Amazon Web Services has rolled out fixes for several of its online services to address the “Heartbleed” vulnerability that has roiled the Internet this week with reports that hackers can use the flaw to access account information and passwords.
It’s one of many technology companies that have been scrambling to roll out updates to fix the vulnerabilities disclosed earlier this week in the OpenSSL cryptographic library that’s used to secure large amounts of data on the web.
Google, Facebook and Yahoo are among the companies also saying that they’ve rolled out fixes. Microsoft says it’s monitoring the issue and will deploy its own fixes as needed.
In a message this morning, security software firm Symantec gave this guidance for Internet users and businesses.
For businesses:
- Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile openSSL without the heartbeat extension.
- Businesses should also replace the certificate on their web server after moving to a fixed version of openSSL.
- Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory.
For consumers:
- Should be aware their data could have been seen by a third party if they used a vulnerable service provider
- Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so
- Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
Image via Codenomicon.
