An OpenSSL vulnerability reported today has already been fixed on most Linux OSes

Apr 8, 2014 13:20 GMT

Another day, another vulnerability that makes the Internet go crazy. Fortunately enough, if you are running a Linux operating system this problem has already been fixed by the time you read this.

From time to time, one of the many vulnerabilities that are reported on a daily basis surfaces and gets reported like it’s the end of the world as we know it. The latest one to get this treatment is an OpenSSL vulnerability that made Internet users freak out.

It's true that on an imaginary scale of exploits and vulnerabilities this OpenSSL issue probably rates higher than most, but the truth is that it’s not all that important. The problem is that not only ordinary users are affected by this vulnerability, but also a number of online services like Yahoo or Steam.

As far as vulnerabilities go, the one we're talking about even got its own name, Heartbleed. It's a little dramatic, but it seems to have made the right impact. The name is actually a pun on the problem discovered in OpenSSL, the TLS heartbeat extension. This is what Canonical’s security reports say on the matter:

“Neel Mehta discovered that OpenSSL incorrectly handled memory in the TLS heartbeat extension. An attacker could use this issue to obtain up to 64k of memory contents from the client or server, possibly leading to the disclosure of private keys and other sensitive information. (CVE-2014-0160).”

“Yuval Yarom and Naomi Benger discovered that OpenSSL incorrectly handled timing during swap operations in the Montgomery ladder implementation. An attacker could use this issue to perform side-channel attacks and possibly recover ECDSA nonces. (CVE-2014-0076).”
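The heartbeat bug described in the first advisory, as an added illustration that is not OpenSSL's own code: a simplified C model of a heartbeat request handler with the length check in place. The record layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520; the function and constant names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520):
 * 1 byte type, 2 byte big-endian payload length, payload, >= 16 bytes padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Build the response to one received heartbeat record.
 * Returns the number of bytes written to out, or -1 if the record is malformed.
 * CVE-2014-0160 was the absence of the check marked "the fix" below: the
 * handler trusted the peer's claimed payload length and echoed that many bytes
 * from the record buffer, i.e. from whatever process memory followed it. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)   /* cannot even hold header + padding */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The fix: the claimed payload must fit inside what was actually received. */
    if (1 + 2 + claimed + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + claimed + HB_PADDING;
    if (resp_len > out_cap)             /* response must fit the caller's buffer */
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xff);
    memcpy(out + 3, rec + 3, claimed);        /* every byte copied lies inside rec */
    memset(out + 3 + claimed, 0, HB_PADDING); /* real TLS uses random padding */
    return (int)resp_len;
}
```

A record that claims 65535 bytes of payload but carries only a handful is rejected instead of being answered with 64k of memory contents.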

Most of the vulnerabilities reported and fixed for the Linux systems are about some sort of exploit that could allow an attacker to do bad things. The funny thing is that the story about the “terrible” Heartbleed vulnerability broke today, but the problem has been fixed in most major Linux distributions since yesterday.

Canonical, for example, issued its security notification on April 7, and similar updates have been issued by Red Hat, Debian, SUSE, Arch Linux, and so on. For the Linux operating system this was a non-event.

This is one of the reasons why Linux systems will always be the safest solution. Problems get patched right away and the patches arrive in the respective operating systems on the same day. It's hard to match this kind of efficiency on OSes other than Linux.