'Heartbleed Bug' crawls past OpenSSL to impact servers

The Heartbleed Bug makes millions of servers vulnerable

A serious flaw has been uncovered in security software that is being used by millions of servers worldwide.

The flaw, dubbed the "Heartbleed Bug", affects OpenSSL and, if exploited, could expose the information of anyone visiting an affected website.

OpenSSL is a cryptographic software library that provides Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protection for communication applications over the Internet, such as the Web, email, instant messaging and some virtual private networks.

The issue was uncovered by researchers from Google and Codenomicon.

Attack on memory

Heartbleed leaves the memory of the systems protected by vulnerable versions of OpenSSL software open to viewing by attackers.

According to Codenomicon, attackers who access this memory are able to uncover "the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content."

Anyone exploiting the Heartbleed Bug would potentially be able to access security keys, usernames and passwords, instant messages, emails and business-critical documents and communication.

Exploiting the flaw leaves no trace, so it is not clear whether attacks have taken place or how many may have taken place. The issue is particularly problematic because the flaw is present across a number of versions of OpenSSL, not just one.

"Biggest threat"

The BBC reported Ken Munro, a security expert at Pen Test Partners, as saying, "It's the biggest thing I've seen in security since the discovery of SQL injection."

A fixed version of OpenSSL has been released and must be deployed in order to secure the software. Codenomicon advises that end-users of services that may have been affected should be notified.

Codenomicon has created a website that provides more information about the Heartbleed Bug.