Microsoft: Azure? Windows? Heartbleed? No way, maybe if you're using Linux
You will have heard by now that a major vulnerability in the OpenSSL library was just made public. Called Heartbleed, it affects the security of a huge number of cloud services and sites, as well as various products, such as operating systems and apps, that have used the library during the past two years. The impact can be devastating, as there is no way of telling whether Heartbleed was exploited, or how much data may have been stolen so far.
A number of companies have already announced the patching of their OpenSSL-toting services and products. Google was among the first to do so, yesterday. Evernote, however, just revealed that its users are not affected. Microsoft has also decided to shed light on whether Heartbleed impacts its users, saying that Windows Azure, Microsoft account, and Windows are immune.
That is good news, as Microsoft's products are used by billions of people, and the potential damage would have been difficult to contain. "Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability", says the software giant. "Windows' implementation of SSL/TLS was also not impacted".
The reason is that the aforementioned products use a different implementation to handle SSL connections. "Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections", adds the company. "Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability".
The software giant warns that customers running Linux in Windows Azure may be exposed, as Linux distributions rely on OpenSSL. Microsoft is advising them to consult their distribution's provider for information on how to patch Heartbleed.