Android Patches Heartbleed Related Bug

android

Today Google released a patch for Android, securing a hole related to the “Heartbleed Bug” from earlier this year, on its Nexus line. In addition, this patch also fixed other smaller security issues with the operating system, as well a battery drainage issue when using the camera on these devices. It is currently unknown whether this update will be applied to other Android based devices as well, or if the update is exclusive. This update is currently available for the Nexus 4, 5, 7, and 10. The primary purpose of the update was fixing a library in the OpenSSL (Secure Socket Layer). The cryptographic library referred to as TLS (Transport Layer Security), which is used for encrypting information.

The “Heartbleed Bug” was a security flaw discovered in April of this year, by a Google engineer Neel Mehta and the Codenomicon security firm. It has been called “one of the most serious security problems… ever“. Basically the “Heartbleed Bug” allowed pretty much anyone on the internet to read information stored in the memory of any system utilizing the infected versions of the OpenSSL software. Potentially this flaw could allow hackers to eavesdrop on any communication done over systems with this software, not to mention obtain other secured information like passwords and usernames.

In order to protect themselves from this security flaw, system administrators simply needed to update their systems to a newer version of the OpenSSL software. Unfortunately, this large security flaw was introduced in a version of OpenSSL released just before midnight on December 31, 2011, update 1.0.1 through 1.0.1f were vulnerable. It was not until March 14, 2012 that the OpenSSL version 1.0.1 was released to the wild, and had the most potential for damage. As soon as the security issue was realized the fix, OpenSSL version 1.0.1g was released, and the hole was able to be sealed. Major companies such as Yahoo and Amazon, sent out mass emails that week, informing their users that they should change their passwords immediately. Because of how long the security flaw went unchecked, it is estimated that nearly 17 percent of the Internets most supposedly secure websites had become vulnerable to the flaw, so the reach of “Heartbleed” went far beyond just a few major companies. Soon thereafter Android began releasing patches to secure the systems that had the vulnerability bug related to “Heartbleed”.

As far as Android is concerned, the “Heartbleed Bug” mostly affected Android 4.1.1 Jellybean, which was installed on millions of devices around the world at the time. Many Android users had to wait, as their mobile carrier rolled out the security patches for the devices running the mobile OS(Operating System). The majority of sites and devices, are secure now, however, it is possible that lesser known sites could still carry the security flaw. In addition, little is known about the time before the bug was discovered, because the bug leaves no trace that anything out of the ordinary happened, it is hard to know which sites may have been breached. Androids releasing of a patch that will secure this “Heartbleed” related bug, is coming at a time when security in the digital world is closer to the forefront of people’s minds.

By Phillip Schmidt

Sources:
PC World
Heartbleed
ReadWrite
OpenSSL.org
Bloomberg
Business Insider

Your Thoughts?