

Windows 7: Heartbleeding Out: Internet Security Bug Even Worse Than First Believe


13 Apr 2014   #1

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 
Heartbleeding Out: Internet Security Bug Even Worse Than First Believe

Quote:
The Heartbleed Internet security bug is shaping up to be worse than researchers first realized, possibly compromising routers and other networking infrastructure for a variety of companies.

Cisco, one of the world’s top networking equipment manufacturers, confirmed Thursday that it’s investigating dozens of its routers and video teleconferencing devices and software for the Heartbleed vulnerability. Juniper Networks, another top networking company, has also alerted clients some of its equipment has been compromised by Heartbleed. A message posted to Juniper’s service website Friday said many of its systems would be offline through Saturday while the company performs maintenance.
Source

A Guy


13 Apr 2014   #2

Microsoft Windows 7 Home Premium 64-bit Service Pack 1
 
 

Ummm ... Are generic modem-routers affected too? Because, that's what I use to connect the whole home network with!
13 Apr 2014   #3

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

It's mostly enterprise routers it seems. Juniper and Cisco have lists.

The Heartbleed bug is affecting routers, too

Heartbleed bug affects gadgets everywhere - Apr. 11, 2014

Quote:
Linksys posted a bulletin on their website stating: ” We are aware of the Heartbleed OpenSSL vulnerability, however after thorough testing of our product lines, we can confirm that our routers are not impacted. Linksys routers do use OpenSSL, however our product line uses another version that is not impacted by this vulnerability.”
Heartbleed Bug Is Also Affecting Routers

A Guy


13 Apr 2014   #4

Windows 7 ultimate 64-bit
 
 

What about us normal residential users? Does it say it's affecting those types of routers as well?
13 Apr 2014   #5

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

As I posted above, those 3 manuf. are only ones listing so far. Most of those are enterprise. Doesn't mean our home devices are secure. A Guy
15 Apr 2014   #6

Windows 7 64-bit, Windows 8.1 64-bit, OSX Maverick
 
 

The vulnerable version of OpenSSL was released about two years ago. Provided your router's firmware is older than two years and had not been updated, your router is not vulnerable to this bug. Regardless what the manufacturer/OEM might be...

Activating stealth mode for the router's external interface, a.k.a. block any request initiated from the outside to this interface, would be one of the mitigating measures that you can take if the router is vulnerable to this bug. At least until the updated firmware is available.
18 Apr 2014   #7
Microsoft MVP

Windows 7 Ultimate X64 SP1
 
 

I have just received this email from Norton.

Quote: Originally Posted by Norton
You’ve likely heard of Heartbleed over the past week. We wanted to share a bit about what it is, steps we have taken to protect our customers and steps you can take to protect yourself across the Web.

Some versions of Norton AntiVirus, Norton Internet Security and Norton 360 were impacted. On April 10th, we distributed updates to these impacted products to stop and block Heartbleed. Norton Accounts used to sign into Norton.com were not impacted. Please refer to our FAQ for more information on how we’re defending against this vulnerability.

Why Heartbleed affects everyone on the Internet

Heartbleed is a bug in some versions of OpenSSL, a set of software tools used widely across the Web for security. This bug may reveal your name, passwords and other private information.

If you visited a website that uses a vulnerable version of OpenSSL during the last two years, your personal information may be compromised. You can use this tool: http://safeweb.norton.com/heartbleed to check if a particular website is currently impacted.

How to protect yourself

Due to the complex nature of this vulnerability, changing your passwords before sites update their version of OpenSSL won’t fully protect you. Here are some simple steps you can take as a precaution:


•Change your passwords on any website that contains sensitive information about you. You should first confirm that the site does not contain the Heartbleed vulnerability by using this tool.
•If you’ve reused passwords on multiple sites, it’s especially important to change them. To change your Norton Account password, visit manage.norton.com and click Account Information.
•Beware of phishing emails and type website addresses directly in your browser instead of clicking on a link through an email.
•Monitor your bank and credit card accounts for unusual activity.

It may take an extended period of time for all the sites affected by Heartbleed to fix this vulnerability. To determine if a website is vulnerable to Heartbleed, use this tool. We recommend you only exchange personal or sensitive information such as your credit card number if the site is not affected by Heartbleed.

You can learn more about Heartbleed and its impact to consumers by checking out our FAQ or by following the Norton Protection Blog.

Stay Safe Online

Norton
18 Apr 2014   #8

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

Quote: Originally Posted by Britton30
I have just received this email from Norton.
I got the same eMail, was going to post it, as you did... about the same time you did, but after some research, I decided just to delete the msg.

If you roll over the links in the eMail, they all point to response.nortonfromsymantec.com - this concerned me. The other fishy thing was the domain checking (bad) in the msg header.

It took about an hour to find that nortonfromsymantec.com is a URL Norton uses to market their product.
Norton support: Is this email that I received from Norton legitimate?

Lots of the same questions over on the norton boards : E-mail from Norton about Heartbleed legitimate? - Norton Community

Bugged the hell out of me since I can't recall the last time I used Norton or gave them my eMail address.

Now the logical thing to do would be to unsubscribe from Norton Marketing.... tried one time, but it requires a login - beats me what I used way back when. There are other means to unsubscribe (postMail, POTS, eMail, online contact).....the privacy policy is very looooong
Privacy | Symantec


Anyway, thanks for posting this, I'm still not 100% certain that it is legit.

Best practice - trash anything that smells funny and then take out the trash.

Bill
18 Apr 2014   #9
Microsoft MVP

Windows 7 Ultimate X64 SP1
 
 

It's all legit.
18 Apr 2014   #10

x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
 
 

Quote: Originally Posted by heartbleed.com
The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
more...

Quote: Originally Posted by openSSL.org
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley of chromium.org and Bodo Moeller of acm.org for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

https://www.openssl.org/news/secadv_20140407.txt



You can check your home router using the Windows 7 Telnet client

Directions compliments of Asustek (modified to fit your screen)

How to check the OpenSSL version.

1: Enable the telnet in firmware of your router

2: Enable the Telnet client in Windows 7
*Telnet is disabled by default in Windows 7. See: Windows 7: Enabling Telnet Client - TechNet Articles

3: Telnet into router
Elevated command Prompt
Telnet
open 192.168.1.1 (or your router address)
answer the login prompts
Enter the command
openssl version -a
4: close the connection

5: quit Telnet

6: exit Command Prompt

..........

The router I have returned an error on the openssl version -a command - a not found error I suppose.

More information from Asustek:
The vulnerable OpenSSL libraries are 1.0.1 through 1.0.1f.

(1) Before last week, Asustek firmware used OpenSSL 1.0.0b, in two-three weeks the firmware OpenSSL library will upgrade to 1.0.1g (the g rls is the patched version)

(2) ASUS routers use OpenSSL for HTTPS login and smart sync with asuswebstorage

(3) Refer to the Heartbleed Bug, and https://www.openssl.org/news/secadv_20140407.txt
(which is where I found the above info)

1.0.0 branch is NOT vulnerable
(Note: Emphasis and parenthetical notes are mine.)



There's not a whole lot we mere mortals can do about heartbleed.

When the servers and other affected equipment get updated or replaced - change your passwords, BUT don't use the same password everywhere.

Bill
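
Added example, not part of the post above or of Asustek's directions: a POSIX shell function that takes the text printed by `openssl version -a` and classifies it against the versions named in the quoted OpenSSL advisory and the Asustek note. The function name `heartbleed_status` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify `openssl version -a` output for CVE-2014-0160 using the ranges
# quoted in the thread: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected,
# 1.0.1g is the fixed release, the 1.0.0 branch is not vulnerable.
# heartbleed_status is a hypothetical helper name, not an OpenSSL tool.

heartbleed_status() {
    out=$1
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013"; take the version field.
    ver=$(printf '%s\n' "$out" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p' | head -n 1)
    # No version line (e.g. "not found"): the CLI is absent, which says
    # nothing about whether the firmware links the OpenSSL library.
    [ -n "$ver" ] || { echo "unknown"; return 0; }

    case $ver in
        1.0.1|1.0.1[abcdef]|1.0.2-beta1)
            # A build made with -DOPENSSL_NO_HEARTBEATS has no heartbeat
            # code; the flag is visible when "compiler:" lists build flags.
            case $out in
                *-DOPENSSL_NO_HEARTBEATS*) echo "mitigated $ver" ;;
                # Vendors that backport the fix may keep the old letter, so
                # confirm with the vendor bulletin and the "built on:" date.
                *) echo "affected $ver" ;;
            esac ;;
        1.0.1[g-z])   echo "fixed $ver" ;;
        0.9.*|1.0.0*) echo "not-affected $ver" ;;  # branches without heartbeat
        *)            echo "unlisted $ver" ;;      # not named in the advisory
    esac
}

# Constructed sample outputs (not captured from real devices).
SAMPLE_OLD='OpenSSL 1.0.0b 16 Nov 2010
built on: Tue Nov 16 00:00:00 UTC 2010
compiler: gcc -DOPENSSL_THREADS -O3 -Wall'
SAMPLE_VULN='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 00:00:00 UTC 2013
compiler: gcc -DOPENSSL_THREADS -O3 -Wall'
SAMPLE_NOHB='OpenSSL 1.0.1f 6 Jan 2014
built on: Wed Apr  9 00:00:00 UTC 2014
compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3 -Wall'

for sample in "$SAMPLE_OLD" "$SAMPLE_VULN" "$SAMPLE_NOHB"; do
    heartbleed_status "$sample"
done
```

On a device, pass the real output in with `heartbleed_status "$(openssl version -a 2>&1)"`.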