Heartbleed Saga Continues: Highlights of Vulnerability’s First 30 Days

By Sean Michael Kerner

The OpenSSL Project first disclosed CVE-2014-0160 on April 7, noting that “a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.”

Security vendor Codenomicon branded the CVE-2014-0160 vulnerability as “Heartbleed” and created the Heartbleed.com Website to provide information about the issue. Codenomicon is also credited alongside Google for discovering the flaw.

While most of the world was completely unaware of Heartbleed until April 7, cloud security vendor CloudFlare was given advance notice and was able to patch early.

The branding and disclosure of Heartbleed was the cause of some angst. “From my perspective, it really feels like this Finnish security firm [Codenomicon] played Heartbleed as a marketing and PR play in the name of security,” John Edgar, chief technology evangelist at DigitalOcean, told eWEEK. “That’s a shame and will likely encourage other people to do the same.”

The Canada Revenue Agency (CRA), which is the Canadian equivalent of the U.S Internal Revenue Service (IRS), was attacked with Heartbleed. The CRA delayed the tax filing for millions of Canadian as a result of Heartbleed from April 30 to May 5.

In connection with the Heartbleed attack against the CRA, the Royal Canadian Mounted Police arrested a 19-year-old student.

In addition to Web servers, VPNs are also at risk from Heartbleed. Security vendor FireEye’s Mandiant division disclosed that one of its clients had been attacked with Heartbleed to circumvent a VPN connection.

The Heartbleed flaw also impacts Android and has led to multiple firms releasing scanners to detect the issue. According to security firm FireEye, many of those scanners don’t work and up to 150 million Android app downloads are potentially at risk from Heartbleed.

On April 24, the Linux Foundation announced the Core Infrastructure Initiative, backed by VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco. The goal of the effort is to help fund developers working on OpenSSL and other critical Internet infrastructure projects.

One of the responses to Heartbleed came from the OpenBSD open-source operating system project, which decided to fork OpenSSL into the new LibreSSL project.

Although there was widespread media coverage of the Heartbleed vulnerability, a study from the Pew Research Center found that less than half of Internet users have actually taken steps to protect themselves.