By "Kunal Vohra", Director@H2K
Heartbleed has left a worst impression worldwide affecting millions of websites and is also supposed to put millions of Smartphones and tablets users at a great risk.
Heartbleed is a critical bug (CVE-2014-0160) in the popular OpenSSL cryptographic software library, that actually resides in the OpenSSL's implementation of the TLS/DTLS heartbeat extension, which allows attackers to read portions of the affected server’s memory, potentially revealing users data such as usernames, passwords, and credit card numbers, that the server did not intend to reveal.
OpenSSL is a widely-used cryptographic library which implements the SSL and TLS protocol and protects communications on the Internet, and mostly every websites use either SSL or TLS, even the Apache web server that powers almost half of the websites over internet utilizes OpenSSL.
But to assume that the users using desktop browsers to visit websites are vulnerable to the Heartbleed bug, will be wrong. Despite 40-60 billion active Smartphone applications may be sharing some of those same servers or connect to their own group of servers that may also be compromised.
ANDROID [STATUS: NOW PATCHED]
Google wrote in an update on its Online Security blog on Wednesday, emphasizing that Android was not vulnerable to the Heartbleed bug, except for a very specific version and can you guess that so called specific version??
Android 4.1.1 Jelly Bean, the one which makes up the majority of Android devices around the world, and which relies on the vulnerable version of OpenSSL.
Google didn’t reveal the actual figure that are vulnerable to the bug, but according to the latest dashboard released by Google, it is estimated that around 34.4% of the Android devices in use today are running the Android 4.1.x version.
Even last September Google announced that it had activated one billion devices. This means that the minimal number is likely to be in the millions. So, one can imagine how many Smartphones and tablets were at risk.
Well, Google has released the patches for Android 4.1.1 which is being distributed among the Android partners.
APPLE [STATUS: NOT AFFECTED]
Apple users can be relaxed knowing that their devices running iOS and OS X are not affected by the most critical security flaw, Heartbleed.
"Apple takes security very seriously. IOS and OS X never incorporated the vulnerable software and key web-based services were not affected," Apple told Re/code.
Instead using OpenSSL, Apple relies on different SSL/TLS libraries called Secure Transport, which was hit by its own very serious bug in February outcropping the possibility for man-in-the-middle (MitM) attacks— though it wasn't as dangerous as the recent OpenSSL Heartbleed security Flaw.
But still Apple users were not exempted completely, as the users using BBM for private messages on iOS might have been vulnerable to this flaw.
BLACKBERRY [STATUS: VULNERABLE]
Blackberry confirmed that some of its products, including Secure Work Space for iOS and Android, and BlackBerry Link for Windows and Mac OS and even BBM for iOS and Android were vulnerable to the Heartbleed security flaw. The figure of affected users is not least, as about 80 million people use BBM service.
They have also assured that BlackBerry Smartphones and tablets, BlackBerry Enterprise Server 5, BlackBerry Enterprise Service 10, and the BlackBerry Infrastructure are not affected by the flaw and are fully protected.
No comments:
Post a Comment