A new security vulnerability dubbed 'Heartbleed' has been found in OpenSSL, the cryptographic library that secures a large share of Internet traffic. With OpenSSL used by software such as Apache, which powers the majority of web servers, this has got a lot of people very worried.
The vulnerability, identified by researchers working for Google and Codenomicon, is in OpenSSL's implementation of the TLS Heartbeat extension. A malformed heartbeat request lets an attacker read up to 64 KB of the server process's memory per request, and the request can simply be repeated, so there is no practical cap on how much memory is read over time. Whatever happens to sit next to the heartbeat buffer comes back: this can include the server's private key, session cookies, and the plaintext of other users' requests, which is information as sensitive as user credentials or credit card details. With the private key an attacker can decrypt captured traffic or impersonate the server. The same defect affects vulnerable OpenSSL clients talking to a malicious server. As a result, this affects pretty much everyone that uses the Internet: a huge number of the sites and services used online rely on OpenSSL to protect user privacy and the data sent to them.
"We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication" (heartbleed.com)
System administrators are now rushing to patch their servers, either by upgrading to the fixed OpenSSL release (1.0.1g) or by recompiling OpenSSL with the heartbeat extension disabled (the -DOPENSSL_NO_HEARTBEATS build flag). Two practical caveats: first, the version string alone can mislead, because distributions such as Debian and Ubuntu backported the fix into their existing 1.0.1 packages rather than shipping 1.0.1g, so check the package changelog or the build date from `openssl version -a` rather than just the version number. Second, patching only stops the bleeding; because the private key may already have been read, the fix should be followed by generating new keys, reissuing certificates and revoking the old ones, and then invalidating session cookies and asking users to change passwords, in that order, since resetting credentials on a still-vulnerable or still-compromised server achieves nothing.
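To make the mechanism in the two passages above concrete, here is an added illustration in C (written for this page, not OpenSSL's own code) of a heartbeat handler with the Heartbleed defect beside the bounds-checked form that mirrors the 1.0.1g fix. A static arena stands in for the process heap so the over-read stays inside memory the program owns; the "private key" placed next to the record is constructed sample data, and the handler names and buffer sizes are assumptions of the demo.

```c
/* Added illustration, not OpenSSL's code: a simplified TLS heartbeat handler
 * with the Heartbleed defect beside the bounds-checked form.  A static arena
 * stands in for the process heap so the over-read stays inside memory the
 * program owns; the real bug read past the SSL record into whatever happened
 * to be adjacent on the heap (keys, cookies, other users' requests). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* RFC 6520: at least 16 bytes of padding */

static unsigned char arena[128];   /* constructed "heap": record, then neighbours */
static unsigned char resp[256];    /* where each handler writes its response */
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- hunter2"; /* constructed */

/* Place a heartbeat request in the arena whose 2-byte length field claims
 * `claimed` payload bytes while only `actual` bytes follow it, then put the
 * secret right after the record, as a neighbouring allocation would be.
 * Returns the record length TLS would actually have delivered. */
size_t build_record(uint16_t claimed, size_t actual)
{
    size_t rec_len = 1 + 2 + actual + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + 3, 'A', actual);                 /* the genuine payload */
    memcpy(arena + rec_len, secret, sizeof secret); /* adjacent memory */
    return rec_len;
}

/* Vulnerable (the shape of OpenSSL 1.0.1 through 1.0.1f): the payload length
 * comes straight from the attacker's message and is never compared with the
 * size of the record that arrived, so memcpy reads far past the payload. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* ignored: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;              /* demo-only guard on the output */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* over-read of up to 64 KiB */
    memset(out + 3 + payload, 0, HB_PADDING);       /* padding (random in OpenSSL) */
    return (int)resp_len;
}

/* Fixed, in the spirit of the 1.0.1g patch: the claimed payload plus header
 * and padding must fit inside the received record, otherwise the heartbeat
 * is silently discarded (no reply at all). */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;    /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the fix */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* now provably in bounds */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Does a response of `len` bytes contain the neighbouring secret? */
int response_leaks_secret(const unsigned char *out, int len)
{
    size_t n = strlen(secret);
    if (len < 0 || (size_t)len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(out + i, secret, n) == 0) return 1;
    return 0;
}

/* Attack: a request claiming 64 bytes of payload but carrying only 1. */
int vulnerable_leaks(void)
{
    size_t n = build_record(64, 1);
    int len = heartbeat_vulnerable(arena, n, resp, sizeof resp);
    return response_leaks_secret(resp, len);        /* 1: the key is in the reply */
}

int fixed_refuses(void)
{
    size_t n = build_record(64, 1);
    return heartbeat_fixed(arena, n, resp, sizeof resp) == -1;  /* 1: dropped */
}

/* An honest heartbeat (claimed == actual) still gets its normal echo. */
int fixed_echo_length(void)
{
    size_t n = build_record(1, 1);
    return heartbeat_fixed(arena, n, resp, sizeof resp);  /* 20 = 1 + 2 + 1 + 16 */
}

int main(void)
{
    printf("vulnerable handler leaked the key: %s\n", vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler dropped the request:  %s\n", fixed_refuses() ? "yes" : "no");
    printf("fixed handler echo for honest request: %d bytes\n", fixed_echo_length());
    return 0;
}
```

The only difference between the two handlers is the single comparison against `rec_len`, which is why the fix was a one-line change; the attacker's 64 in the length field becomes 0xFFFF in a real exploit, which is where the 64 KB per request comes from.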
The defect was introduced into OpenSSL's code in December 2011 and shipped in every release from 1.0.1 (March 2012) through 1.0.1f; the older 1.0.0 and 0.9.8 branches never had the heartbeat code and are not affected. If you want to check your server, security expert Filippo Valsorda put together a useful tool online that sends a malformed heartbeat and reports whether the server answers with more than it was given.
In the short term the immediate focus will be on patching all vulnerable servers as quickly as possible now that the cat's out of the bag. But when the dust settles a lot of questions will need answering. If the vulnerability has been in place since 2011, how can we have confidence in what systems and data haven't already been compromised? A heartbeat over-read leaves nothing in the application logs, so the absence of evidence on a server says very little about whether its keys were taken.
To read more on this bug you can find it fully documented on heartbleed.com.