Heart bleed bug update: Smartphones running on Android Jelly Bean 4.1.1 affected


According to Google, all Android versions are immune to the Heartbleed bug-- except for Jelly Bean 4.1.1.

Google calls the Jelly Bean vulnerability a "limited exception" on its blog, with less than 10% of active devices using Android version 4.1.1. But with over 900 million Android devices activated worldwide, this means tens of millions of users are affected by the OpenSSL flaw.

Jelly Bean, the most popular version of Android, was originally released in July 2012. There were several versions released through October 2013, extending from 4.1 to 4.3.1. Only version 4.1.1 is vulnerable to Heartbleed, and "patching information" is being distributed to wireless carriers and phone manufacturers. Android software update responsibilities are passed to these Android partners, slowing down the process.

To see which Android version your phone is using, go to "Settings," then select "About phone." Mobile protection app Lookout also allows users to see if their Android version is vulnerable.

Nicknamed "Heartbleed," the "bug" is actually a weakness in OpenSSL's cryptographic software that makes SSL/TLS encryption backfire on computer users. The "https" protocol that is supposed to identify a secure website is actually a signal to hackers that the site is vulnerable to cyber attack. The hackers can then trick a computer's server into sending data stored in its memory.

Google security researcher Neel Mehta was the first to discover Heartbleed, and the weakness was confirmed by internet security firm Codenomicon. Alarmingly, researchers found that the Heartbleed flaw has been in OpenSSL for two years. It is unknown if attacks have been carried out, because exploiting the software loophole leaves no trace.

To end Heartbleed's hold on the server, vendors and service providers must adopt the Fixed OpenSSL software, which was released Monday.

"Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users," Codenomicon instructs. "Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.