Heartbleed Bug: The Latest Alerts

Insights on Risks to Mobile Apps, Network Security Products

Mobile applications can be as vulnerable to the Heartbleed bug as websites, warns security vendor Trend Micro. And ICSA Labs stresses that organizations need to review network security products that may also be compromised.

Meanwhile, other technology firms are providing updates on their actions in the wake of the Heartbleed bug, a flaw in OpenSSL, the cryptographic library that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).

For example, IT hosting company Rackspace is helping clients patch systems, while application performance and Web security firm Akamai and online currency Bitcoin have announced mitigation steps.

In a blog, Trend Micro states that mobile applications are just as vulnerable to the Heartbleed bug as websites "because apps often connect to servers and Web services to complete various functions."

The company scanned about 390,000 apps from the Google Play app store and found 1,300 apps were connected to vulnerable servers. "Among them are 15 bank-related apps, 39 online payment-related and 10 online shopping related," Trend Micro says. Also vulnerable, the company says, are "several popular apps that many users would use on a daily basis, like instant messaging apps, healthcare apps, keyboard input apps - and most concerning, even mobile payment apps."

The company is urging app users to refrain from conducting in-app purchases or other financial transactions until the app developers release patches that mitigate the vulnerability.

Ensuring Network Security

Third-party product assurance firm ICSA Labs, an independent division of Verizon, says organizations also need to be aware that certain network security products are vulnerable to the Heartbleed bug.

"To put this into perspective, any product that uses OpenSSL or one of its variants to create a secure connection is potentially at risk," says Brian Monkman, ICSA Labs' technology programs manager, in a blog. "This could mean, for example, a network firewall with an outward facing administrative interface that uses an HTTPS connection may be vulnerable, or a Web application firewall that has SSL termination functionality may also be vulnerable."

ICSA Labs is notifying all the vendors in its network security programs that it will be testing the certified versions of their in-market products to determine whether or not their products are currently vulnerable to Heartbleed. "Even vendors who assert their products are not vulnerable will be tested," Monkman says. "Our mantra is trust but verify."

Patching Servers

Meanwhile, Rackspace is working to patch the systems of all customers whose servers the vendor can access, unless the clients have specifically noted that they do not want their systems patched.

Once servers are updated, Rackspace recommends generating new keys for SSL certificates and having them re-issued. Additionally, organizations should reset critical passwords in Web applications and in the base operating system, says Major Hayden, the company's chief security architect.

Akamai Takes Action

Akamai is taking steps to mitigate the Heartbleed vulnerability. "We, like all users of OpenSSL, could have exposed passwords or session cookies transiting our network from August 2012 through April 4, 2014," says Andy Ellis, the company's chief security officer, in a blog.

An independent researcher contacted Akamai over the weekend of April 12, following Ellis' statement, regarding defects in the software the company uses for memory allocation around SSL keys.

"In short: we had a bug," Ellis says in a second blog. "An RSA key has six critical values; our code would only attempt to protect three parts of the secret key, but does not protect three others. As a result, we have begun the process of rotating all customer SSL keys/certificates. Some of these certificates will quickly rotate; some require extra validation with the certificate authorities and may take longer."
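As an added illustration of why the three unprotected values are as sensitive as the three protected ones (this is example code, not Akamai's), the block below builds a toy RSA key from constructed textbook-sized primes and shows that the public key plus a single CRT exponent, dp or dq, is enough to recover a prime factor and, from it, the whole private key. The function names and the sample primes are my own.

```python
# Added example (not Akamai's code): the six secret values of an RSA private
# key (d, p, q, dp, dq, qinv) are interdependent, so leaving dp, dq or qinv
# unprotected in memory is as damaging as leaving d, p or q unprotected.

def private_components(p, q, e):
    """Derive all six secret values of an RSA private key from p, q and e."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent
    return {
        "d": d, "p": p, "q": q,
        "dp": d % (p - 1),       # CRT exponent for p
        "dq": d % (q - 1),       # CRT exponent for q
        "qinv": pow(q, -1, p),   # CRT coefficient, q^-1 mod p
    }

def factor_from_crt_exponent(n, e, d_x):
    """Recover a prime factor of n from one CRT exponent (dp or dq) and e.

    e*dp == 1 (mod p-1) means e*dp - 1 = k*(p-1) for an integer 0 < k < e,
    so trying every k (cheap for a normal public exponent) reveals p.
    """
    t = e * d_x - 1
    for k in range(1, e):
        if t % k == 0:
            cand = t // k + 1
            if 1 < cand < n and n % cand == 0:
                return cand
    return None

def recover_private_key(n, e, d_x):
    """Rebuild the full private key from the public key and one leaked CRT exponent."""
    f = factor_from_crt_exponent(n, e, d_x)
    if f is None:
        return None
    p, q = max(f, n // f), min(f, n // f)   # normalise so p > q
    return private_components(p, q, e)

if __name__ == "__main__":
    # Constructed toy key (textbook primes, not a real key).
    P, Q, E = 61, 53, 17
    key = private_components(P, Q, E)
    print("full key recovered from dp alone:", recover_private_key(P * Q, E, key["dp"]) == key)
    print("full key recovered from dq alone:", recover_private_key(P * Q, E, key["dq"]) == key)
```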

Bitcoin Addresses Bug

Online currency Bitcoin is advising its users to upgrade to an updated version of its software, warning that the earlier version could lead to compromised wallets. A wallet is the software through which a user transacts with other Bitcoin users.

Bitcoin.org says version 0.9.0 of the Bitcoin Core software contains a version of OpenSSL that's vulnerable to the Heartbleed bug. So it advises users to immediately upgrade to Bitcoin Core version 0.9.1.

Additionally, Android version 4.1.1 is vulnerable to Heartbleed, according to Bitcoin.org, which advises upgrading to at least Android 4.1.2. "If you are using Bitcoin Wallet on an Android phone, you should upgrade the [Bitcoin] app to at least version 3.45."


About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.