'Heartbleed Bug' test update: Akamai says their fix failed - Check websites for safety now
Akamai Technologies Inc., an Internet content delivery network that manages about one-third of the Internet's traffic, released a fix or 'patch' on Friday intended to protect against the critical web security threat, the 'Heartbleed Bug.' It turns out, however, that the patch was not a fix after all.
Akamai's chief security officer, Andy Ellis, wrote on the company's blog Sunday night that although he believed the patch fully fixed the issue, a security researcher found that the solution had a bug, making it a partial, not full, fix.
"In short: we had a bug," Ellis wrote. The chief officer explained that the patch only fixed 3 out of 6 'critical values,' leaving the other 3 unprotected.
Now dubbed one of the worst threats in Internet history, the Heartbleed Bug has security officials scrambling for a fix.
Two years ago, a change made to OpenSSL (an encryption technology designed to protect sensitive data sent across the web) left it susceptible to hackers.
By exploiting the Heartbleed Bug, hackers were able to bypass website security and gain access to usernames, passwords and other sensitive information.
Ellis initially stated on Friday that although Akamai was exposed to the Heartbleed Bug between August 2012 and April 4, 2014, the fix implemented in the company's network meant the bug was no longer a threat.
"As a courtesy to us, we were notified shortly before public disclosure, which gave us enough time to patch our systems," Ellis wrote. "We were asked not to publicly disclose the vulnerability, as doing so would have shortened the window of opportunity for others to fix their systems. Once we were notified, our incident management process governed patching, testing, and deploying the fix to our network safely."
The announcement came over the weekend, just before security researcher Willem Pinckaers wrote in his own blog post that the OpenSSL fix Akamai previously implemented did not completely fix the problem.
"This patch does not, on its own, protect against private key disclosure through Heartbleed," Pinckaers told Akamai customers. "This means your certificates on Akamai servers need to be rotated, and anything sent before then is vulnerable to Heartbleed compromise. If you send customer passwords to Akamai, you should ask your customers to change their passwords again. They'll enjoy that."
CNET reports that Akamai is now working on another fix for the critical security issue.