Heartbleed Saga Continues: Highlights of Vulnerability's First 30 Days

By Sean Michael Kerner  |  Posted 2014-05-07

On April 7, the Heartbleed vulnerability, one of the most impactful security incidents of the last decade, was first publicly disclosed. Technically, the Heartbleed flaw is identified as CVE-2014-0160 and called "TLS heartbeat read overrun." It is found within the open-source OpenSSL cryptographic library, which provides Secure Sockets Layer (SSL) encryption capabilities for data in transit. OpenSSL is widely deployed on servers and embedded devices, which is one of the many reasons why Heartbleed has been able to wreak so much havoc. Heartbleed could potentially enable an attacker to read the memory from a vulnerable server, which could lead to data theft.

Only Google and CloudFlare were made aware of the flaw before it was first publicly disclosed, while other vendors were left scrambling to rapidly issue patches to users. While patches were made available on most platforms within days of the initial advisory, users of some mobile apps have been left at risk. The flaw also triggered a shutdown of the Canada Revenue Agency (CRA) Website, which delayed the tax filing deadline for millions of Canadians. Security firm FireEye reported that one of its clients had been attacked through the Heartbleed vulnerability by way of a virtual private network (VPN) connection.

In this slide show, eWEEK takes a look back at some of the key developments in the first 30 days of the Heartbleed vulnerability.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.
