Google has patched some of its key user services in response to the Heartbleed security vulnerability, including updates to Search, Gmail, YouTube, Wallet, Google Play and App Engine, but some other services are still in the process of receiving patches.
The patch updates were announced by Matthew O’Connor, a Google product manager, in an April 9 post on the Google Online Security Blog.
“You may have heard of ‘Heartbleed,’ a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption,” wrote O’Connor. “We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this—and encourage others to report them—so that we can fix software flaws before they are exploited.”
Android users are not affected by the vulnerability, known as CVE-2014-0160, unless they are running Android 4.1.1, wrote O’Connor. Patching information for Android 4.1.1 is being distributed to Android partners, he added.
Other Google services are also affected, including Google Cloud SQL, Google Compute Engine and Google Search Appliances, wrote O’Connor.
“We are currently patching Cloud SQL, with the patch rolling out to all instances [April 9 and 10],” he wrote. “In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find instructions here.”
For Google Compute Engine, “Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL,” he wrote. “Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions here.”
An update for Google Search Appliance users will soon be on the way, he wrote. “Engineers are working on a patch. The GSA team is finalizing their analysis and will post an update for customers within 24 hours via the Google Enterprise Support Portal.”
The Heartbleed vulnerability is perhaps the most serious Internet security flaw in recent memory, affecting hundreds of millions of people, according to an earlier eWEEK report. The flaw is in OpenSSL, an open-source cryptographic library that implements the Secure Sockets Layer (SSL) and its successor TLS and is widely deployed on Linux servers and Internet infrastructure around the world.
On April 7, the OpenSSL project issued the original advisory, which did not use the name “Heartbleed” but described a “TLS heartbeat read overrun.” The heartbeat is a keep-alive extension to TLS and DTLS (RFC 6520) in which a peer sends a payload and expects it echoed back. The affected code trusted the payload length declared in the request rather than the length actually received, so a peer could ask for up to 64 KB of the process’s memory per heartbeat, without leaving anything in server logs.
Another eWEEK report listed steps that can be taken by network administrators to protect their users from the vulnerability. The good news is that the OpenSSL Project issued a fix almost immediately and passed it out as an update to Linux distributors, the story reported. The bad news is that this vulnerability has been around for two years.
If Heartbleed was used against any site you connect to, anything that passed through that server’s memory, including passwords and session cookies, may have been read, so at the very least you need to change your security credentials, including all of those passwords you never could remember. Do this only after the site has patched and replaced its certificate; a password set on a still-vulnerable server can leak just as the old one did.
If your company is vulnerable, meaning its servers run OpenSSL 1.0.1 through 1.0.1f with the heartbeat extension enabled (the older 0.9.8 and 1.0.0 branches do not contain the bug, and distributions may ship a backported fix under a 1.0.1e package version), then it should upgrade the OpenSSL library to version 1.0.1g or a patched distribution package, restart or reboot so that no process still uses the old library, and treat existing private keys as compromised: create a new private key, generate a certificate request, purchase a new certificate from the CA (certificate authority) and revoke the old one. The new keys must be installed for each Website supporting SSL/TLS (https: addresses), according to the report.
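The remediation steps above, and the reboot advice Google gave Compute Engine customers, as an added shell example that is not from the eWEEK report or Google’s post: it classifies an OpenSSL version string against the OpenSSL project’s affected list (1.0.1 through 1.0.1f and 1.0.2-beta1), finds processes still mapping a replaced libssl or libcrypto, and generates a fresh key and certificate request. The hostname and file names are placeholders; the version check is only a first screen, because distributions backport the fix without changing the version string.

```shell
#!/bin/sh
# Added example, not the article's or Google's own tooling.

# Return 0 (true) when an OpenSSL version string is on the Heartbleed-affected
# list: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 0.9.8, 1.0.0 and 1.0.1g are not.
# Caveat: distro packages such as Debian's 1.0.1e-2+deb7u7 carry a backported
# fix, so a "vulnerable" answer here means "check your package changelog".
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    1.0.2-beta1)      return 0 ;;
    *)                return 1 ;;
  esac
}

# Extract the version token from `openssl version` output,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f".
version_token() {
  printf '%s\n' "$1" | awk '{print $2}'
}

# After upgrading the library, list PIDs that still map a deleted (replaced)
# libssl/libcrypto. Those processes still run the vulnerable code, which is
# why Google told GCE customers to reboot every updated instance. Linux only.
stale_ssl_processes() {
  for maps in /proc/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    pid=${maps#/proc/}
    pid=${pid%/maps}
    if grep -qE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
      echo "$pid"
    fi
  done
}

# Generate a new private key and CSR for a host; the old key must be assumed
# leaked. Output: HOST.key (mode 600) and HOST.csr to hand to the CA, after
# which the old certificate should be revoked.
rekey_site() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$host.key" -out "$host.csr" -subj "/CN=$host" 2>/dev/null
  chmod 600 "$host.key"
}

# Stand-alone run: screen the installed library, if any, and report stragglers.
if command -v openssl >/dev/null 2>&1; then
  v=$(version_token "$(openssl version)")
  if heartbleed_affected "$v"; then
    echo "OpenSSL $v is on the affected list: upgrade, then rekey (e.g. rekey_site www.example.com)"
  else
    echo "OpenSSL $v is not on the affected list by version string"
  fi
  stale=$(stale_ssl_processes)
  [ -n "$stale" ] && echo "processes still using the old library: $stale"
fi
```

Run `rekey_site www.example.com` only after the upgraded library is in place and every process listed by `stale_ssl_processes` has been restarted; a key generated on a still-vulnerable server can be read out the same way as the old one.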