As the Heartbleed fallout continues, the good news is that code to fix the problem in OpenSSL has been released. The bad news is that exploit code is also available.
Let's start with the latter, released by a chap who took up Cloudflare's challenge to coders in the hope that someone, somewhere, would be able to use Heartbleed to extract a private SSL key from an undefended server the company had set up.
The OpenSSL flaw named Heartbleed is pretty huge. Many of us in the computer security industry are prone to hyperbole when a big exploit in a popular piece of software is announced, but I can't put it any better than Bruce Schneier did when he said, "On the scale of 1 to 10, this is an 11."
The Heartbleed Bug, a flaw in OpenSSL that would let attackers eavesdrop on Web, e-mail and some VPN communications, is a vulnerability that can be found not just in servers using it but also in network gear from Cisco and Juniper Networks. Both vendors say there's still a lot they are investigating about how Heartbleed impacts their products, and to expect updated advisories on a rolling basis.
Juniper detailed a long list in two advisories, one here and the other here. Cisco acted in similar fashion with its advisory.
Microsoft's demand that Windows 8.1 users install this week's major update was another signal that the company is very serious about forcing customers to adopt its faster release strategy, experts said today.
"Microsoft is going to drag organizations and users into this new world of faster updates kicking and screaming," said Michael Silver of Gartner in an email. "Microsoft wants users to trust it to keep their systems updated. Maybe they figure forcing organizations to deploy [Windows 8.1 Update] will get them used to taking updates and keeping current."