Google fixes Heartbleed

If you've been online at some point in the last 36 hours, chances are you've heard of 'Heartbleed', a flaw in OpenSSL that has exposed data to theft on approximately 2/3 of servers in use around the globe over the past two years. It's not known how bad the damage may be, but the revelation of the vulnerability sent server teams around the world scrambling to patch their systems. Among them: Google. In a posting today on the Google Online Security Blog, Google revealed that they had patched OpenSSL vulnerabilities in a number of their services.

We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services.

While those services are now secured and Android was not affected to begin with, users of the Google Cloud Platform and Google Search Appliance will have to manually update their devices. Additionally, Android 4.1.1 is somehow vulnerable to the Heartbleed exploit, while earlier and later versions of Android are not. Google is distributing patching information to its Android partners so those on version 4.1.1 can get a fix, but if your device is still on an Android version that old, we wouldn't cross our fingers for an update any time soon.

Source: Google Online Security Blog

 

Reader comments


On a side note, am I the only one experiencing issues with commenting? It says, "please log in to comment." I'm already logged in...

Nexus 5...enough said

I thought I read somewhere yesterday that Google, Apple, Microsoft and a few others were not affected by this.

Posted via Android Central App using galaxy s4

Microsoft wasn't affected because they use their own flavor of SSL. Almost the entire rest of the web does though. Pretty much anything using Apache and other open source platforms. I'm just waiting for the big announcement from Amazon that lets us know just how bad they got shafted.

Armadillo, the other white meat.

Anything that used the most recent version of OpenSSL (1.0.1 - 1.0.1f) was affected. None of my Solaris boxes were impacted because we are not running 1.0.1.

Funny!
Article stated "a flaw in OpenSSL that has exposed data to theft on approximately 2/3 of servers in use around the globe over the past two years."

...and now they fix it.

Posted via Android Central App

The bug has EXISTED in the code for over 2 years, that does not mean that it has been KNOWN or EXPLOITED for 2 years. It was only discovered last week, so that means it has only been known about for a few days, and that doesn't mean that it has actually been exploited yet.

Makes you wonder if NSA/GCHQ have known about this and exploited it.

Posted via Android Central App

So should we change our Google passwords now?

Posted via Android Central App on nexus 7 (2nd gen)

Our Gmail password for example, I'm guessing you're using Google 2 step authentication

Posted via Android Central App using galaxy s4

I've seen lots of articles calling for every user to change every password for every service ASAP. I feel that might be a *little* bit of an over-reaction. But I would change important ones that might cost you money (like your bank) and keep a close eye on the others for the time being and change the password immediately, if you see anything odd.

Chances are, nobody captured data in any significant amounts. The vulnerability allowed hackers to "look" into the server's memory (RAM) while the request/response was being processed. That means you were only vulnerable if you were actually using the server at the time that the hacker was "looking" (assuming one ever was).

Yes, it's a big security hole.

No, it's not the internet Armageddon.

Yes, it's good that it's being patched with all possible speed.

No, you don't need to start building a tin foil-lined concrete bunker inside your office.

I ran Lookout's app to see if I was affected. HTC One M7 running KitKat. It says my OpenSSL is affected but not enabled. Should I be worried?

Posted via Android Central App