A critical vulnerability in the OpenSSL cryptography library has been discovered and patched; OS X Mavericks systems were unaffected by the flaw even before the patch was released.
The Heartbleed bug is considered a serious vulnerability because it lets an attacker steal information protected by SSL/TLS encryption, which secures much of the traffic that moves across the web.
“SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs),” according to heartbleed.com. “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.”
Uncovered by a team of engineers at Codenomicon and by Neel Mehta of Google Security, the flaw affects OpenSSL versions 1.0.1 through 1.0.1f; the 1.0.0 and 0.9.8 branches are unaffected. OS X Mavericks ships OpenSSL 0.9.8y, which is not affected by the bug, though applications that bundle their own copy of OpenSSL instead of using the system library have to be checked separately.
Users can download OpenSSL 1.0.1g, the release that fixes the flaw, from Softpedia. Several operating systems and/or distributions shipped with a potentially vulnerable OpenSSL version, including Debian Wheezy (OpenSSL 1.0.1e-2+deb7u4), Ubuntu 12.04.4 LTS (OpenSSL 1.0.1-4ubuntu5.11), CentOS 6.5 (OpenSSL 1.0.1e-15), Fedora 18 (OpenSSL 1.0.1e-4), and FreeBSD 10.0 (OpenSSL 1.0.1e 11 Feb 2013). Because distributions usually backport the fix without changing the upstream version number, the package version, not just the string printed by `openssl version`, is what has to be checked.
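The version ranges above translate directly into a triage check. The following script is an added example written for this article, not code from the original page or from the OpenSSL project. It assumes the banner format printed by `openssl version` (for example "OpenSSL 1.0.1e 11 Feb 2013") and the distribution package versions listed above; it treats a package whose upstream version is in the affected range but whose revision is newer than the listed one as "check the distro advisory", since a backported fix leaves the upstream version unchanged.

```python
import re
import subprocess

# Upstream OpenSSL releases affected by Heartbleed (CVE-2014-0160), as stated
# on heartbleed.com: 1.0.1 through 1.0.1f. 1.0.1g is the fix; the 1.0.0 and
# 0.9.8 branches were never affected. Only these releases are classified here.
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")

# Distribution packages the article lists as shipping a vulnerable build.
# (Constructed lookup table; keys are the distro names used in the article.)
KNOWN_VULNERABLE_PACKAGES = {
    "Debian Wheezy": "1.0.1e-2+deb7u4",
    "Ubuntu 12.04.4 LTS": "1.0.1-4ubuntu5.11",
    "CentOS 6.5": "1.0.1e-15",
    "Fedora 18": "1.0.1e-4",
}


def parse_banner(banner):
    """Parse an `openssl version` banner into (major, minor, fix, patch_letter).

    Raises ValueError if the string does not look like an OpenSSL banner.
    """
    match = BANNER_RE.search(banner)
    if not match:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter


def upstream_vulnerable(banner):
    """True if the upstream release in `banner` is 1.0.1 through 1.0.1f."""
    major, minor, fix, letter = parse_banner(banner)
    if (major, minor, fix) != (1, 0, 1):
        # 0.9.8 and 1.0.0 were never affected; 1.0.2+ and 1.1.x carry the fix.
        return False
    # Patch letters sort lexicographically: "" < "a" < ... < "f" < "g".
    return letter <= "f"


def assess_package(distro, package_version):
    """Classify a distro package version as 'vulnerable', 'not_vulnerable' or
    'check_advisory'.

    Distros backport fixes without bumping the upstream version, so a banner of
    "1.0.1e" alone is not conclusive: only the exact package revisions the
    article names are reported as vulnerable, and any other revision of an
    affected upstream release is sent to the distro's security advisory.
    """
    upstream = "OpenSSL " + package_version.split("-", 1)[0]
    if not upstream_vulnerable(upstream):
        return "not_vulnerable"
    if KNOWN_VULNERABLE_PACKAGES.get(distro) == package_version:
        return "vulnerable"
    return "check_advisory"


def local_banner():
    """Return the banner of the OpenSSL binary on PATH, or None if absent."""
    try:
        result = subprocess.run(["openssl", "version"],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    banner = local_banner()
    if banner is None:
        print("no openssl binary found on PATH")
    else:
        verdict = "VULNERABLE" if upstream_vulnerable(banner) else "not in affected range"
        print("%s -> %s (upstream check only; verify the package revision)" % (banner, verdict))
```

Run the script on a host to classify the system `openssl` binary; for distribution packages, feed the output of `dpkg -s openssl` or `rpm -q openssl` to `assess_package`, and treat "check_advisory" as a prompt to read the distro's advisory rather than as a clean bill of health.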
Heartbleed.com explains that the bug is not like the widely reported Apple "goto fail" flaw, because, as the site puts it, “...this bug has left large amount of private keys and other secrets exposed to the Internet.” For that reason, updating the library is only the first step on a server that ran a vulnerable version: private keys that may have been read out of memory should be regenerated and their certificates reissued and revoked, and session tokens and passwords that passed through the server should be reset.