A number of companies have begun to issue “all clear” messages in regard to the Heartbleed flaw.
Following an issue regarding Akamai, where it issued an update where it admitted to having a bug where it could protect only three parts of a six-part RSA key, technology vendors have now begun issuing statements where they are stating that they have checked, certified and clarified that there are no issues.
In its statement, Dell said it was “actively investigating” across its entire product base, the extent to which the OpenSSL Heartbleed vulnerability might be present. It confirmed that many of its products were already protected against exploits of this vulnerability, and it was actively closing any remaining issues as quickly as possible. “The security of Dell systems powering Dell.com are not affected by this issue.”
Microsoft said in its statement that after “a thorough investigation”, it determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, and Microsoft Services were not impacted by the vulnerability. “Windows’ implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections.”
Check Point said that as well as its network security products offering multiple protections from the Heartbleed vulnerability, its network security products are not susceptible to Heartbleed exploits as the company utilises a non-vulnerable version of OpenSSL.
Statements and updates have also been issued by companies including Amazon Web Services, Twitter, Yahoo, Ubuntu, Cisco, Juniper, Pinterest, Tumblr, GoDaddy, Flickr, Minecraft, Netflix, Soundcloud, Commonwealth Bank of Australia (main website, not net banking website), CERT Australia website, Instagram, Box, Dropbox, GitHub, IFTTT, OKCupid, Wikipedia,WordPress and Wunderlist.
In an email to IT Security Guru, Steve Durbin, global vice president of the Information Security Forum said that this showed that Heartbleed has done two things: shown that 100 per cent security doesn’t exist, that there will be security failures and you can’t protect everything and encryption will not do it all for you, so plan for cyber resilience; and secondly that trust is essential for good security, despite it being significantly eroded.
He said: “For me, any company that tells me it has found the Heartbleed issue and is dealing with it gets brownie points. They
’re communicating with me, they’re telling me they’re doing something, and if they get it wrong and Heartbleed morphs or we see a son of Heartbleed and they come back and say ‘whoops we’re stuffed again’, for me that’s better than an ominous silence where I’ve no clue if they’ve been hit, have handled it, are in denial or their systems are all over the floor and they’re trying to get them back. “