Windows 7 Forums


Windows 7: Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Inter

09 Apr 2014   #1

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet

Quote:
This afternoon, many of the net security people I know are freaking out. A very serious bug in OpenSSL — a cryptographic library that is used to secure a very, very large percentage of the Internet’s traffic — has just been discovered and publicly disclosed.

Even if you’ve never heard of OpenSSL, it’s probably a part of your life in one way or another — or, more likely, in many ways. The apps you use, the sites you visit; if they encrypt the data they send back and forth, there’s a good chance they use OpenSSL to do it. The Apache web server that powers something like 50% of the Internet’s web sites, for example, utilizes OpenSSL.

Through a bug that security researchers have dubbed “Heartbleed”, it seems that it’s possible to trick almost any system running any version of OpenSSL from the past 2 years into revealing chunks of data sitting in its system memory.
Source

A Guy



09 Apr 2014   #2

Windows 7 Home Premium 64bit (Service Pack 1)
 
 

Yikes. Is there a way to find out which sites I should update my security details on, and when it will be safe to do so?
09 Apr 2014   #3

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Ran a search https://www.google.com/search?q=http...-a&channel=rcs, and came up with this: OpenSSL Heartbeat Vulnerability Check (Heartbleed Checker)

Would it be what you're looking for?

More:
Quote:
OpenSSL Security Advisory [07 Apr 2014]
================================
TLS heartbeat read overrun (CVE-2014-0160)
================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g.

Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.

Source: https://www.openssl.org/news/secadv_20140407.txt
Be prepared to wait a bit, it took several tries and more than a few seconds to reach OpenSSL: https://www.openssl.org/


09 Apr 2014   #4

Windows 7 64-bit, Windows 8.1 64-bit, OSX Maverick
 
 

The older versions of OpenSSL, still very much prevalent, are not vulnerable. Unfortunately, there's no way of knowing which version a given site has in place. Nor is it known which sites had been exploited using this vulnerability during the last two years. Patching the server will remove the vulnerability; however, there's no way of knowing if the private key of the SSL cert had been compromised. As such, without replacing the SSL cert, the sites that had been vulnerable to this exploit should still be considered compromised.

Getting the content of the memory in 64k chunks ain't no small vulnerability, and it leaves no traces on the server of having done it, but... It's almost like finding a needle in a haystack. To put that into perspective, eight GB of memory has about 134,000 64k chunks. Sifting through these chunks isn't a small task, even if it is scripted.

Since the private key of the SSL cert is cached in the memory, the cert can be obtained. The attacker could use it to masquerade as the server with the faux SSL cert, useful for the MITM attack. On the surface, it seems that a MITB attack, which does not require any SSL keys, is easier to pull off.

The other use for the private key is for institutions that have access to capturing the network traffic to a given site. For example, intelligence agencies that capture/monitor this traffic would have a much easier time decrypting the content of the SSL traffic than with the traditional brute force method. They could view the traffic instantly, or live, if they so desire, and store it in plain text for later use.

Which brings up a question...

<tinfoil hat>
Was there any "contribution" to the OpenSSL version 1.0.1, the first vulnerable version, by any institutions?
</tinfoil hat>
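The advisory quoted above describes the bug as a missing bounds check in the TLS heartbeat handler, and the post above explains why the leaked bytes matter. Here is an added example (not OpenSSL's code, and not part of this thread) of a heartbeat handler written with that check in place: a record whose claimed payload length is larger than the record itself is discarded instead of being echoed, which is exactly the condition the unpatched 1.0.1 releases failed to test. The RFC 6520 layout and constants are real; the function names and the sample records are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 minimum padding */

/* Handle one heartbeat record of rec_len bytes. On success write the echo
 * response into out and return its length; otherwise return -1 (discard). */
long handle_heartbeat(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                    /* too short, or not a request */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check whose absence was CVE-2014-0160: the peer-supplied length
     * must fit inside the record actually received. Without it the memcpy
     * below reads past the record into whatever sits next in memory, which
     * is the "up to 64k" (65535 max length) the advisory describes. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                    /* RFC 6520: silently discard */

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* echo only what was sent */
    memset(out + 3 + payload, 0, HB_PADDING); /* real code uses random bytes */
    return (long)resp_len;
}

/* Constructed sample records (not captured traffic) for a stand-alone run. */
long demo_wellformed(void)
{
    uint8_t rec[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'}; /* rest = 0 pad */
    uint8_t out[64];
    long n = handle_heartbeat(rec, sizeof rec, out, sizeof out);
    return (n == 23 && out[0] == HB_RESPONSE && !memcmp(out + 3, "ping", 4)) ? n : -2;
}

long demo_malformed(void)
{
    /* Claims 65535 payload bytes but carries one: the shape that leaked memory. */
    uint8_t rec[20] = {HB_REQUEST, 0xFF, 0xFF, 'A'};
    uint8_t out[64];
    return handle_heartbeat(rec, sizeof rec, out, sizeof out);
}
```

Building with -DOPENSSL_NO_HEARTBEATS, the stopgap the advisory mentions, removes the whole extension rather than fixing the check; the check above is what 1.0.1g added.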
25 Apr 2014   #5

Windows 7 64 bit and Windows 7 Starter 32 bit
 
 

Hi. Sorry if this has been posted elsewhere but I can't seem to find it. My question is - do I need to change my password on this site please? (ie did/does it use openssl and if so was it patched and when?) Thanks!
25 Apr 2014   #6

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

No problem, always glad to help.

There is a Sub-Forum in the Chillout Room called Site stuff where you can ask any question concerning anything about SevenForums.

Looking over there I found: Heartbleed: Are we affected? It should allay your fears, and you would be okay to leave your password as is for this site (SevenForums).

~~~ ~~~~ ~~~

As a sidebar,
I notice you have Firefox listed in your System Specs. I have been running https://addons.mozilla.org/de/firefox/addon/foxbleed/ and https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker 3.0 with my Firefox 28.0 and they work well with it.
25 Apr 2014   #7

Windows 7 64 bit and Windows 7 Starter 32 bit
 
 

Thanks very much! That is really helpful. I'll have a look at the add-ons.