OpenSSL bug CVE-2014-0160

If you’re using an older OpenSSL version, you’re safe.

via OpenSSL bug CVE-2014-0160 | The Tor Blog.

I find that statement quite interesting due to how many security experts tout keeping your software constantly updated without realizing sometimes updates can introduce exploit vectors.

From:  The Heartbleed Bug

What makes the Heartbleed Bug unique?

Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.

Am I affected by the bug?

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.

From: Exploits allow attackers to obtain private keys used to decrypt sensitive data.

They called on white-hat hackers to set up “honeypots” of vulnerable TLS servers designed to entrap attackers in an attempt to see if the bug is being actively exploited in the wild. The researchers have dubbed the vulnerability Heartbleed because the underlying bug resides in the OpenSSL implementation of the TLS heartbeat extension as described in RFC 6520 of the Internet Engineering Task Force.