Heartbleed on Windows… eh oh.  Though your heart may go out to those losing support on Windows XP, it does not mean they are particularly vulnerable to Heartbleed.

What is Heartbleed?

First off, it is NOT a virus; it is a flaw/coding error in OpenSSL, the open-source encryption library used by many websites and other servers. It's used for things like websites where the HTTP: is changed to HTTPS: and you get a little security lock icon on many browsers to show this is a secure site.

This vulnerable version of OpenSSL has been out for about 2 years.

What versions of the OpenSSL are affected?

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

This bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.
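A small checker for the version list above, as an added example that is not part of the original post: it pulls the OpenSSL version out of a server banner or `openssl version` output and classifies it using only the ranges listed here. The function names and sample banners are constructed for illustration; branches the list does not mention are reported as not listed.

```python
import re

# Matches the version token in strings such as "OpenSSL 1.0.1e"
# or "Apache/2.4.7 (Win32) OpenSSL/1.0.1e".
_VERSION_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter), or None if no OpenSSL version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.lower()


def heartbleed_status(banner):
    """Classify a banner using only the version ranges listed in the article."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "no-openssl-version"   # e.g. IIS, which uses SChannel instead
    major, minor, fix, letter = parsed
    branch = (major, minor, fix)
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not-vulnerable"
    if branch == (1, 0, 1):
        # "" is the plain 1.0.1 release; patch letters a..f are still affected,
        # g and later carry the fix.
        return "vulnerable" if letter <= "f" else "not-vulnerable"
    return "not-listed"               # branch the article says nothing about


# Constructed sample banners, not taken from any real host.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1 14 Mar 2012",
    "Apache/2.4.7 (Win32) OpenSSL/1.0.1e PHP/5.5.9",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t",
    "Microsoft-IIS/8.5",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{heartbleed_status(banner):20} {banner}")
```

Vendor-patched builds can keep an older version string, so treat a "vulnerable" result as a prompt to check the software's support site.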

Can I know if a site was hacked?

What is so insidious about Heartbleed is that it leaves no trace. So a site could have been hacked and no trace would be left about it.

Is my Windows XP or other Windows desktop or server affected?

Probably not. Though Heartbleed was announced just after the end of support for Windows XP, Microsoft does not use OpenSSL. Microsoft uses their own encryption component called Secure Channel (aka SChannel). So unless you installed something for your web services that uses OpenSSL, your computer should be fine (IIS is unaffected).

This applies to all Windows operating systems and IIS versions, up to and including IIS 8.5 running on any of the following operating systems:

• Windows Server 2003 and 2003R2
• Windows Server 2008
• Windows Server 2008R2
• Windows Server 2012
• Windows Server 2012R2

If you installed something like Apache on Windows you should look to the support website for the software installed.

So what should I do?

You should change passwords everywhere, EXCEPT on affected sites or services that haven't patched the hole yet. However, be sure that once they have updated their software, you change your passwords on these as well.

You should also check your credit, account statements and other online activity to make sure no unauthorized entries appear.
