Security researchers have discovered a vulnerability, named the Heartbleed bug, in the OpenSSL encryption library that could allow attackers to access secure information stored in a server’s system memory, including usernames, passwords, and private encryption keys. OpenSSL is used by a large percentage of websites and apps in encrypting information passing between your system and the servers hosting the sites you visit online.
OpenSSL has released an emergency patch, OpenSSL 1.0.0g, to correct the bug. System administrators should apply the update as soon as possible. For more information, see the company’s security advisory at https://www.openssl.org/news/secadv_20140407.txt.
Be aware that many online services and websites are affected by this vulnerability and that users may be asked to change their credentials (passwords and/or usernames). As always, if you receive an email asking you to update your password and/or username, do not click any links in the email. Rather, open a web browser window and navigate to the website directly. Since cyber criminals are aware of this bug, they may take advantage of it by sending out phish emails.
A non-technical description of the Heartbleed bug is available at http://heartbleed.com. For a more technical explanation, please see http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html. You can also read the US Computer Emergency Readiness Team (US-CERT) alert at https://www.us-cert.gov/ncas/alerts/TA14-098A.