The recent OpenSSL vulnerability CVE-2014-0160, or “Heartbleed” is affecting millions of SSL-enabled web servers worldwide; estimates are somewhere between 60% and 80% of servers are affected by the deadly bug. It’s the perfect example of a worst-case scenario: Heartbleed gives attackers the ability to reveal your server’s private SSL key by recovering just enough SSL key material.
We’re fortunate to announce that Thycotic has remained completely unaffected by this vulnerability, as our solutions are built on a Microsoft stack that doesn’t use any form of SSL technology. Our customers and partners can rest assured. However, it’s important to let others know what they can do to avoid an attack during this time.
While many tech news and media sites are advising consumers to rapidly change all web passwords that may have been affected by the Heartbleed bug, there’s still a risk for IT administrators, web admins and developers managing servers affected by the vulnerability. Question is… how do you prevent an attack while vulnerable?
Keep servers safe during Heartbleed
Website administrators were advised to patch their OpenSSL libraries on their servers to address the problem. But Heartbleed goes deeper than just patching OpenSSL. OpenSSL includes a general purpose API that software developers can use as part of their software. This is where static linking comes into play.
Static linking. Developers may choose to statically link to OpenSSL. Static linking allows developers to include OpenSSL within their software and it becomes embedded at compile time. Since the OpenSSL library is embedded in the software, upgrading the OpenSSL package on the operating system alone won’t update the OpenSSL version that software programs may have linked to statically.
Update all software, not just SSL. It is highly advisable that all software that makes use of OpenSSL technology be updated. Software vendors that statically link to OpenSSL should release updates for their software immediately by using a patched version of OpenSSL.
Keep clear, steady communications with customers. Make sure that as you’re updating systems and sending patches you’re also communicating these actions with your customers regularly. Consumers are rapidly changing web passwords and scrambling to protect their most valuable, personal data. Clear communications to your customer base (whether consumer or business) will help everyone stay on the same page and mitigate the most risk by using best practices during this time.