Bitcoin Core Version 0.9.1 is out and it has addressed the Heartbleed OpenSSL vulnerability, also known as CVE-2014-0160. The vulnerability has been patched by major bitcoin exchanges in a matter of hours.
In case you missed it, Heartbleed is a pretty big deal in the security community. The crypto bug in OpenSSL (an open-source implementation of the SSL and TLS internet security protocols that encrypt and secure internet traffic) has opened up two thirds of the web to eavesdropping. It was uncovered earlier this week and many observers described it as nothing short of catastrophic.
Luckily the news quickly translated into industry-wide action: patches are being implemented across the world as we speak.
Bitcoin exchanges and wallets are targeted by hackers on a daily basis, so serious bitcoin outfits keep track of zero day exploits, new attack vectors and a host of other vulnerabilities.
The Bitcoin Core team says version 0.9.1 is a maintenance release to fix an urgent vulnerability (ie Heartbleed), and all users should upgrade as soon as possible. Most have heeded the call and as a result the vast majority of major bitcoin sites and exchanges have implemented the fix.
OpenSSL is the most popular code library for HTTPS encryption. It is not used by Microsoft IIS, so Windows-based systems cannot be directly affected.
While this is good news for most desktop users out there, IT departments would rather have it the other way around. OpenSSL is used on Linux, BSD and numerous custom server platforms. Mac OS X is affected, too. The bug does not affect all versions of OpenSSL, either. Some major banks like Chase and Schwab rely on Microsoft IIS. Others rely on Linux/Apache, Java and other systems.
Ars Technica reports the bug is the result of a “mundane coding error” in OpenSSL. The bug essentially allows attackers to gain access to chunks of private computer memory that handles the OpenSSL process.
The contents of said memory chunks may include authentication credentials or even private keys that can undermine the website’s entire cryptographic certificate.
Hence, website operators need to patch their servers with OpenSSL version 1.0.1g and update their security certificates. The problem is that the OpenSSL patch is just the first step. Users need to think about replacing their X.509 certificates once they apply the OpenSSL update.
All admins and users are advised to change their passwords as a precaution as activity is traceless, and this scale of vulnerability is unprecedented in OpenSSL.