Google Patches ‘Heartbleed’ Vulnerabilities In Apps, Services

Google has patched some of its key user services in response to the Heartbleed security vulnerability, including updates to Search, Gmail, YouTube, Wallet, Google Play and App Engine, but some other services are still in the process of receiving patches.

The patch updates were announced by Matthew O’Connor, a Google product manager, in a 9 April post on the Google Online Security Blog.

Data theft risk

“You may have heard of ‘Heartbleed’, a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption,” wrote O’Connor. “We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this – and encourage others to report them – so that we can fix software flaws before they are exploited.”

Android users are not affected by the vulnerability, known as CVE-2014-0160, unless they are using Android 4.1.1, wrote O’Connor. Patching information for Android 4.1.1 to fix the flaw is being distributed to Android partners, he added.

Other Google services are also affected, including Google Cloud SQL, Google Compute Engine and Google Search Appliances, wrote O’Connor.

“We are currently patching Cloud SQL, with the patch rolling out to all instances [on 9 and 10 April],” he wrote. “In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find instructions here.”

For Google Compute Engine, “Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL,” he wrote. “Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions here.”

Broad impact

An update for Google Search Appliance users will soon be on the way, he wrote. “Engineers are working on a patch. The GSA team is finalising their analysis and will post an update for customers within 24 hours via the Google Enterprise Support Portal.”

The Heartbleed vulnerability is perhaps the most serious Internet security flaw in recent memory, affecting hundreds of millions of people, according to an earlier eWEEK report. The flaw is in OpenSSL, an open-source cryptographic library that implements SSL/TLS and is widely deployed on Linux servers and Internet infrastructure around the world.

The original OpenSSL advisory, issued on 7 April, did not use the name “Heartbleed”; it described a read overrun in the TLS heartbeat. Heartbeat refers to the TLS/DTLS Heartbeat Extension (RFC 6520), a keep-alive mechanism that OpenSSL implements, in which one side sends a payload and the other echoes it back. The flaw was a missing check that the payload length claimed in a heartbeat request actually fit within the record received, so a server could be made to copy up to 64 KB of whatever followed the request in its own memory into the reply, a request at a time.
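To make the mechanism concrete, here is an added example in C, not code from the article, from Google or from OpenSSL: a simplified model of the heartbeat handler with a constructed request record, one handler of the vulnerable shape that trusts the claimed payload length, and one that applies the missing bounds check. The record layout follows RFC 6520; the function names, the sample request and the "secret" bytes placed after it in the buffer are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * Names and layout details are this example's, not OpenSSL's. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap);

/* Vulnerable shape: the peer-supplied payload_length is trusted and used as
 * the memcpy size, so bytes beyond the real record are copied into the
 * response.  Returns the response length, or -1 if the request is refused. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;   /* only the output side is bounded */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* BUG: may read past rec_len */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed shape: discard any record too short to hold its own claimed payload
 * plus the mandatory padding, before the payload is touched at all. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the missing check */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed "process memory": a 7-byte request that claims a 40-byte
 * payload, followed by bytes that were never meant to leave the process. */
#define SAMPLE_RECORD_LEN 7
static const char SECRET[] = "SECRET-KEY-MATERIAL";

static size_t build_sample_memory(uint8_t *mem, size_t cap)
{
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST; mem[1] = 0x00; mem[2] = 0x28;   /* claims 40 bytes */
    memcpy(mem + 3, "ping", 4);                           /* actually sends 4 */
    memcpy(mem + SAMPLE_RECORD_LEN, SECRET, sizeof SECRET - 1);
    return SAMPLE_RECORD_LEN;
}

static int contains(const uint8_t *hay, size_t hay_len,
                    const char *needle, size_t needle_len)
{
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Feed the malicious request to a handler.
 * Returns 1 if SECRET appears in the response, 0 if not, -1 if refused. */
static int malicious_request_leaks(hb_handler handler)
{
    uint8_t mem[64], out[128];
    size_t rec_len = build_sample_memory(mem, sizeof mem);
    int n = handler(mem, rec_len, out, sizeof out);
    if (n < 0) return -1;
    return contains(out, (size_t)n, SECRET, sizeof SECRET - 1);
}

/* Feed a well-formed request (4-byte payload plus 16 bytes of padding).
 * Returns the response length, or -1 if refused or the echo is wrong. */
static int valid_request_echo_len(hb_handler handler)
{
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    int n = handler(rec, sizeof rec, out, sizeof out);
    if (n < 0 || out[0] != HB_RESPONSE || memcmp(out + 3, "ping", 4) != 0) return -1;
    return n;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", malicious_request_leaks(heartbeat_vulnerable));
    printf("fixed handler on same request (-1 = refused): %d\n", malicious_request_leaks(heartbeat_fixed));
    printf("fixed handler echoes a valid request, %d bytes\n", valid_request_echo_len(heartbeat_fixed));
    return 0;
}
```

Run against the constructed request, the vulnerable handler's reply contains the bytes that sat after the record in memory, while the fixed handler refuses the request; both handlers still echo a well-formed request, which is why the fix could ship without changing the protocol.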

The OpenSSL Project released a fix alongside the advisory, and Linux distributors shipped it as updated packages. The bug had been present since OpenSSL 1.0.1 was released in March 2012, roughly two years, and a heartbeat request leaves no trace in ordinary server logs, so there is no way to tell whether a given server’s private keys, session cookies or passwords were ever read. Users are therefore recommended to treat credentials that passed through an affected server as exposed and to change them once the server has been patched.

Companies running an affected release (OpenSSL 1.0.1 through 1.0.1f; the 0.9.8 and 1.0.0 branches do not include the heartbeat code and are not affected) are recommended to upgrade to version 1.0.1g, or, where an immediate upgrade is impossible, to rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS as the advisory suggests, and then to restart every process that has the library loaded, since a running server keeps using the old copy until it is restarted. Only once the fixed library is in use should they create a new private key, generate a certificate request, purchase a new certificate from their CA (certificate authority) and revoke the old one; rekeying a still-vulnerable server only exposes the new key. The new keys must be installed for each website supporting SSL/TLS (https: addresses), including any load balancer or other device that terminates TLS in front of the web servers.


Originally published on eWeek.

Todd R. Weiss

Freelance Technology Reporter for TechWeekEurope and eWeek
