we haven't detected any signs of suspicious activity on people's accounts. We're continuing to monitor the situation closely."

Microsoft
"Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows' implementation of SSL/TLS was also not impacted."

Google
"We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine."

Google also confirmed that the vulnerability affects its Cloud SQL, Compute Engine, Search Appliance and Android services, and promised that patches for them would arrive in the very near future.

The Android vulnerability oddly affects only the 4.1.1 Jelly Bean version. The Cloud SQL and Google Compute Engine fixes are slightly more involved and require separate action from users.

As explained by Google: “We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances.

“[Google Compute Engine] customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library.”
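The reboot Google asks for exists because upgrading the OpenSSL package replaces the library on disk, but any process that was already running keeps the old, vulnerable copy mapped in memory until it is restarted. The following script is an added example, not Google's tooling or anything from the original page; it checks an instance for processes still using a replaced libssl/libcrypto by looking for mappings the kernel marks "(deleted)" in /proc/<pid>/maps. The sample map lines at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from Google or the original article): after an OpenSSL
# package upgrade, find processes that still have the OLD library mapped.
# Linux marks a mapped file that has been replaced on disk as "(deleted)" in
# /proc/<pid>/maps, which is exactly the state a reboot or restart clears.

# Reads /proc-style maps text on stdin; prints "stale" if a libssl or
# libcrypto mapping points at a deleted (i.e. replaced) file, else "clean".
stale_openssl_in_maps() {
    if grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' >/dev/null; then
        echo stale
    else
        echo clean
    fi
}

# Walks every process on the host and prints "<pid> <cmdline>" for each one
# that still uses a replaced OpenSSL library. Processes whose maps file is
# not readable (other users' processes when not run as root) are skipped.
report_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if state=$(stale_openssl_in_maps < "$maps" 2>/dev/null); then
            if [ "$state" = stale ]; then
                cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
                echo "$pid $cmd"
            fi
        fi
    done
}

# Constructed sample lines in the format /proc/<pid>/maps uses: the first is
# what a process started before the upgrade shows, the second a healthy one.
SAMPLE_STALE='7f3c2a000000-7f3c2a1c0000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
SAMPLE_CLEAN='7f3c2a000000-7f3c2a1c0000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Demonstrate the classifier on the constructed samples; pass --scan to walk
# the live host instead (run as root to see every process).
case "${1-}" in
    --scan) report_stale_processes ;;
    *)
        printf 'sample stale line -> %s\n' "$(printf '%s\n' "$SAMPLE_STALE" | stale_openssl_in_maps)"
        printf 'sample clean line -> %s\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | stale_openssl_in_maps)"
        ;;
esac
```

Run it with `--scan` as root on the upgraded instance; an empty report means every process is on the new library, while any listed PID (typically a web server, sshd or a daemon started at boot) needs a restart, which is why a full reboot is the simplest complete fix. Where lsof is installed, `lsof -d DEL` gives a similar view of deleted mapped files across all processes.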

Amazon
Amazon has warned customers that the vulnerability affects its Elastic Load Balancing, Amazon Elastic Compute Cloud (EC2), AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront services.
The Elastic Load Balancing components affected by the flaw have been updated, though Amazon recommended: “As an added precaution, we recommend that you rotate your SSL certificates using the information provided in the Elastic Load Balancing documentation.” Rotation here means issuing a certificate on a newly generated private key, since the flaw can expose server memory that holds the old one.

The firm also recommended: “Amazon EC2 customers using OpenSSL on their own Linux images should update their images in order to protect themselves from the Heartbleed bug.”

An update is available for AWS OpsWorks, and Amazon says it has already mitigated the issue affecting its CloudFront service.

The company’s AWS Elastic Beanstalk is the only service that remains unfixed, though Amazon confirmed: “We are working with a small number of customers to assist them in updating their SSL-enabled single-instance environments that are affected by this bug.”

Twitter
"On 7 April 2014 we were made aware of a critical vulnerability in OpenSSL (CVE-2014-0160), the security library that is widely used across the internet and at Twitter. We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation."
