Heartbleed bug
#1
The Heartbleed computer vulnerability is caused by the heartbeat command in some versions of OpenSSL returning far more data from the web server to the client than it should.
This can be exploited by a malicious user to get the web server to send large portions of its RAM content back to the user, including sensitive information such as user IDs, passwords, encryption keys and credit card numbers.

Only web sites that have the https protocol enabled and are using the v1.0.1 or v1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
The Heartbleed vulnerability has been patched in OpenSSL v1.0.1g. It will also be patched in the forthcoming v1.0.2-beta2 release.
The OpenSSL software is a ubiquitous software component that is installed on an estimated 2/3 of all the web servers on the Internet.

From the OpenSSL.org web site:
Quote: CVE-2014-0160: 7th April 2014

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.

Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)

You can test if an https-enabled web site that you use has the vulnerability by typing in its URL in the box provided on this web page:
http://filippo.io/Heartbleed/


Read more here:
What you need to know about Heartbleed
'Heartbleed' computer bug threat spreads to firewalls and beyond
Never underestimate the power of human stupidity.
- Robert A. Heinlein
Reply
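The bounds check that the OpenSSL advisory quoted in post #1 describes as missing, shown as an added example that is not part of the original posts and is not OpenSSL's own code. It assumes the RFC 6520 heartbeat layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the function names and sample records are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; layout follows RFC 6520. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16  /* minimum padding the RFC requires */

/* Constructed sample records (not captured traffic); unset bytes are zero padding. */
static const uint8_t HB_OK[23]  = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_BAD[19] = {HB_REQUEST, 0xff, 0xff}; /* claims 65535 bytes, carries none */

/* Payload length the sender claims (big-endian field at offset 1). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the end of the record that an unchecked echo would copy.
 * Pure arithmetic: nothing is read out of bounds here. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t end = HB_HEADER + hb_claimed_len(rec);
    return end > rec_len ? end - rec_len : 0;
}

/* Bounds-checked handler: writes the response into out and returns its
 * length, or 0 when the record must be silently discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;           /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_claimed_len(rec);
    if (HB_HEADER + payload + HB_PADDING > rec_len) return 0; /* claimed length exceeds record */
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);        /* copies only bytes actually received */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);         /* real implementations use random padding */
    return resp_len;
}

int main(void) {
    uint8_t out[64];
    printf("well-formed: %zu bytes; malformed: %zu bytes, unchecked over-read %zu bytes\n",
           hb_respond(HB_OK, sizeof HB_OK, out, sizeof out),
           hb_respond(HB_BAD, sizeof HB_BAD, out, sizeof out), hb_overread(HB_BAD, sizeof HB_BAD));
}
```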
#2
Researchers detected a vulnerable flaw by the name “Heartbleed” phishing scam in the most popular security encryption OpenSSL.
http://rankhive.com/security-risk-heartb...hing-scam/
Reply