Am I affected by the Heartbleed bug?
April 13th, 2014 9:30 pm
YES. If you use SSL/TLS (which is in HTTPS, secure instant messaging, secure email or other “secure” services online), then there is a better than 60% chance you are affected or have an account that was vulnerable.
What can you do about it?
Get informed. Here is a little information on what it is, what it affects and how to protect yourself and/or organization.
Why should you be concerned?
This weakness allows attackers to steal information you thought was protected. So banks, hospitals, and other critical resources may have been susceptible to the vulnerability for years.
As mentioned above, SSL/TLS provides security for banking, online shopping, instant messaging, email and other services. The Heartbleed vulnerability allows anyone on the Internet to read the memory of the systems protected by vulnerable versions of OpenSSL. If someone can read the memory of the system, they can access the secret keys used to identify the service providers and to encrypt the traffic, as well as the names and passwords of users.
More on Heartbleed:
Heartbleed is a major vulnerability in OpenSSL. This vulnerability has been known since 2012 or 2011 by the NSA and others. The NSA used it as a method of infiltrating systems for spying (rather than notifying the good citizens of Earth). The NSA is not winning friends lately.
What versions of OpenSSL are affected?
Users and service providers using OpenSSL 1.0.1 through 1.0.1f.
Who is Safe?
According to Codenomicon's site http://heartbleed.com/
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
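To check your own systems against the version list above, the following added example (not from heartbleed.com or the OpenSSL project) classifies version banners of the kind printed by `openssl version`. The function name, result labels and sample banners are assumptions made for illustration.

```python
import re

# Version ranges exactly as listed on this page:
#   1.0.1 through 1.0.1f      -> vulnerable
#   1.0.1g                    -> not vulnerable (fix release)
#   1.0.0 and 0.9.8 branches  -> not vulnerable
# Caveat: some distributions backport the fix without changing the upstream
# version letter, so a "vulnerable" result means "check the vendor advisory
# for the installed package", not proof that the host is exposed.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def classify(banner):
    """Classify an OpenSSL version banner (hypothetical helper)."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unparsed"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)  # "" for plain 1.0.1, "e" for 1.0.1e, ...
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"
    if branch != (1, 0, 1):
        return "not listed"  # branch this page says nothing about
    # Within 1.0.1: "" sorts before "a", so plain 1.0.1 counts as vulnerable.
    # Letters after "g" are releases that follow the fix.
    return "vulnerable" if letter <= "f" else "not vulnerable"

def audit(banners):
    """Map each banner to its classification, preserving input order."""
    return [(b, classify(b)) for b in banners]

# Constructed sample inventory (not taken from any real host).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1e-fips",
    "OpenSSL 1.0.1f",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0k",
    "OpenSSL 0.9.8y",
    "OpenSSL 1.0.2-beta1",
    "LibreSSL unknown build",
]

if __name__ == "__main__":
    for banner, verdict in audit(SAMPLE_BANNERS):
        print(f"{verdict:15} {banner}")
```

A "not listed" result means the version falls outside the branches named on this page and has to be checked against the vendor's own advisory.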
More on Heartbleed:
In the news: http://abclocal.go.com/kgo/video?id=9498581
CVE-2014-0160
