This is a little long in the tooth, but I’m caught playing catch-up on a number of things, so apologies on my part.
As most will be aware, there has been a lot of coverage about the Heartbleed OpenSSL vulnerability in the course of the last week, and the impact it may have had over the last two years in exposing what should have been secure information.
The vulnerability is so-called because it affects an extension to SSL (Secure Sockets Layer) which engineers dubbed Heartbeat. It is a server-side exploit which could affect almost any system running any version of OpenSSL from the past 2 years, and allows an attacker to gain control of up to 64kB of the server’s working memory at a time, enabling them to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
Because of the widespread nature of the issue and the concerns it raised, the Lab issued a blog post on the matter on Thursday April 10th, which reads in full: