
Heartbleed is a software bug in the open-source cryptography library OpenSSL that allows an attacker to read the memory of a server or a client: with specially forged packets, the attacker can read (small) portions of the victim's memory. This could expose some data, potentially including confidential data.

Heartbleed.com has a detailed explanation of the issue, which is related to the “heartbeat” section of OpenSSL’s Transport Layer Security (TLS) protocols; it has been in the wild since March 2012 and affects all versions from OpenSSL 1.0.1 through 1.0.1f.

If you run services with SSL, you need to upgrade the OpenSSL binaries; you also have to change your passwords (or your certificates) if you are using (or have used) affected services (see also The Heartbleed Hit List: The Passwords You Need to Change Right Now).

On the Microsoft side, it seems that no service or product is affected. This is the official announcement:

“After a thorough investigation, Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, along with most Microsoft Services, are not impacted by the OpenSSL “Heartbleed” vulnerability. Windows’ implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections.”

More information about Microsoft Azure is available on this site: Information on Microsoft Azure and Heartbleed.

Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. For this reason, Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.

But of course customers running Linux images in Azure Virtual Machines, or software which uses OpenSSL, may be affected.
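A quick way to triage such a Linux image, as an added example that is not part of the original post: the function below classifies `openssl version -a` output against the 1.0.1 through 1.0.1f range given above. The function name and sample strings are constructed for illustration; because distributions often backport the fix without changing the version letter, an `in-range` result means "check the package changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the original post): classify `openssl version -a`
# output against the range the post gives, OpenSSL 1.0.1 through 1.0.1f.

# Prints: in-range | heartbeat-disabled | out-of-range | unknown
heartbleed_status() {
    text=$1
    # The version line looks like "OpenSSL 1.0.1e 11 Feb 2013".
    ver=$(printf '%s\n' "$text" |
          sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return; }

    base=${ver%%-*}        # drop vendor suffixes such as "-fips"
    case $base in
        1.0.1|1.0.1[a-f]) ;;                 # range named in the post
        *) echo out-of-range; return ;;
    esac

    # A build compiled with -DOPENSSL_NO_HEARTBEATS has no heartbeat code.
    case $text in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeat-disabled ;;
        *) echo in-range ;;
    esac
}

# Constructed sample output, for illustration only.
SAMPLE_NO_HB='OpenSSL 1.0.1f 6 Jan 2014
built on: Tue Apr  8 00:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'

heartbleed_status 'OpenSSL 1.0.1e-fips 11 Feb 2013'   # constructed input
heartbleed_status "$SAMPLE_NO_HB"
heartbleed_status 'OpenSSL 1.0.1g 7 Apr 2014'         # constructed input

# Check the local binary when one is installed.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version -a 2>/dev/null)"
fi
```

Statically linked applications and appliances carry their own OpenSSL copy, so the system binary's version does not cover them.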

For third-party tools or drivers, you have to verify with the vendor, as something could be affected. This was the case, for example, with the Juniper VPN (see Microsoft patches Heartbleed in Windows 8.1 VPN client).


Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-24. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-23. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.