Heartbleed vulnerability can lead to password disclosure - vulnerability warning - myhack58 (Black Bar Security Net)

ID MYHACK58:62201673585
Type myhack58
Reporter Anonymous
Modified 2016-04-13T00:00:00


On 10 December, security researchers also found traces of the Heartbleed vulnerability; by exploiting it, an attacker can obtain users' passwords and lure users into visiting a forged website.

Vulnerability background

The Heartbleed vulnerability (CVE-2014-0160, CNNVD-201404-073) is a major security vulnerability in OpenSSL, exposed by foreign hackers on 7 April 2014. It allows an attacker to read up to 64K of memory content from the server. Because a huge number of websites use the OpenSSL source code, the impact of the vulnerability is very serious. OpenSSL is a powerful Secure Sockets Layer cryptographic library that includes the major cryptographic algorithms, commonly used key and certificate management functions and the SSL protocol, and provides a wealth of applications for testing and other purposes.

Vulnerability details

The vulnerability exists in OpenSSL and can leak the server's memory contents, which contain a large amount of hosted data and other sensitive information such as usernames, passwords and credit card numbers. In addition, an attacker can also copy the server's digital keys and then impersonate the server or decrypt communications. Security researcher Ronald Prins tested the Yahoo site and confirmed that an attacker can use the Heartbleed vulnerability to obtain usernames and passwords. Scott Galloway tweeted that running the Heartbleed code for 5 minutes yielded 200 Yahoo Mail usernames and passwords.

Solutions

Yahoo said it had fixed the vulnerability on its main websites, including the Yahoo homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr, and that its security team is working to fix the remaining sites. However, Yahoo has not provided users with any related security recommendations.

Encryption technology consultant Filippo Valsorda developed a tool that lets users test whether a site is affected by the Heartbleed vulnerability. So far it has found that Google, Microsoft, Twitter, Facebook, Dropbox and other mainstream sites are not affected, while some sites such as Imgur, OKCupid and Eventbrite are affected. According to the bulletin published by OpenSSL, the vulnerability affects OpenSSL 1.0.1 and 1.0.2-beta, and version 1.0.1g has been released to fix it. Network operators need to upgrade the software and revoke certificates that attackers may have gained control of.
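What the 1.0.1g fix actually enforces, as an added example that is not code from the original page or from OpenSSL itself: a simplified TLS heartbeat handler in C that checks the peer-supplied payload length against the bytes actually received before copying anything into the response. The macro names, function names and the two sample records are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR       3
#define HB_PADDING   16

/* Returns 1 if the peer-supplied payload_length fits inside the bytes actually
 * received, 0 otherwise. OpenSSL 1.0.1 trusted the length field; 1.0.1g added an
 * equivalent check, so an oversized claim is discarded instead of driving a
 * memcpy that reads past the record into other process memory (the 64K leak). */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;       /* cannot hold even an empty payload */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    return HB_HDR + payload + HB_PADDING <= rec_len;
}

/* Builds the heartbeat response, echoing the payload. Returns the response
 * length, or 0 when the request is rejected. */
size_t build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return 0;
    if (!heartbeat_length_ok(rec, rec_len)) return 0;    /* the 1.0.1g check */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HDR + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);       /* bounded by the check above */
    memset(out + HB_HDR + payload, 0, HB_PADDING);     /* real padding is random bytes */
    return resp_len;
}

/* Constructed sample records: a well-formed 3-byte request, and one that claims
 * a 65535-byte payload while carrying only 3 bytes (the Heartbleed pattern). */
static const uint8_t hb_good[22] = {HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t hb_bad[22]  = {HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c'};

/* Returns 1 when the handler echoes the honest request and discards the
 * oversized one, which is the behaviour a patched server must show. */
int demo_handler_rejects_oversized_claim(void) {
    uint8_t out[64];
    size_t n = build_heartbeat_response(hb_good, sizeof hb_good, out, sizeof out);
    if (n != 22 || out[0] != HB_RESPONSE || memcmp(out + HB_HDR, "abc", 3) != 0) return 0;
    return build_heartbeat_response(hb_bad, sizeof hb_bad, out, sizeof out) == 0;
}
```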