Heartbleed: Bug could affect firewalls, email, mobiles

11 April 2014
By Edd Gent
Cyber security experts say the scope of the Heartbleed bug may be larger than originally thought

Firewalls, email systems and even mobile phones could be at risk from the Heartbleed bug, according to cyber security experts.

The flaw in OpenSSL, a widely used Web encryption program, surfaced late on Monday and had previously been thought to affect only Web servers; developers rushed out patches to fix affected Web servers when they disclosed the problem.

But experts are now warning that pieces of vulnerable OpenSSL code can be found elsewhere too, including in email servers, ordinary PCs, phones and even security products such as firewalls, prompting developers of those products to scramble to find out if they are vulnerable and patch them to keep their users safe.

"I am waiting for a patch," said Jeff Moss, a security adviser to the US Department of Homeland Security and founder of the Def Con hacking conference. Def Con's network uses an enterprise firewall from McAfee, which is owned by Intel's security division.

He said he was frustrated because people had figured out that his email and Web traffic is vulnerable and posted about it on the Internet, but he can't take steps to remedy the problem until Intel releases a patch.

"Everybody is going through the exact same thing I'm going through, if you are going through a vendor fix," he said.

In a blog posting Intel said: "We understand this is a difficult time for businesses as they scramble to update multiple products from multiple vendors in the coming weeks. The McAfee products that use affected versions of OpenSSL are vulnerable and need to be updated." It did not say when the updates would be released.

Security experts said the vulnerable code is also found in some widely used email server software, the online browser anonymising tool Tor and OpenVPN, as well as some online games and software that runs Internet-connected devices such as webcams and mobile phones.

Jeff Forristal, chief technology officer of Bluebox Security, said that version 4.1.1 of Google's Android operating system, known as Jelly Bean, is also vulnerable. Google officials declined comment on his finding.

Other security experts said that they would avoid using any device with the vulnerable software in it, but that it would take a lot of effort for a hacker to extract useful data from a vulnerable Android phone.

Companies and government agencies are now rushing to understand which products are vulnerable, then set priorities for fixing them. They are anxious because researchers have observed sophisticated hacking groups conducting scans of the Internet this week in search of vulnerable servers.

"Every security person is talking about this," said Chris Morales, practice manager with the cyber security services firm NSS Labs.

Cisco Systems, the world's biggest telecommunications equipment provider, said on its website that it is reviewing dozens of products to see if they are safe. It uncovered about a dozen that are vulnerable, including a TelePresence video conferencing server and a version of the IOS software for managing routers.

A company spokesman declined to comment on how those issues might affect users, saying Cisco would provide more information as it became available. Oracle has not posted such an advisory on its support site. Company spokeswoman Deborah Hellinger declined to comment on Heartbleed.

Microsoft, which runs a cloud computing and storage service and the Xbox platform and has hundreds of millions of Windows and Office users, said in a statement that "a few services continue to be reviewed and updated with further protections." It did not identify them.

Officials with technology giants IBM and Hewlett-Packard could not be reached. EMC and Dell said they had no immediate comment.
