
Oracle’s Race Against Heartbleed Vulnerability



The Heartbleed bug has wrought havoc around the world since its discovery in early April 2014 (it was reported to the OpenSSL project on April 1 and publicly disclosed on April 7). Known by its Common Vulnerabilities and Exposures identifier, CVE-2014-0160, it is not a virus but a flaw in OpenSSL’s TLS heartbeat extension: it does not spread, it simply lets any remote client read chunks of a server’s memory, exposing private keys, passwords and session cookies. Surveys at the time estimated that about 17 percent of trusted TLS servers on the web, close to half a million, were vulnerable. This placed Heartbleed at “catastrophic” severity, widely considered the Internet’s worst vulnerability to date in terms of impact.

Given its name and bleeding-heart logo by the researchers who disclosed it, the bug went undetected for over two years: it was introduced with OpenSSL 1.0.1 in March 2012 and affects releases 1.0.1 through 1.0.1f. Because a heartbeat read leaves nothing in the server’s logs, nobody can rule out that attackers exploited the flaw long before its discovery.

How Heartbleed works

Heartbleed works by making the server hand back a slice of its own memory. A client sends a TLS heartbeat request that declares a payload length larger than the payload it actually sent, and an unpatched server copies the declared number of bytes, up to 64 KB, from its memory into the reply. The request can be repeated indefinitely, and the chunks, stitched together, can contain usernames, passwords, session IDs, online banking data, TLS private keys, certificates and anything else that happened to sit in the process’s memory. The private key is the worst case: an attacker who obtains it can decrypt recorded traffic (unless forward-secret cipher suites were used) and impersonate the server, even after the server has been patched, until the certificate is revoked and reissued with a fresh key.
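As an added illustration (not code from this article or from OpenSSL), the following C models the heartbeat handler behind the bug: the pre-patch version trusts the peer’s declared payload length and copies that many bytes into the reply, while the fixed version adds the two bounds checks that OpenSSL 1.0.1g introduced. The "arena" standing in for the server’s heap, the record layout, and the secret string placed after the record are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSL's code: a model of the TLS heartbeat handler
 * behind CVE-2014-0160. A heartbeat message on the wire looks like
 *
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16)
 *
 * Before the fix, the server trusted payload_length as sent by the peer and
 * copied that many bytes into its reply, so a short record with a large
 * claimed length makes the server echo whatever follows the record in memory.
 * The fix compares the claim against the number of bytes actually received.
 */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   256

/* Constructed stand-in for the server's heap: the received record is at the
 * start and, as on a real heap, sensitive data sits right after it. */
typedef struct {
    uint8_t mem[ARENA_SIZE];
    size_t  record_len;      /* bytes actually received (OpenSSL's rrec.length) */
} arena_t;

static const char SECRET[] = "session=0xdeadbeef";   /* invented for the demo */

/* Build a record carrying one payload byte ('A') plus 16 bytes of padding,
 * but advertising `claimed_len` payload bytes. claimed_len == 1 is honest. */
static void arena_init(arena_t *a, uint16_t claimed_len) {
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = HB_REQUEST;
    a->mem[1] = (uint8_t)(claimed_len >> 8);        /* big-endian length */
    a->mem[2] = (uint8_t)(claimed_len & 0xff);
    a->mem[3] = 'A';
    a->record_len = 1 + 2 + 1 + HB_PADDING;          /* padding is already zero */
    memcpy(a->mem + a->record_len, SECRET, sizeof SECRET);
}

/* Shared tail: write the response. Returns the number of payload bytes echoed. */
static int build_response(const uint8_t *pl, uint16_t payload, uint8_t *resp) {
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, pl, payload);                   /* copies `payload` bytes from pl */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Pre-patch behaviour. Returns payload bytes echoed, or -1 if rejected.
 * resp_cap only keeps this model inside its own arena; real OpenSSL had no
 * such limit and would read up to 65535 bytes past the record. */
static int heartbeat_vulnerable(const arena_t *a, uint8_t *resp, size_t resp_cap) {
    const uint8_t *p = a->mem;
    uint8_t  hbtype  = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s() */
    p += 2;
    if (hbtype != HB_REQUEST) return -1;
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1;   /* demo bound only */
    /* BUG: `payload` came from the peer and is never checked against record_len. */
    return build_response(p, payload, resp);
}

/* Post-patch behaviour: the two bounds checks added in OpenSSL 1.0.1g. */
static int heartbeat_fixed(const arena_t *a, uint8_t *resp, size_t resp_cap) {
    if (1 + 2 + HB_PADDING > a->record_len) return -1;   /* too short to be a heartbeat */
    const uint8_t *p = a->mem;
    uint8_t  hbtype  = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    /* The claimed payload plus padding must fit in what was actually received. */
    if ((size_t)1 + 2 + payload + HB_PADDING > a->record_len) return -1;
    if (hbtype != HB_REQUEST) return -1;
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1;
    return build_response(p, payload, resp);
}

/* Does the response contain bytes of the secret that lived past the record? */
static int response_contains(const uint8_t *resp, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, needle, m) == 0) return 1;
    return 0;
}

/* Run one request through either handler.
 * Returns -1 if rejected, 0 if answered without leaking, 1 if the secret leaked. */
static int run_heartbeat(uint16_t claimed_len, int patched) {
    arena_t a;
    uint8_t resp[ARENA_SIZE];
    arena_init(&a, claimed_len);
    int n = patched ? heartbeat_fixed(&a, resp, sizeof resp)
                    : heartbeat_vulnerable(&a, resp, sizeof resp);
    if (n < 0) return -1;
    return response_contains(resp, (size_t)3 + n, SECRET);
}

int main(void) {
    arena_t a;
    uint8_t resp[ARENA_SIZE];
    arena_init(&a, 64);                              /* claim 64 bytes, send 1 */
    int n = heartbeat_vulnerable(&a, resp, sizeof resp);
    printf("vulnerable handler echoed %d bytes: ", n);
    for (int i = 0; i < n; i++) {
        uint8_t c = resp[3 + i];
        putchar(c >= 32 && c < 127 ? c : '.');
    }
    printf("\nfixed handler returned %d (request rejected)\n",
           heartbeat_fixed(&a, resp, sizeof resp));
    return 0;
}
```

Run as is and the vulnerable handler echoes 64 bytes that include the "session=" string sitting just past the 20-byte record, while the fixed handler rejects the same request because 1 + 2 + 64 + 16 exceeds the 20 bytes actually received; an honest request (claimed length 1) passes both handlers and leaks nothing.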

In April 2014, Oracle published an advisory listing 33 of its products that were, or might be, vulnerable to Heartbleed and would most likely require a patch. Its cloud services, Oracle said, were not affected.

Oracle Database unhackable

Oracle Corp. CEO Larry Ellison downplayed consumer fears, saying that the Oracle database has never been hacked into by anyone in the last couple of decades: “It’s so secure, there are people that complain.”

Users of Oracle products will, however, be less encouraged to learn that products they may own, including those built on the OpenSSL cryptographic library, have been declared vulnerable. A further list is said to be under investigation, including the Sun Storage Common Array Manager and the Oracle-branded Fibre Channel switches sourced from QLogic and Cisco.

Oracle has since updated users on the progress of its Heartbleed patches, and has released fixed OpenSSL packages for Oracle Linux 6 and Solaris 11.2.

Oracle’s Global Product Security group says it continues to work with the company’s product development teams on fixes for the products listed as vulnerable, as well as for others that may still turn out to be affected, and will announce further patches as they are released.

Expect more patches and fixes

End users who depend on Oracle products can expect a steady stream of patches, fixes and patch set updates over the coming months as the company races to secure batches of its affected software, to stay ahead of attackers and, of course, to protect its reputation.

For practical protection against Heartbleed, check whether a site is still vulnerable with one of the dedicated Heartbleed checkers, such as those published by the password-manager vendors LastPass and 1Password. Watch for patch announcements, and confirm that a site has been patched (and, ideally, has reissued its certificate) before changing your password there: a new password entered on a still-vulnerable server can be leaked just like the old one. Most experts recommend a strong, unique password for every site.

Finally, users who feel their online privacy or anonymity has been compromised would do no harm by staying off affected services for a while, until those sites have patched or upgraded their OpenSSL versions.

Photo courtesy of theglobalpanorama.
