HeartBleed is probably the most devastating bug ever found, the very organization or company is making moves to mitigate its effect in any case. The bug which is solely not in the OpenSSL, a cryptography library, but in the way its being implemented, is capable of stealing X.509 certificates and stored credentials from a server.
Although the risk is still there, Google announced that they had patched bug at all of its services including Gmail and YouTube. Google in a blog post said, “You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine and Earth. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services.”
Google security team is also working to patch other services from the company, one of them is Cloud SQL. Google is currently fixing the service and in the coming days it would be up and running.
Google said, ” We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances.”
“HeartBleed”, which was discovered by a few security researchers, can allow an attacker to read and manipulate the data being transferred under an encrypted channel. Although the patch for it is already out, security researchers are asking everyone to change the password for every website they use. But changing the password would not be enough, one need to enable the two-way authentication — if available. In some cases an attacker can reset the password by providing the previous one.
Leave a Reply