Vendors address the Heartbleed bug
Which products and services are affected by the Heartbleed bug in OpenSSL? Vendors have started issuing security advisories telling users which of their products are safe and which will have to be updates.
Cisco has shared that over a dozen of its products and 2 of its services vere found to be vulnerable.
The services – Cisco’s Registered Envelope Service and Webex Messenger Service – have already been patched, but the products, which include the company’s IOS XE operating system, have yet to be fixed. And, the list might yet turn out to be incomplete, as the investigation is still ongoing.
“A subset of Juniper’s products were affected by the Heartbleed vulnerability including certain versions of our SSL VPN software, which presents the most critical concern for customers. We issued a patch for our SSL VPN product on Tuesday and are working around the clock to provide patched versions of code for our other affected products,” Juniper Networks’ spokesperson has revealed, and urged customers to contact Juniper’s Customer Support Center for detailed advisories and product updates.
Microsoft has assured users that most Microsoft’s offerings are not vulnerable, including all Windows operating systems and IIS versions.
“Customers running software on Windows that uses OpenSSL instead of SChannel [Window’s own encryption component](for example, running the Windows version of Apache), may be vulnerable. We recommend that all customers who may be vulnerable follow the guidance from their software distribution provider,” they added.
Many other vendors have issued advisories detailing temporary results of their investigation regarding the affect of the bug on their products. You can find most of them linked here (check out both the post and the comments) and here.
We can look forward to a lot of security patching in the coming weeks and months, and when it comes to Internet of Things devices, it’s possible that even years will pass until the patches are released (if ever).