Heartbleed Bug: The Latest AlertsInsights on Risks to Mobile Apps, Network Security Products
Mobile applications can be as vulnerable to the Heartbleed bug as websites, warns security vendor Trend Micro. And ICSA Labs stresses that organizations need to review network security products that may also be compromised.
Meanwhile, other technology firms are providing updates on their actions in the wake of the Heartbleed bug, which exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).
For example, IT hosting company Rackspace is helping clients patch systems, while application performance and Web security firm Akamai and online currency Bitcoin have announced mitigation steps.
The company scanned about 390,000 apps from the Google Play app store and found 1,300 apps were connected to vulnerable servers. "Among them are 15 bank-related apps, 39 online payment-related and 10 online shopping related," Trend Micro says. Also vulnerable, the company says, are "several popular apps that many users would use on a daily basis, like instant messaging apps, healthcare apps, keyboard input apps - and most concerning, even mobile payment apps."
The company is urging app users to refrain from conducting in-app purchases or other financial transactions for a while until the app developers release patches that mitigate the vulnerability.
Ensuring Network Security
Third-party product assurance firm ICSA Labs, an independent division of Verizon, says organizations also need to be aware that certain network security products are vulnerable to the Heartbleed bug.
"To put this into perspective, any product that uses OpenSSL or one of its variants to create a secure connection is potentially at risk," says Brian Monkman, ICSA Labs' technology programs manager, in a blog. "This could mean, for example, a network firewall with an outward facing administrative interface that uses an HTTPS connection may be vulnerable, or a Web application firewall that has SSL termination functionality may also be vulnerable."
ICSA Labs is notifying all the vendors in its network security programs that it will be testing the certified versions of their in-market products to determine whether or not their products are currently vulnerable to Heartbleed. "Even vendors who assert their products are not vulnerable will be tested," Monkman says. "Our mantra is trust but verify."
Meanwhile Rackspace is working to patch the systems for all its customers who have servers that the vendor can access, unless the clients have specifically noted that they do not want their systems patched.
Once servers are updated, Rackspace recommends generating new keys for SSL certificates and having them re-issued. Additionally, organizations should reset critical passwords in Web applications and in the base operating system, says Major Hayden, the company's chief security architect.
Akamai Takes Action
Akamai is taking steps to mitigate Heartbleed vulnerability. "We, like all users of OpenSSL, could have exposed passwords or session cookies transiting our network from August 2012 through April 4, 2014," says Andy Ellis, the company's chief security officer, in a blog.
An independent researcher contacted Akamai over the weekend of April 12, following Ellis' statement, regarding defects in the software the company uses for memory allocation around SSL keys.
"In short: we had a bug," Ellis says in a second blog. "An RSA key has six critical values; our code would only attempt to protect three parts of the secret key, but does not protect three others. As a result, we have begun the process of rotating all customer SSL keys/certificates. Some of these certificates will quickly rotate; some require extra validation with the certificate authorities and may take longer."
Bitcoin Addresses Bug
Online currency Bitcoin is advising its users to upgrade to an updated version of its software, warning that the earlier version could lead to compromised wallets. A wallet allows for transactions with other Bitcoin users to occur.
Bitcoin.org says version 0.9.0 of the Bitcoin Core software contains a version of OpenSSL that's vulnerable to the Heartbleed bug. So it advises users to immediately upgrade to Bitcoin Core version 0.9.1.
Additionally, Android version 4.1.1 is vulnerable to Heartbleed, according to Bitcoin.org, which advises upgrading to at least Android 4.1.2. "If you are using Bitcoin Wallet on an Android phone, you should upgrade the [Bitcoin] app to at least version 3.45."