The Heartbleed storm is still in full force. A week after the initial disclosure of the critical flaw in OpenSSL, a new threat dubbed Reverse Heartbleed has also been identified, and many vulnerable sites and applications are still scrambling to patch and update.
Last Thursday, Netskope—a cloud app analytics company—released a list of which enterprise cloud apps were susceptible to Heartbleed 48 hours after the news broke and found at least 100 enterprise cloud apps remained vulnerable at that time. That number has dropped by half since then.
The list of apps still vulnerable to Heartbleed includes popular services like Disqus, ShareThis, WebCRM, and The Pirate Bay. Netskope provides some basic guidance for affected sites, services, and apps. If you haven’t already done so, here is what you should do to remediate the Heartbleed threat:
1. Upgrade to OpenSSL version 1.0.1g, or patch your system with a build of OpenSSL compiled with -DOPENSSL_NO_HEARTBEATS, which disables the heartbeat extension.
2. Revoke and reissue all certificates. Ensure the new certificates use newly generated keys, not the old key pairs.
3. Alert users to the vulnerability and the remediation steps.
4. Have users change their passwords after the above steps have been completed.
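As an added example (not from the article, and not Netskope's tooling), here is a small Python helper for triaging step 1: it parses an "openssl version" banner and reports whether the version number falls in the Heartbleed-affected range. The sample banners are constructed; the caveat in the docstring about backported distribution patches is the important part.

```python
import re
import ssl

# Affected range per the OpenSSL advisory: 1.0.1 through 1.0.1f (fixed in
# 1.0.1g) plus the 1.0.2-beta1 prerelease. 1.0.0 and 0.9.8 never contained
# the TLS heartbeat extension and are not affected.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1f 6 Jan 2014'
    into (major, minor, fix, letter, prerelease). Returns None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def is_heartbleed_vulnerable_version(banner):
    """True if the version number is in the affected range, False if not,
    None if the banner is not an OpenSSL banner (e.g. LibreSSL).

    Caveat: this is a version-number check only. Distributions that backported
    the fix (a patched 1.0.1e package, for instance) still report the old
    version, and a build compiled with -DOPENSSL_NO_HEARTBEATS is safe
    regardless of version. Treat True as "needs verification", not proof.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # Plain 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g+ are fixed.
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return pre == "beta1"
    return False


def local_runtime_status():
    """Report the OpenSSL build Python's ssl module was linked against."""
    banner = ssl.OPENSSL_VERSION
    return banner, is_heartbleed_vulnerable_version(banner)
```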
At least one major certificate authority is making it easier for customers to revoke and reissue certificates. Entrust is enabling customers to revoke potentially compromised certificates and create new ones for free.
The crucial part of that last step is that users should only bother changing their passwords AFTER the necessary updates have been made. Changing passwords while the site or service is still vulnerable to Heartbleed just exposes the new password to the same risk, and arguably a greater one, since attackers are now aware of the OpenSSL flaw and are more likely to be targeting vulnerable sites.
Netskope is actively monitoring the vulnerable apps, and updating its count daily as vendors get the necessary patches applied. Check out the Netskope blog post to see if the apps you use are on the list, and keep track of when they’re once again safe to use.