Security Blog

The latest news and insights from Google on security and safety on the Internet

Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug)

April 9, 2014
Google

36 comments:

Unknown said…

What about the older mini Google Search Appliances (GSA)? Is there a patch being worked on for these as well?

April 9, 2014 at 14:56
Moon said…

So to put this in a way that the average person would understand and be concerned about, would it be recommended that any Google/Gmail users change their current passwords?

April 9, 2014 at 15:09
Anonymous said…

News articles on Heartbleed are suggesting users change their passwords at sites that have patched this vulnerability. Is Google recommending Google Apps and other users change their account passwords?

April 9, 2014 at 15:54
Emelia said…

Can you tell us when Gmail, Wallet, search and other key services were patched?

April 9, 2014 at 16:34
FlickMontana said…

How do we know your SSL certificates aren't compromised? Did you replace them after patching? The certificate for mail.google.com says it was issued on April 2, and Heartbleed wasn't announced to the public until the 8th.

April 10, 2014 at 05:29
Unknown said…

In addition to patching OpenSSL, can you confirm if you've acquired new certificates, generated and deployed new SSL keys, and revoked old keys and certs?

April 10, 2014 at 08:21
Unknown said…

Do I have to change my password?

April 10, 2014 at 08:31
ef4897 said…

Are SMTP and POP now safe? I use them to read my gmail but I've been holding off.

Also, can you tell me if gmail was updated by around Tuesday at 8pm UTC time (around 1pm Pacific)? That's when I changed my password, and I'm wondering if I need to do it yet again.

Thank you!

I posted this on the uk site also before finding this one. Sorry for double-posting.

April 10, 2014 at 12:53
Anonymous said…

A recent ABC News article quotes an email from Google saying that users do not need to change their passwords.

Is that Google's official word on the matter? I've had a hard time finding an official statement on your site.

April 10, 2014 at 12:53
Anonymous said…

Heartbleed was publicly announced recently. If Google's SSL implementation was vulnerable at ANY point, passwords could have been captured. There is no indication that this vulnerability was not privately known prior to the public announcement. Would it not be prudent to change your passwords, regardless?

Cyber Security Professional

April 10, 2014 at 14:30
Unknown said…

Changing your passwords before a service is patched (fixed) is kinda pointless. You would be better off waiting until the services you use are fixed. I'm giving it a week or so before I go change my passwords. Meanwhile I will not be logging on to any services that have payment details linked to them. It is quite possible that the hacking community (yeah, they like to call themselves a community) did not learn of this vulnerability. If they had they would have exploited it heavily and it would probably have been detected much sooner. Much in the same way that if thieves kept stealing your stuff all the time you would probably soon realise that you had left the back door open. Now that the cat is out of the bag however, thieves and hackers (same thing?) have a short window of opportunity to exploit this vulnerability before the door is slammed shut.

April 10, 2014 at 15:53
Darrell Hixon said…

So after you patch all your systems only then you should inform the users to change their passwords. Until then a user changing his account passwords is basically a waste of time!

April 10, 2014 at 20:00
Dave W said…

@Blair Mansell - the Mini is not affected by this, as it has an older version of OpenSSL. The exploit only affects OpenSSL 1.0.1a through 1.0.1f.

April 10, 2014 at 21:16
Unknown said…

Even if Google say that it is safe and you totally trust them, do you want to take that risk anyway?

According to the public website providing a lot of information (http://heartbleed.com/) there's no way to detect such attacks, and knowing the bug has been there for the last two years, well, you should totally change your passwords whatever Google, Facebook or Microsoft tell you, but there is no point in changing them if the service/website is not patched yet.

April 11, 2014 at 02:40
patrick said…

I have to agree with the post from 'Cyber Security Professional'.
Just change your passwords. It is the only way you will be able to stop worrying about it. It sure is a hassle to change all my passwords, but still way less of a hassle than trying to recover from identity theft.

April 11, 2014 at 07:46
Alexander said…

Google stock Android 4.3 seems to be affected, too...
Heartbleed Detector App detects OpenSSL version 1.0.1e and warns that it is affected by the bug!
Running on Galaxy Nexus / Baseband version I9250XXLJ1 / Kernel version 3.0.72-gfb3c9ac / Build number JWR66Y

April 11, 2014 at 14:10
HikingMike said…

I also saw the quote from Google on the ABC News article saying "They later added to their statement saying that, "The security of our users' information is a top priority. We fixed this bug early and Google users do not need to change their passwords." "

Now come on. All of us just read about this bug. We know Google used OpenSSL, and apparently the versions that were vulnerable since they said they applied patches, and if we logged in during the vulnerable period then our password is at risk. If there was an exploit running (well we know there were exploits from the proofs of concept, just don't know if there were big ones), then our passwords could be in someone's hands. And less likely but maybe more scary, if someone is storing net traffic and was able to get the certificates as Codenomicon says they were able to do, then lots of our previous communication (and password) could be decrypted.

Maybe Google wants to wait until they know everything needed is patched before asking users to change their passwords. If so, it would be nice to tell us that.

Or, if Google really thinks the risk is so low that changing passwords is not required, then please tell us that as well and give us reasons.

April 14, 2014 at 10:54
Anonymous said…

Check out http://www.gnupg.org or just go Google :)

April 14, 2014 at 11:37
Anonymous said…

Google has security whitepapers in case you don't notice, they're the specialists when it comes to this I believe. Just read what the blog says.

2 options: http://www.gnupg.org or just go Google since they are implementing countermeasures as well as everyone here obviously :)

April 14, 2014 at 11:43
Unknown said…

Can we have this clarified please? "patching information for Android 4.1.1 is being distributed to Android partners"

I own a MachSpeed Trio stealth G2 tablet, and according to them as of today (4/14/2014) they are still waiting to even hear about a patch..

April 14, 2014 at 12:16
Unknown said…

"All versions of Android are immune" means ALL versions of android of all-of-versions-still-being-maintained-by-google (which is like, only 4+?)

Should 2.3 and such be safe?

April 15, 2014 at 14:34
gender said…

Motorola RAZR MAXX still running on 4.1.2, whose fault is it?

April 15, 2014 at 22:56
Iceking29 said…

As does 4.4.2

April 16, 2014 at 01:46
James R. Barnes said…

Wow, I don't see any update for my Samsung Galaxy S3 yet :'(

April 17, 2014 at 01:57
Anonymous said…

This post lists numerous services that were patched, but it also states "we are still working to patch some other Google services".

Given the amount of time that has passed since the article was written, I would guess that all services have been patched now. That said, confirmation from Google that this is the case would be welcome.

Thank you.

April 17, 2014 at 19:25
Mark Carter, OCT said…

Any chance Google can release a Heartbleed patch app directly to users? Many (most?) device vendors have completely abandoned their devices that are currently running Android 4.1.1 (I'm looking at you, Kobo...)

Google should look at establishing an update service for Android devices that's independent of device vendors, as vendors typically don't take any responsibility for updating their devices once they've got the consumers' cash. Even if such a service only offered device-agnostic security fixes it would be very valuable.

April 18, 2014 at 17:34
Fabio C. Barrionuevo da Luz said…

OpenVPN is also affected by the Heartbleed bug.

see: http://arstechnica.com/security/2014/04/heartbleed-exploited-to-hack-network-with-multifactor-authentication/

April 19, 2014 at 11:30
Icon Process Controls said…

I have been searching for this related stuff for a long time. Now I can solve my problem from here. Thanks for sharing this great post with us.
Chemical Flow Meter

May 2, 2014 at 03:40
alarms said…

Thanks for the information.

June 3, 2014 at 03:38
abou gazy said…

AMIRA MSOD

June 14, 2014 at 18:06
Anonymous said…

Gmail Password reset is a very competitive solution without any detail for any technician, but don't worry, it is not impossible: our technician can reset a Gmail password without any account details -
http://lnkd.in/b4mTKYD

June 18, 2014 at 08:44
Icon Process Controls said…

Great post, but the time is administered for your priority, and this changes every day; of course there are many distractions to waste your time.
The Bag Nag

June 24, 2014 at 01:17
Unknown said…

I would also like to know the status of the Google mini.

July 10, 2014 at 11:07
Unknown said…

@Dave Watts - can you point to any statement from Google that the Google Mini is not affected? My organization's security folks just flagged my mini - I need all the ammunition I can get to resist their urge to block it!

July 10, 2014 at 11:17
Unknown said…

I am impressed by this cyber security post. Today it is very important for all of us to be fully protected from cyber disadvantages. At present it is increasing so highly.

Latest News Article

July 16, 2014 at 05:59
Dave W said…

@Michael Tilley - I don't know if there's a public statement by Google Enterprise about the Google Mini here. But only certain versions of the GSA software are vulnerable. They're the versions that include OpenSSL 1.0.1a through 1.0.1f.

OpenSSL 1.0.1a was released on 19 April 2012, according to the OpenSSL changelog. The latest version of the Mini runs GSA 5 software, which significantly predates that. So, unless Google has time-travel technology, you're safe from this problem with the Mini.

You can easily check the status of an individual server using free tools. I suggest you use one of those.

I wrote an overview post about Heartbleed, with a little bit about the GSA and the testing tools I just mentioned. You can read it here:

http://blog.figleaf.com/2014/04/my-heart-bleeds-for-you-security-wise.html

July 17, 2014 at 11:08
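Dave W's comment above ties exposure to the OpenSSL release range and points at free checking tools. The script below is an added example, not code from the blog post or from any commenter. It classifies the output of `openssl version -a` (the version line plus the `built on:` line) against the affected range published at heartbleed.com, which is OpenSSL 1.0.1 through 1.0.1f inclusive plus the 1.0.2-beta1 pre-release, so it also covers the un-lettered 1.0.1 release; 1.0.1g and 1.0.2-beta2 carry the fix, and 1.0.0 and 0.9.8 never implemented the TLS heartbeat extension. It also carries the caveat that matters for appliances and Linux distributions alike: vendors that backported the fix left the 1.0.1e version string in place, so an affected-looking version string is only conclusive when the binary was built before the fix was published on 7 April 2014; otherwise the vendor advisory or a runtime test has to settle it. The sample outputs are constructed, not captured from real hosts.

```python
import re

# Affected range for CVE-2014-0160, as published at heartbleed.com:
# OpenSSL 1.0.1 through 1.0.1f inclusive, plus the 1.0.2-beta1 pre-release.
# 1.0.1g and 1.0.2-beta2 carry the fix; 1.0.0 and 0.9.8 never implemented
# the TLS heartbeat extension and are not affected. Fix published 7 Apr 2014.
FIX_PUBLISHED = (2014, 4, 7)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")
# "built on:" line as printed by `openssl version -a`, e.g.
# "built on: Mon Apr  7 20:33:29 UTC 2014"
BUILT_RE = re.compile(
    r"built on:\s*[A-Za-z]{3}\s+([A-Za-z]{3})\s+(\d{1,2})\s+[\d:]+\s+(?:[A-Za-z]+\s+)?(\d{4})"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_version(output):
    """Return (major, minor, fix, letter, beta) from `openssl version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def parse_built_on(output):
    """Return (year, month, day) from the `built on:` line, or None if absent."""
    m = BUILT_RE.search(output)
    if not m or m.group(1) not in MONTHS:
        return None
    return int(m.group(3)), MONTHS[m.group(1)], int(m.group(2))


def version_in_affected_range(parsed):
    """True when the upstream release itself shipped the heartbeat bug."""
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) and a..f affected, g+ fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1              # only 1.0.2-beta1 shipped the bug
    return False


def triage(output):
    """Classify `openssl version -a` output as one of:
    'unknown', 'not_affected', 'fixed', 'affected', 'affected_unless_backported'."""
    parsed = parse_version(output)
    if parsed is None:
        return "unknown"
    if (parsed[0], parsed[1], parsed[2]) < (1, 0, 1):
        return "not_affected"         # branch predates the heartbeat extension
    if not version_in_affected_range(parsed):
        return "fixed"
    built = parse_built_on(output)
    if built is not None and built < FIX_PUBLISHED:
        return "affected"             # built before any fix existed
    # Distributions backported the fix without changing the version letter,
    # so an affected version string built on/after the fix date (or with no
    # build date at all) needs the vendor advisory or a runtime test to settle it.
    return "affected_unless_backported"


# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "stock 1.0.1e, old build": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 12 18:11:28 UTC 2013\n",
    "distro 1.0.1e rebuilt on fix day": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\n",
    "plain 1.0.1": "OpenSSL 1.0.1 14 Mar 2012\n",
    "upstream fix": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 22:00:00 UTC 2014\n",
    "pre-heartbeat branch": "OpenSSL 0.9.8y 5 Feb 2013\n",
    "1.0.2 beta": "OpenSSL 1.0.2-beta1 24 Feb 2014\n",
    "not openssl": "LibreSSL 2.0.0\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:34s} -> {triage(out)}")
```

Feed it the real output of `openssl version -a` from the host in question; a result of `affected_unless_backported` is the signal to read the vendor's advisory rather than trust the version string either way, which is exactly the situation the Mini/GSA question in this thread runs into.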
