Friday, June 6, 2014

Heartbleed Bug Part 3.
OR: More OpenSSL Shoes Keep Dropping
And They Hurt!

--

[Updated June 7th at ~10:45 am, thanks to assistance from my colleague Al Varnell.]

I've been delaying writing up another sequel in my Heartbleed Bug series of articles. Today's revelations kicked me back into gear. This is insane and soooo disappointing:

Stop. Put down the cup. Six new bugs found in OpenSSL – including a hole for snoopers
On a scale of 1 to Heartbleed, this is a 7

I could link to more professional reports of this new OpenSSL mess. But the subject deserves The Register's harsh *snark* treatment. (O_o)
OpenSSL today pushed out fixes for six security vulnerabilities – including a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.
[Expletives Deleted], this is awful

Here is the list of security holes:

https://www.openssl.org/news/secadv_20140605.txt

The worst of these six holes, quoting The Register:
A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software on apps or servers.
. . . .

An SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is arguably worse.
. . . . 
All OpenSSL users should be updating.
For Mac users, the ramification is that Apple has some patching to do! At this time, Apple uses OpenSSL v0.9.8y, which has the CVE-2014-0195 security hole. That's very bad. Apple has to patch EVERY version of OS X, including 10.9.3. Hopefully, the upcoming 10.9.4 update will have either updated or entirely removed OpenSSL.

As of OS X 10.7.x, Apple deprecated OpenSSL in favor of Common Crypto. However, Apple still has OpenSSL v0.9.8y within OS X for occasions when Common Crypto is not suitable. My colleague Al Varnell left a comment below regarding why Apple still integrates OpenSSL:
My reading of why Apple provides openssl 0.98y is as a convenience to third party developers that rely on openssl for whatever reasons and that it never uses it for any OS X or Apple apps, so I don't know that they will be in any hurry to replace it.
Theoretically, Apple will release a new 2014 Security Update to solve their OpenSSL problems. Keep an eye out.

NOTE: There are also XWindows applications and services using OpenSSL. Therefore, if you have installed any X11/XQuartz/Fink/MacPorts stuff, UPDATE THEM NOW. You know what to do. (I don't cover XWindows apps in this blog as it is beyond the scope of my intended audience).

Update: Al Varnell notes:
I did check early yesterday morning and MacPorts had already updated their version to 1.0.1h which is the newly recommended version to fix all currently known issues. That might be one quick way of reducing risk. 
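
Added example (not part of the original post, and not Apple's, MacPorts' or OpenSSL's code): a small shell check that classifies `openssl version` output using only the facts above, namely that the 0.9.8, 1.0.0 and 1.0.1 branches are affected and that 1.0.1h is the fixed 1.0.1 release. The function names, status words and sample version strings are constructed for illustration; the fixed letter for the 0.9.8 and 1.0.0 branches is not given in this post, so it is an optional argument to be filled in from the advisory linked above.

```sh
#!/bin/sh
# Added example: classify an `openssl version` string using only what the
# post states: branches 0.9.8, 1.0.0 and 1.0.1 are affected, 1.0.1h is fixed.

# Rank a patch-letter suffix: ""=0, a=1 ... z=26, za=27, zb=28 ...
letter_rank() {
    s=$1
    if [ -z "$s" ]; then echo 0; return 0; fi
    last=${s#"${s%?}"}            # final character of the suffix
    n=$(printf '%d' "'$last")     # its ASCII code
    echo $(( (${#s} - 1) * 26 + n - 96 ))
}

# Usage: openssl_status "<openssl version output>" [fixed-letter-for-branch]
openssl_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[0-9]\)\([a-z]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then echo "unparsed"; return 1; fi
    branch=${ver% *}
    letter=${ver#* }
    case $branch in
        1.0.1)       fixed=${2:-h} ;;   # 1.0.1h: fixed release named in the post
        0.9.8|1.0.0) fixed=${2:-} ;;    # affected; fixed letter comes from the advisory
        *)           echo "branch-not-listed"; return 0 ;;
    esac
    if [ -z "$fixed" ]; then echo "affected-branch"; return 0; fi
    if [ "$(letter_rank "$letter")" -ge "$(letter_rank "$fixed")" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample strings in the format `openssl version` prints.
for v in "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
         "OpenSSL 1.0.1h 5 Jun 2014"; do
    printf '%-28s %s\n' "$v" "$(openssl_status "$v")"
done
# On a real system: openssl_status "$(openssl version)"
```

Packagers sometimes backport fixes without changing the version string, so treat a "vulnerable" result as a prompt to check the vendor's changelog rather than as proof.
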
~ ~ ~ ~ ~

Meanwhile, back to the Heartbleed Bug:

Several resources have been made available to help Mac users sort out:

A) What websites are still unpatched.
B) What websites are/were affected.
C) What websites require users to create a new password due to the bug.

My colleague Josh Long has put together an excellent list of Heartbleed Bug affected and unaffected websites. Save it to your desktop and refer to it as you surf the net. Or go through the list of websites you log into and check whether you must change your password there or not:

Heartbleed Affected More Sites Than You Realized
Given the enormity of this list, I strongly recommend that you search within this page for any sites you use, rather than trying to look through it alphabetically. Please note that there are several sections. Be sure to especially look at the first two sections; if you use any sites listed in those sections, you'll want to change your passwords for those sites (and anywhere else you may have shared the same password) as soon as possible.
Josh provides the following sections in his Heartbleed list:
  • Change Passwords NOW
  • Change Passwords NOW (but make sure you do it while connected to a trusted network) [IOW: Not while on an open Wi-Fi hub]
  • Unknown/Ambiguous
  • Known Safe - No Password Change Needed (according to the company and/or third-party tests)
  • Further Notes and Explanations
  • Other Lists of Current/Past Allegedly Affected Sites
  • Test Pages - How to Check Whether a Site Is/Was Vulnerable
Another tool I've found is the Chromebleed add-on for the Chromium series of browsers:

https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

If readers find other such tools, please let us know in the comments! Thanks.

:-Derek
--



1 comment:

  1. My reading of why Apple provides openssl 0.98y is as a convenience to third party developers that rely on openssl for whatever reasons and that it never uses it for any OS X or Apple apps, so I don't know that they will be in any hurry to replace it.

    I did check early yesterday morning and MacPorts had already updated their version to 1.0.1h which is the newly recommended version to fix all currently known issues. That might be one quick way of reducing risk.
