The widespread bug surfaced late on Monday, when it was disclosed
that a pernicious flaw in a widely used Web encryption program known
as OpenSSL opened hundreds of thousands of websites to data theft.
Developers rushed out patches to fix affected Web servers when they
disclosed the problem, which affected companies from Amazon.com Inc
and Google Inc to Yahoo Inc.
Yet pieces of vulnerable OpenSSL code can be found inside plenty of
other places, including email servers, ordinary PCs, phones and even
security products such as firewalls. Developers of those products
are scrambling to figure out whether they are vulnerable and patch
them to keep their users safe.
"I am waiting for a patch," said Jeff Moss, a security adviser to
the U.S. Department of Homeland Security and founder of the Def Con
hacking conference. Def Con's network uses an enterprise firewall
from McAfee, which is owned by Intel Corp's security division.
He said he was frustrated because people had figured out that his
email and Web traffic were vulnerable and posted about it on the
Internet — but he can't take steps to remedy the problem until Intel
releases a patch.
"Everybody is going through the exact same thing I'm going through,
if you are going through a vendor fix," he said.
An Intel spokesman declined comment, referring Reuters to a company
blog that said: "We understand this is a difficult time for
businesses as they scramble to update multiple products from
multiple vendors in the coming weeks. The McAfee products that use
affected versions of OpenSSL are vulnerable and need to be updated."
It did not say when they would be released.
The Heartbleed vulnerability went undetected for about two years and
can be exploited without leaving a trace, so experts and consumers
fear attackers may have compromised large numbers of networks
without their knowledge.
Companies and government agencies are now rushing to understand
which products are vulnerable, then set priorities for fixing them.
They are anxious because researchers have observed sophisticated
hacking groups conducting scans of the Internet this week in search
of vulnerable servers.
"Every security person is talking about this," said Chris Morales,
practice manager with the cybersecurity services firm NSS Labs.
Cisco Systems Inc, the world's biggest telecommunications equipment
provider, said on its website that it is reviewing dozens of
products to see if they are safe. It uncovered about a dozen that
are vulnerable, including a TelePresence video conferencing server
and a version of the IOS software for managing routers. A company
spokesman declined to comment on how those issues might affect
users, saying Cisco would provide more information as it became
Oracle Corp has not posted such an advisory on its support site.
Company spokeswoman Deborah Hellinger declined to comment on
Microsoft Corp, which runs a cloud computing and storage service and
the Xbox platform and has hundreds of millions of Windows and
Office users, said in a statement that "a few services continue to
be reviewed and updated with further protections." It did not
Officials with technology giants IBM and Hewlett-Packard Co could
not be reached. EMC Corp and Dell said they had no immediate
Security experts said the vulnerable code is also found in some
widely used email server software, the online browser anonymizing
tool Tor and OpenVPN, as well as some online games and software that
runs Internet-connected devices such as webcams and mobile phones.
Jeff Forristal, chief technology officer of Bluebox Security, said
that version 4.1.1 of Google's Android operating system, known as
Jelly Bean, is also vulnerable. Google officials declined comment on
Other security experts said that they would avoid using any device
with the vulnerable software in it, but that it would take a lot of
effort for a hacker to extract useful data from a vulnerable Android
(Editing by Edwin Chan and Eric Walsh)
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.