Heartbleed update: more than 300,000 web servers are still vulnerable: SSO Alert Priority High
30 June 2014
A vulnerability that allows attackers to steal confidential data from web servers, called Heartbleed, still affects more than 300,000 websites, according to a security researcher tracking the issue.
If you run a website or other online service, you should check whether your website is affected by the Heartbleed vulnerability. If your website is affected, you should update the OpenSSL software on your website’s server to fix the vulnerability.
Users of websites and online services are not expected to test sites themselves. If you are concerned, ask the operator whether the service was affected and when it was fixed; many operators have published statements saying whether they were affected and what they did about it.
Affected services that hold user accounts or personal data should also have users change their passwords, since credentials and session data passing through a vulnerable server may have been captured. Examples include email providers and websites storing personal or credit card details. Ask users to do this only after the fix is in place and the server's certificate has been replaced; a password changed on a still-vulnerable server can be leaked in the same way as the old one.
About the Heartbleed vulnerability
Heartbleed is a flaw in OpenSSL, a widely used software library that implements the SSL/TLS encryption protecting connections to websites and other online services. OpenSSL is bundled with many web servers, mail servers, VPNs and other products, so a server may be running it even if you never installed it yourself.
The flaw lets an attacker read up to 64 kilobytes of the server process's memory with each request, without authenticating and without leaving a trace in normal logs. That memory can hold the server's private key, session cookies, and usernames and passwords from recent requests.
An attacker who repeats the request many times can retrieve a large amount of this data. Security researchers have confirmed in tests that private keys and user credentials can be recovered this way.
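To show why a single malformed message leaks memory, here is an added Python simulation of the heartbeat handling logic, written for this alert rather than taken from OpenSSL or from the original page. It models the RFC 6520 heartbeat message (type, payload length, payload, padding) and the server's receive buffer as a bytes object in which the received record is followed by a constructed secret; the "vulnerable" handler copies as many bytes as the client claims, the "fixed" handler applies the bounds check added in 1.0.1g. The SECRET value and the layout of neighbouring memory are assumptions for the demonstration.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                                   # RFC 6520: at least 16 bytes of padding

# Constructed stand-in for data that happens to sit next to the record in the
# server process's memory; on a real server this could be a private key or cookie.
SECRET = b"session_cookie=deadbeef; Authorization: Basic YWRtaW46aHVudGVyMg=="


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Heartbeat request: type, payload_length, payload, padding. claimed_length lets the sender lie."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


class ServerMemory:
    """The received record followed by neighbouring bytes; record_length is what TLS actually delivered."""
    def __init__(self, record: bytes, neighbour: bytes = SECRET):
        self.buf = record + neighbour
        self.record_length = len(record)


def handle_heartbeat_vulnerable(mem: ServerMemory) -> Optional[bytes]:
    """Mirrors OpenSSL 1.0.1 to 1.0.1f: trusts payload_length from the message and copies that many bytes."""
    hbtype, payload_len = struct.unpack("!BH", mem.buf[:3])
    if hbtype != HB_REQUEST:
        return None
    payload = mem.buf[3:3 + payload_len]           # the missing bounds check: reads past the record
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat_fixed(mem: ServerMemory) -> Optional[bytes]:
    """Mirrors the 1.0.1g fix: silently discard any request whose record cannot hold what it claims."""
    if 1 + 2 + MIN_PADDING > mem.record_length:    # too short even for an empty payload
        return None
    hbtype, payload_len = struct.unpack("!BH", mem.buf[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > mem.record_length:   # claimed payload does not fit
        return None
    payload = mem.buf[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(response: Optional[bytes], sent_payload: bytes) -> bytes:
    """Bytes echoed back beyond the payload the client actually sent."""
    if response is None:
        return b""
    _, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n][len(sent_payload):]


def demo() -> dict:
    honest = build_heartbeat(b"ping")                      # claims 4 bytes, sends 4
    lying = build_heartbeat(b"ping", claimed_length=64)    # claims 64 bytes, sends 4
    return {
        "honest_vulnerable": leaked_bytes(handle_heartbeat_vulnerable(ServerMemory(honest)), b"ping"),
        "lying_vulnerable": leaked_bytes(handle_heartbeat_vulnerable(ServerMemory(lying)), b"ping"),
        "honest_fixed": leaked_bytes(handle_heartbeat_fixed(ServerMemory(honest)), b"ping"),
        "lying_fixed": handle_heartbeat_fixed(ServerMemory(lying)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With an honest request both handlers echo exactly the four bytes sent. With the lying request the vulnerable handler returns the client's own padding followed by the first 44 bytes of SECRET, while the fixed handler returns nothing at all, which is the behaviour RFC 6520 requires and why a patched server gives a probe no reply.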
Stay Smart Online advised about the Heartbleed vulnerability when the flaw was first discovered.
How to check if your website is vulnerable
Recent versions of OpenSSL fix the vulnerability. If you have already tested your server, updated OpenSSL and restarted the services that use it, you do not need to repeat the test. Because a private key may have been read while the server was vulnerable, you should also have your certificate reissued and the old one revoked; updating the software alone does not undo an earlier leak.
Website operators who have not yet tested can perform a simple test at this page. Other online services that use OpenSSL (for example mail or VPN servers) can be tested in the same way by specifying the exact URL of the service.
If your website is vulnerable, update OpenSSL on every affected system and then restart every service that uses it (web server, mail server, VPN and so on); a running process keeps the old, vulnerable code in memory until it is restarted. The method for updating depends on your operating system and configuration; most Linux distributions ship the fix through their normal package updates. Distributions often backport the fix without changing the version number, so a package still reporting 1.0.1e may already be patched: check the package changelog or re-run the test rather than relying on the version string alone. Seek technical assistance if you are unsure of the procedure for updating software on your server.
The Heartbleed vulnerability was introduced in OpenSSL version 1.0.1 (released in March 2012) and fixed in version 1.0.1g, released on 7 April 2014. Versions 1.0.1 to 1.0.1f are affected (as was the 1.0.2-beta1 pre-release); the earlier 1.0.0 and 0.9.8 branches are not affected.
Stay Smart Online provided further details on Heartbleed in an earlier alert and more information is available at Heartbleed.com, including technical information.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.