What is vulnerable to Heartbleed? Let me count the ways....

[thewayne]

VMWare servers, Nest thermostats, lots of home routers and firewalls, MyCloud servers, HP printers, videoconferencing systems, etc.

One positive thing in this article is that not all implementations of OpenSSL are vulnerable: older implementations are not vulnerable, and the version that has the bug apparently that segment of code is not mandatory and is not always implemented.

http://www.wired.com/2014/04/heartbleed_embedded/

Comments

[silveradept]

Man, you discover one bug in security software, and everything gets affected. And hopefully the patch-phobic can be convinced to update on this issue.

[thewayne.livejournal.com]

The problem is the pervasiveness of computer-based appliances (using the word appliance very broadly) and the cheapness of manufacturers. Look at wireless router makers. They get a distro of linux, get their coders to compile in the modules for managing wireless and routed communications, write a HTTP GUI, and ship it. They use the same basic modified distro for a very long time. A new spec comes out, they update it. But what they don't do is update the fundamental distro, and there's bug fix after bug fix coming down the pipe for the various programs that make up Linux. Odds are not in favor that they were fully patched before they burned that first RTM image. And there's zero money for them in releasing patches to update their routers because the money is in the next release.

I was quite surprised in setting up a new Dlink router for a friend last week: as I was configuring it to replace her dead one, the web interface came up and told me there was an updated BIOS for it! And it was a one-click update, I didn't have to download a file and upload it to the router. I'm seriously thinking about switching to Dlink when it comes time to replace my WAP, though I'm really interested in looking at DD-WRT and Tomato.

[silveradept]

Both of those have been installed on past routers of mine. They're quite good.