Son of Heartbleed poses a major new threat to the internet

OptionsBleed is the name of a major new vulnerability which potentially exposes data from servers in much the same way that Heartbleed did a few years back.

If you recall, Heartbleed was the critical bug which made headlines in 2014, a vulnerability in OpenSSL which could be exploited to (relatively) easily pilfer data from a server (including the likes of security keys, usernames and passwords, and other sensitive details).

OptionsBleed is different in that it’s a bug in the Apache Web Server (as opposed to OpenSSL) leveraged by making HTTP OPTIONS requests (hence the name) in order to potentially cause data leakage as Heartbleed did.

The problem was first uncovered by security researcher Hanno Böck, but the good news is it’s far less widespread and serious than Heartbleed was.

As security firm Sophos reports, Böck’s testing found 466 incidents of OptionsBleed leakage across a million web servers; given that around 40% of those would likely be running Apache, that means the bug was triggered on only 0.12% of the systems that could have been affected.

Deliberate provocation

Still, we shouldn’t underestimate the potential havoc that OptionsBleed could wreak, particularly now that knowledge of it has become widespread.

As Sophos observes: “It’s important to remember that on a server that’s hosting many different domains for many virtual hosts in many different directory trees, one malevolent customer could provoke this bug by deliberately setting an invalid option in their own .htaccess, and then repeatedly visiting one of their own URLs to see what data might leak out.”
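As an added example (not code from the article, Sophos or the Apache project), here is a defender-side check for the leak described above: OptionsBleed shows up as junk in the Allow header of an OPTIONS reply, so an administrator can parse that header from their own server's responses and flag anything that is not a well-formed HTTP method name. The two sample responses, the method list and the helper names are constructed for this illustration.

```python
"""Added example (not from the article): spot OptionsBleed-style leakage in
an OPTIONS reply. The bug surfaces as junk in the Allow header: instead of
only method names the header carries fragments of freed memory. Both sample
responses below are constructed; the "leaked" bytes are made up."""
import http.client
import re

# Methods a well-behaved Apache (incl. WebDAV modules) may legitimately list.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}
# RFC 7230 "token" characters; a method name can contain nothing else.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

CLEAN_RESPONSE = ("HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
                  "Content-Length: 0\r\n\r\n")
LEAKY_RESPONSE = ("HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,"
                  "text/html; charset=utf-8,\x00\x8aHTTP/1.\r\n"
                  "Content-Length: 0\r\n\r\n")

def allow_header_of(raw_response: str) -> str:
    """Return the Allow header value from a raw HTTP response ('' if absent)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return value.strip()
    return ""

def suspicious_allow_tokens(allow_value: str) -> list[str]:
    """Entries of an Allow header that are not recognised HTTP methods.
    Non-token characters ('/', ';', ':', control bytes) are the clearest
    sign of leaked memory; an unknown but well-formed name is only unusual."""
    tokens = [t.strip() for t in allow_value.split(",")]
    return [t for t in tokens
            if t and (not TOKEN_RE.match(t) or t.upper() not in KNOWN_METHODS)]

def probe_own_server(host: str, path: str = "/", rounds: int = 20) -> list[str]:
    """Send OPTIONS to a server you administer several times (the leak is
    intermittent) and collect every suspicious Allow token. Not run here."""
    found = []
    for _ in range(rounds):
        conn = http.client.HTTPConnection(host, timeout=5)
        conn.request("OPTIONS", path)
        found += suspicious_allow_tokens(conn.getresponse().getheader("Allow") or "")
        conn.close()
    return found
```

Run `probe_own_server` against a host you are responsible for before and after applying the patch; an empty result over many rounds is what a fixed server should produce.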

A patch for the vulnerability is available from the Apache source code servers, but we’ve heard no official word from Apache on this matter yet, and it’s uncertain whether this fix is the best route to take – as you’ll need to apply the patch manually. Hopefully we’ll get an official security update from Apache before long.