Researchers at the Finnish security company Codenomicon have detailed a critical security vulnerability in OpenSSL, which they're calling the Heartbleed bug (h/t Krebs On Security).

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," the researchers write. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

In testing their own services from an attacker's perspective, the researchers write, "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

The vulnerability, which is found in OpenSSL versions 1.0.1 through 1.0.1f, is patched in OpenSSL 1.0.1g.

In a security advisory published yesterday, the OpenSSL team stated, "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. ... Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS."
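The advisory's "missing bounds check", shown as a self-contained C model added here (not OpenSSL's code): a heartbeat request that claims more payload than it carries makes the unchecked response copy adjacent memory, while the added length check discards it. The arena, the 'S' filler standing in for leftover process memory, and the function names are constructed for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16).
 * Stand-alone model of the missing bounds check; not OpenSSL's implementation. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Builds the response for a request occupying rec[0..rec_len). The record sits
 * inside an arena of arena_len bytes that stands in for adjacent process memory,
 * so the unchecked copy never leaves memory this program owns.
 * Returns bytes written to out, or -1 when the request is discarded. */
static int handle_heartbeat(const unsigned char *rec, size_t rec_len, size_t arena_len,
                            unsigned char *out, size_t out_cap, int bounds_checked)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];      /* peer-supplied length */
    /* The check added in 1.0.1g: the claimed payload must fit in the received record. */
    if (bounds_checked && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                                        /* silently discard */
    size_t need = 1 + 2 + payload + HB_PADDING;
    if (need > out_cap || 3 + payload > arena_len)
        return -1;                                        /* harness limit only */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, rec + 3, payload);   /* without the check this reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)need;
}

/* Constructed request carrying 4 real payload bytes ("ping") but claiming
 * `claimed` bytes. Returns how many stale arena bytes ('S') reach the response,
 * or -1 if the request was discarded. */
static int demo(int bounds_checked, unsigned claimed)
{
    unsigned char arena[64], out[128];
    memset(arena, 'S', sizeof arena);                     /* 'S' models leftover secrets */
    unsigned char req[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0, 0, 'p', 'i', 'n', 'g' };
    req[1] = (unsigned char)(claimed >> 8);
    req[2] = (unsigned char)claimed;
    memcpy(arena, req, sizeof req);
    int n = handle_heartbeat(arena, sizeof req, sizeof arena, out, sizeof out, bounds_checked);
    if (n < 0) return -1;
    int leaked = 0;
    for (int i = 3; i < n - HB_PADDING; i++) leaked += (out[i] == 'S');
    return leaked;                       /* demo(0, 40) -> 20, demo(1, 40) -> -1 */
}
```

An honest request (claimed length equal to the real payload) passes both variants with nothing leaked; only the over-claiming request distinguishes the unchecked path from the fixed one.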
