Skip to main content

Google ties Heartbleed tourniquet to most key services

Google Heartbleed
All clear for Google services

It's likely to be a long week for IT professionals dealing with the aftermath of Heartbleed, the OpenSSL security flaw discovered earlier this week - but team Google appears to have a good handle on it for now.

The Google Online Security Blog announced patches to many key Google services affected by Heartbleed, the security bug discovered April 7 that potentially allows for theft of data typically protected by SSL/TLS encryption.

"We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected," explained Google Product Manager Matthew O'Connor in the post.

The company's security experts are still working to patch "some other Google services" affected by CVE-2014-0160, the official name for the OpenSSL flaw which has been dubbed "Heartbleed."

Android immunity

Google's security team also made it clear that the Android operating system is largely immune to Heartbleed, with the exception of Android 4.1.1, although the company is already distributing a patch to partners for that version.

Google Cloud Platform and Google Search Appliance customers are also having Heartbleed purged from their services, with an update on the latter expected to arrive within 24 hours for enterprise customers.

Security engineers are also currently busy patching Cloud SQL, with fixes expected to roll out today and tomorrow; in the meantime, Google has posted instructions on how to whitelist IP addresses to prevent unknown hosts from accessing them.

Although many companies are encouraging users to reset their passwords, security experts recommend waiting until fixes are in place to eradicate the Heartbleed flaw. The status of any domain name can be checked absolutely free from the Qualys SSL Labs website.