Google stops the hemorrhaging -- patches OpenSSL Heartbleed bug
The Heartbleed bug is quite the devastating blow to computer security. The OpenSSL failure has the unfortunate effect of lowering computer users' confidence in SSL. However, the mistrust in SSL is misplaced, as only the OpenSSL implementation is affected. No matter, though: the damage is done, and the flaw has been available for exploit since 2011.
When the news of the flaw was announced, many people's attention turned to Google. No, the company is not the cause of the bug, but since it controls such a huge part of the Internet, people hoped that its services were unaffected. Sorry, people, Google was affected too. However, the company was also quick to patch, announcing the details today.
"You may have heard of 'Heartbleed', a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this -- and encourage others to report them -- so that that we can fix software flaws before they are exploited", says Matthew O'Connor, Product Manager, Google.
O'Connor provides the following information to Google Cloud Platform or Google Search Appliance customers:
Cloud SQL -- We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find instructions here.
Google Compute Engine -- Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions here.
Google Search Appliance (GSA) -- Engineers are working on a patch. The GSA team is finalizing their analysis and will post an update for customers within 24 hours via the Google Enterprise Support Portal.
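The Compute Engine guidance above asks for a reboot because a process that loaded the old library keeps it mapped in memory after the package is upgraded. As an added example (not from Google or the original article), this Python script lists processes that still map a replaced libssl or libcrypto by reading Linux `/proc/<pid>/maps`; the sample maps text and its paths are constructed for illustration.

```python
"""List processes still mapping a replaced libssl/libcrypto (Linux /proc)."""
import os
import re

# After an upgrade the old file is unlinked, so the kernel marks the mapping
# of any process still using it with a trailing " (deleted)".
_STALE = re.compile(r"(\S*/lib(?:ssl|crypto)\.so[^/\s]*) \(deleted\)$")

# Constructed sample of one process's maps file (paths are illustrative).
SAMPLE_MAPS = """\
00400000-004a1000 r-xp 00000000 08:01 393241   /usr/sbin/nginx
7f3b1c000000-7f3b1c055000 r-xp 00000000 08:01 131589   /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3b1c255000-7f3b1c258000 r--p 00055000 08:01 131589   /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3b1c400000-7f3b1c5b0000 r-xp 00000000 08:01 131577   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3b1c800000-7f3b1c9b8000 r-xp 00000000 08:01 131201   /lib/x86_64-linux-gnu/libc.so.6
7f3b1ca00000-7f3b1ca40000 r-xp 00000000 08:01 131999   /usr/lib/x86_64-linux-gnu/libssl3.so (deleted)
"""


def stale_openssl_maps(maps_text):
    """Return the sorted, de-duplicated stale OpenSSL library paths in one maps file."""
    found = set()
    for line in maps_text.splitlines():
        match = _STALE.search(line.rstrip())
        if match:
            found.add(match.group(1))
    return sorted(found)


def scan(proc_root="/proc"):
    """Map pid -> stale OpenSSL libraries for every process whose maps is readable."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():  # skip /proc/self, /proc/sys, ...
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as handle:
                stale = stale_openssl_maps(handle.read())
        except OSError:  # process exited, or we lack permission to read it
            continue
        if stale:
            report[int(entry)] = stale
    return report


if __name__ == "__main__":
    for pid, libs in sorted(scan().items()):
        print(pid, ", ".join(libs))
```

Run it as root so every process's maps file is readable; an empty result after the reboot means no process is still using the replaced library. Statically linked binaries never appear here, so they have to be rebuilt or replaced rather than restarted.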
Unfortunately, Android did not escape unscathed, but close to it. You see, the most current versions of the operating system (4.2, 4.3, 4.4) are totally protected. However, users still running Android 4.1.1 are susceptible. Sadly, this highlights the fragmentation dilemma, where users are often at the mercy of cell providers for updates. While Google says it is working with partners on patches, users probably shouldn't hold their breath.
Of course, Google should be commended on its swift action -- being transparent and quickly patching where they can. Most importantly, millions of Gmail users can breathe a collective sigh of relief. Ahhhhhhhhhh.
Are you pleased with Google's quick response? Do you feel safer? Tell me in the comments.