News Web hit by OpenSSL 'Heartbleed' vulnerability

Discussion in 'Article Discussion' started by Gareth Halfacree, 8 Apr 2014.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    9,419
    Likes Received:
    307
  2. bigc90210

    bigc90210 Teh C

    Joined:
    7 Oct 2003
    Posts:
    1,183
    Likes Received:
    50
    This is the reason the Minecraft login servers are down :/
     
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    9,419
    Likes Received:
    307
    Any company that doesn't take its vulnerable servers down until they're patched (yes, like you, Yahoo, you naughty little company you) is doing its customers a distinct disservice; I can't stress enough how serious this vulnerability is. We're talking the keys to the kingdom, here; total and unfettered (read-only, I'll grant you) access to the contents of RAM. The sysadmin in me is puckering up just thinking about it.
     
  4. bigc90210

    bigc90210 Teh C

    Joined:
    7 Oct 2003
    Posts:
    1,183
    Likes Received:
    50
    Absolutely agree, they've just announced on Twitter that the servers are coming back up now

    Sent from my GT-I9505 using Tapatalk
     
  5. Umbra

    Umbra New Member

    Joined:
    18 Nov 2013
    Posts:
    636
    Likes Received:
    17
    Would NSA/GCHQ tell anyone if they knew?
     
  6. mi1ez

    mi1ez Active Member

    Joined:
    11 Jun 2009
    Posts:
    1,374
    Likes Received:
    12
    Oh, wow.
     
  7. r3loaded

    r3loaded Well-Known Member

    Joined:
    25 Jul 2010
    Posts:
    1,095
    Likes Received:
    31
    Definitely not. It's impossible to know whether they knew about this bug beforehand, but at least we're lucky now that a security researcher discovered this one.
     
  8. will_123

    will_123 Small childs brain in a big body

    Joined:
    2 Feb 2011
    Posts:
    1,060
    Likes Received:
    15
    As I'm aware, OpenBSD was not actually affected due to the way they have implemented memory allocation in BSD. Instead of leaking the memory it initiates a dump file or crash, I think. In my very first job at the NHS as a student sysadmin my manager swore by BSD. Maybe he was right!

    Very interesting link below: mail thread with the OpenBSD founder replying.

    Mail Thread
     
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    9,419
    Likes Received:
    307
    Sadly, if you re-read the link, you'll see that OpenBSD (and all other BSDs shipping affected OpenSSL variants) was affected. Basically, there is exploit mitigation in malloc which means that OpenSSL should crash instead of revealing its secrets; unfortunately, there's exploit mitigation mitigation in OpenSSL that means malloc doesn't get a look-in. (Basically, for performance reasons on one unnamed platform, a coder added internal caching to OpenSSL which bypasses malloc - meaning that the crash-instead-of-leaking feature never gets used, and the data is leaked instead.)
     
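    Added illustration of the point in the post above (constructed example, not OpenSSL or OpenBSD code): a buffer recycled through an internal freelist keeps its previous contents, whereas an allocator that junks memory on free, which is the kind of mitigation described above, leaves nothing to recover. The freelist, buffer size and "secret" string are all made up for the demonstration.

    ```c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* Constructed model, not OpenSSL's allocator: a one-slot freelist that
     * recycles a buffer without clearing it, next to a "scrub on free" path
     * that stands in for an allocator which junks freed memory. */

    #define BUF_SZ 64
    #define SECRET "SECRET-SESSION-KEY"   /* constructed sensitive data */

    static unsigned char *freelist_slot = NULL;   /* the cached buffer */

    /* Cache-backed allocation: hands the recycled block back untouched,
     * so the system allocator never sees the free/alloc cycle. */
    unsigned char *cache_alloc(void) {
        if (freelist_slot) {
            unsigned char *p = freelist_slot;
            freelist_slot = NULL;
            return p;
        }
        return malloc(BUF_SZ);
    }

    /* Freelist free: no clearing, the old bytes stay in place. */
    void cache_free(unsigned char *p) { freelist_slot = p; }

    /* Scrubbing free: overwrite before the block can be handed out again. */
    void scrub_free(unsigned char *p) {
        memset(p, 0xdf, BUF_SZ);
        freelist_slot = p;
    }

    /* Returns 1 if a "fresh" allocation still carries the earlier secret. */
    int stale_secret_survives(int scrub) {
        unsigned char *buf = cache_alloc();
        memcpy(buf, SECRET, sizeof SECRET);
        if (scrub) scrub_free(buf); else cache_free(buf);
        unsigned char *reuse = cache_alloc();   /* same block comes back */
        int leaked = memcmp(reuse, SECRET, sizeof SECRET) == 0;
        free(reuse);
        return leaked;
    }

    int main(void) {
        printf("freelist reuse leaks old data: %d\n", stale_secret_survives(0));
        printf("scrub-on-free leaks old data:  %d\n", stale_secret_survives(1));
        return 0;
    }
    ```
    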
  10. will_123

    will_123 Small childs brain in a big body

    Joined:
    2 Feb 2011
    Posts:
    1,060
    Likes Received:
    15
    Ah, I misinterpreted it!

    Cheers.
     
  11. RTT

    RTT #parp

    Joined:
    12 Mar 2001
    Posts:
    14,105
    Likes Received:
    68
    What's crap is that it's widely understood and considered that OpenSSL is a bit of a mess - and the team who run it aren't exactly open to accepting any help. A choice quote from a thread on r/programming:

    ... which is a shame, because while you probably wouldn't want any old joe submitting patches to such sensitive software, you absolutely could have less-qualified/trusted/whatever engineers start to unit test & fuzz-test the heck out of it
     