Google Patches ‘Heartbleed’ Vulnerabilities In Apps, Services

Google said it has patched services including Search, Gmail, YouTube and Google Wallet in response to the Heartbleed flaw alert

Google has patched some of its key user services in response to the Heartbleed security vulnerability, including updates to Search, Gmail, YouTube, Wallet, Google Play and App Engine, but some other services are still in the process of receiving patches.

The patch updates were announced by Matthew O’Connor, a Google product manager, in a 9 April post on the Google Online Security Blog.


Data theft risk

“You may have heard of ‘Heartbleed’, a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption,” wrote O’Connor. “We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this – and encourage others to report them – so that we can fix software flaws before they are exploited.”

Android users are not affected by the vulnerability, known as CVE-2014-0160, unless they are using Android 4.1.1, wrote O’Connor. Patching information for Android 4.1.1 to fix its flaws is being distributed to Android partners, he added.

Other Google services are also affected, including Google Cloud SQL, Google Compute Engine and Google Search Appliances, wrote O’Connor.

“We are currently patching Cloud SQL, with the patch rolling out to all instances [on 9 and 10 April],” he wrote. “In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find instructions here.”

For Google Compute Engine, “Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL,” he wrote. “Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions here.”

Broad impact

An update for Google Search Appliance users will soon be on the way, he wrote. “Engineers are working on a patch. The GSA team is finalising their analysis and will post an update for customers within 24 hours via the Google Enterprise Support Portal.”

The Heartbleed encryption vulnerability is perhaps the most serious Internet security flaw in recent memory, affecting hundreds of millions of people, according to an earlier eWEEK report. The Heartbleed flaw is found within OpenSSL, an open-source cryptographic library used for the Secure Sockets Layer (SSL), which is widely deployed on Linux servers and Internet infrastructure around the world.

The original OpenSSL advisory, issued on 7 April, did not refer to the flaw as “Heartbleed” but described it as a flaw in OpenSSL’s “Heartbeat” extension. Heartbeat refers to the connection-monitoring (keep-alive) function that the extension provides within OpenSSL.

The OpenSSL Project issued a fix almost immediately and passed it on to Linux distributors as an update. Because the vulnerability had been present for two years, users are advised to change their security credentials.

Companies are recommended to upgrade their OpenSSL library to version 1.0.1g and create a new private key, generate a certificate request and purchase a new certificate from their CA (certificate authority). The new keys must be installed for each website supporting SSL/TLS (https: addresses).
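As an added example (not code from the article, from Google or from the OpenSSL Project), a POSIX shell sketch of the checks behind the Compute Engine advice and the upgrade-and-reissue steps above: classifying an `openssl version` string against the affected releases, finding processes that still map the pre-upgrade libssl (the reason each instance has to be rebooted), and generating the new key and certificate request. The host name and file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from Google.
# Classifies an `openssl version` string against the Heartbleed-affected
# releases (1.0.1 to 1.0.1f and 1.0.2-beta1; 1.0.1g is the fix), then
# provides the two follow-up checks an operator runs on a patched host.

# Prints vulnerable, fixed, unaffected or unknown for a string such as
# "OpenSSL 1.0.1e 11 Feb 2013". Caveat: distributions often backport the
# fix without changing the version number, so "vulnerable" here means
# "check the package changelog", not proof of exposure.
heartbleed_status() {
    ver=${1#OpenSSL }        # drop the leading "OpenSSL " if present
    ver=${ver%% *}           # drop the build date
    case "$ver" in
        1.0.1 | 1.0.1[a-f]* | 1.0.2-beta1*)          echo vulnerable ;;
        1.0.1[g-z]* | 1.0.2* | 1.[1-9]* | [2-9].*)   echo fixed ;;
        1.0.0* | 0.9.8*)   echo unaffected ;;   # no heartbeat extension
        *)                 echo unknown ;;
    esac
}

# After the package upgrade, list processes still mapping the old, now
# deleted libssl; they keep running the vulnerable code until restarted,
# which is why the article says to reboot each instance after updating.
# Linux only; reading other users' /proc/<pid>/maps needs root.
stale_libssl_users() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        if grep -q 'libssl.*(deleted)' "$m" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# New private key and CSR for the re-issued certificate (host name and
# file names are placeholders). Install the CA-issued certificate with
# the new key, then revoke the old certificate, since its key may have leaked.
new_key_and_csr() {
    host=$1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$host.key" -out "$host.csr" &&
        chmod 600 "$host.key"
}

# Stand-alone run: classify the OpenSSL installed on this host.
heartbleed_status "$(openssl version 2>/dev/null)"
```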


Originally published on eWeek.