Heartbleed Scare

Is what the media saying about Heartbleed true? This is what you need to know. It is not a virus; it is a bug in the code (called CVE-2014-0160). A very specific set of open source code called Open SSL (version 1.0.1) in use on some websites from March 2012 to April 7, 2014. The media is making a big deal about the Heartbleed bug. Their claims it affects 65% or more of the internet, is exaggeration. It affects a very specific set of code only in Open SSL. Many of the sites on the internet do not even use SSL. Some examples of affected sites: Facebook, Yahoo. Non-affected sites: Amazon store (not vulnerable) or LinkedIn (does not use SSL).

In fact, Heartbleed affected neither Windows Azure nor the Windows implementations of SSL/TLS (e.g. Microsoft Lync, Remote Desktop, websites hosted on Windows, etc.) People may criticize Microsoft for “Patch Tuesday” and not being an Open Source company, but they have one of the best security update strategies globally than any other company out there.

However, the Heartbleed bug is more complex than simply changing your passwords. It also means that previously issued certificates to sites (i.e. the lock icon on your screen to assure you that you are safe to enter your credit card) is also at risk. Affected sites will need new certificates issued. We will see a fundamental shift in how internet security works because of the inherent flaws in the certificate system. For more information on the bug, you can go here.

The decision to change all of your passwords is yours. *If you are changing your passwords* do not do it on a site that is still vulnerable or your efforts are wasted. To check, go here and enter the site’s web address. If it’s all clear, you may change your password on it. However, you should know that the site has more to do than just patch their Open SSL; they also need new certificates and perform testing to ensure that your data is no longer affected.