wonderfully unique software solutions

Old bugs die hard so look out for ‘old’ vulnerabilities, warns Acunetix

The Heartbleed bug that emerged in 2012 was fixed years ago, right? Wrong, says Tomasz Andrzej Nidecki, Acunetix technical writer.

In fact, Heartbleed is a great example of the ongoing difficulty in keeping widely distributed software patched and up to date when it comes to security threats and vulnerabilities, Nidecki notes, writing in the Acunetix Web Security Zone blog.

Many might think Heartbleed would no longer be found in production systems years after the key fixes were issued, he says, pointing to a report on Shodan that suggests otherwise.

And this is why security scanning must be paired with vulnerability management to guarantee IT security, whether it’s in the case of network security or web security.

“Many IoT devices use OpenSSL for TLS handling and such devices introduced between 2012 and 2014 would be vulnerable to Heartbleed. Some of them may not have firmware updates at all and in the case of others, the owners of the devices might choose not to do such updates,” says Nidecki.

Old bugs persist for various reasons, such as continued use of vulnerable software. This can happen when vulnerable software has been customised – for example by modifying the OpenSSL library. Direct patches may not be possible, which means a company must add their custom code into the new version of the library.

“This is often why web open-source software such as WordPress is not immediately updated by companies even if critical new bugs are found,” he explains.

Small companies might not even be aware that the software that they use needs a security update. Some don’t even have anyone who administers their web server. Other companies may simply feel that defending against hackers is not worth the effort.

According to Nidecki, OpenSSL developers failed to build in a check on whether the size of the data specified in Heartbeat, an extension of the OpenSSL library, represents the actual amount of data. Like in a buffer overflow vulnerability, the attacker receives random memory content in return, which might include sensitive information such as SSL certificates, encryption keys or credit card numbers.

“In the original Heartbeat implementation, the client could declare any data size and the server would treat it as valid. The vulnerability appears if the declared size exceeds the real data size. In such a case, the server sends back the message with extra information,” confirms Nidecki.

“This bug and many others remain unfixed in so many systems.”

Recent Articles

N-able teams up with US cybersecurity agency on RMM tactics

Remote monitoring and management (RMM) software vendor N-able has announced it is working with the US Cybersecurity and Infrastructure Security Agency (CISA)...

Nitro with Level Access launches accessibility upgrade for PDF management

E-documentation company Nitro has teamed up with digital accessibility as a service provider Level Access on an accessible version of the former's...

CoreView expects further sales growth as Microsoft launches ‘disruptive’ tools

Microsoft 365 (M365) management software vendor CoreView is gearing up for greater demand, predicted to be fuelled further by AI adoption via...

Keeper Security expands global reach with new investments in zero-trust security

Keeper Security has opened an Asia-Pacific (APAC) headquarters in Japan, reflecting increased global interest and investment in unified, zero-trust enterprise passwords, secrets...

iSpring follows Salesforce integration with Albato no-code automation

Edtech software vendor iSpring Solutions has announced integration of the iSpring Learn learning management system (LMS) with no-code automation from Albato, expanding...

Related Stories

Leave A Reply

Please enter your comment!
Please enter your name here

Weirdware monthly - Get the latest news in your inbox