
April 9th, 2014

Heartbleed affects much of internet. Time to change your passwords again.

The security community is buzzing with news of a threat called Heartbleed. The bug reportedly affects nearly two-thirds of all websites, including Yahoo Mail, OKCupid, WeTransfer, and others. The bug takes advantage of a vulnerability in OpenSSL, an open-source implementation of the SSL/TLS protocol used to encrypt vast portions of the web. It allows cybercrooks to steal encryption keys, usernames and passwords, financial data and other sensitive data they have no right to.

In a blog post to their users, Tumblr described it this way,

…that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.

The latest version of OpenSSL fixes the problem and websites are already upgrading.

However, your popular social site, your company’s site, commerce site, hobby site, sites you download software from or even sites run by your government might be using vulnerable OpenSSL, warns Codenomicon on their site about Heartbleed. GitHub compiled a list of sites that are vulnerable, but some may have already been updated. AVAST’s website is safe from the Heartbleed threat.

You can check a site’s vulnerability status at the Heartbleed test site, which lets users enter domains. If a site comes back as an “uh-oh” but doesn’t say “heartbleed”, then there may be something else wrong, but it’s not Heartbleed. Update: AVAST’s COO, Ondrej Vlcek, recommends this checker: https://www.ssllabs.com/ssltest/analyze.html.

What can you do?

The best advice is to stay away from affected sites for a while. In their report on Heartbleed, Tor advises, “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”

You need to change your passwords for any vulnerable sites as well. Once affected sites start making the updates, they will most likely advise their customers to change their passwords. Earlier today, Tumblr sent their users a note encouraging them to change passwords to all their online accounts immediately.

“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr said on their blog.

We have written tips about creating strong passwords in the avast! blog. Read “My password was stolen. What do I do now?” as a reminder.
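The checkers linked above combine a few signals into a verdict: which OpenSSL version a server reports (if any), whether its certificate was issued before the bug became public, and, for the password advice, whether the site has already applied the fix. The following script is an added example, not Avast’s, LastPass’s or SSL Labs’ code; it reproduces that triage logic offline from constructed records, so nothing is sent to any server. The affected OpenSSL range (1.0.1 through 1.0.1f plus 1.0.2-beta1, fixed in 1.0.1g) and the 7 April 2014 disclosure date are public facts; the site names, dates and patch times in the samples are made up, and the `assess` output format is this example’s own, modelled loosely on the checker reports quoted in the comments below. It also encodes the point made in the article’s advice (and in the first comment): a password changed before the site was patched is as exposed as the old one and must be changed again afterwards.

```python
"""Offline Heartbleed exposure triage (added example, not vendor code).

Inputs a defender can gather without probing a server: the OpenSSL
version it advertises (None if unknown), the certificate's NotBefore
date, when the site patched, and when the user last changed the password.
All sample records at the bottom are constructed.
"""
import re
from datetime import datetime, timezone

# Public disclosure of the Heartbleed bug: 7 April 2014.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Matches strings like "1.0.1f", "1.0.1", "0.9.8y", "1.0.2-beta1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def openssl_version_vulnerable(version):
    """True if the OpenSSL version string falls in the affected range.

    Affected: 1.0.1 up to and including 1.0.1f, and 1.0.2-beta1.
    Fixed in 1.0.1g and 1.0.2-beta2; the 1.0.0 and 0.9.8 branches never
    had the TLS heartbeat code and are unaffected.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"          # "" (plain 1.0.1) through "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"
    return False


def certificate_needs_reissue(not_before):
    """A certificate issued before disclosure may have had its private key
    read from a vulnerable server's memory, so it should be reissued and the
    old one revoked. One issued after disclosure was presumably cut post-fix."""
    return not_before < DISCLOSURE


def password_change_needed(last_changed, patched_at):
    """A password set while the site was still vulnerable is as exposed as
    the old one; only a change made after the patch counts."""
    if patched_at is None:
        return True
    return last_changed is None or last_changed < patched_at


def assess(site):
    """Combine the signals into a checker-style report for one site."""
    version = site.get("openssl_version")
    if version is None:
        was_vulnerable = "unknown"   # server does not expose a version
    elif openssl_version_vulnerable(version):
        was_vulnerable = "yes"
    else:
        was_vulnerable = "no"
    cert = "reissue" if certificate_needs_reissue(site["cert_not_before"]) else "ok"
    patched_at = site.get("patched_at")
    if was_vulnerable == "no":
        advice = "no action needed for this site"
    elif patched_at is None:
        advice = "wait for the fix, then change your password"
    elif password_change_needed(site.get("password_changed_at"), patched_at):
        advice = "change your password now (site is patched)"
    else:
        advice = "password already changed after the fix"
    return {"site": site["site"], "was_vulnerable": was_vulnerable,
            "certificate": cert, "advice": advice}


# Constructed sample records: hypothetical hosts, illustrative dates.
SAMPLES = [
    {"site": "blog.example.com", "openssl_version": "1.0.1e",
     "cert_not_before": datetime(2013, 7, 2, tzinfo=timezone.utc),
     "patched_at": datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc),
     "password_changed_at": datetime(2014, 4, 8, 9, 0, tzinfo=timezone.utc)},
    {"site": "forum.example.com", "openssl_version": None,
     "cert_not_before": datetime(2013, 7, 2, tzinfo=timezone.utc),
     "patched_at": None, "password_changed_at": None},
    {"site": "shop.example.com", "openssl_version": "1.0.1g",
     "cert_not_before": datetime(2014, 4, 9, tzinfo=timezone.utc),
     "patched_at": datetime(2014, 4, 8, tzinfo=timezone.utc),
     "password_changed_at": None},
]


def triage_all(sites=SAMPLES):
    """Assess every record; returns a list of report dicts."""
    return [assess(s) for s in sites]


if __name__ == "__main__":
    for report in triage_all():
        print(report)
```

The first sample shows the trap from the comments: the password was changed at 09:00 on 8 April but the site only patched at 12:00, so the script still says to change it again. A server that reports no version (second sample) stays “unknown” rather than being declared safe, which is the same caution the LastPass report in the comments expresses.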

  1. waking
    April 10th, 2014 at 02:36 | #1

    Advising people to change their passwords to a site before
    the vulnerability at that site has been patched provides
    scant guarantee of security. While the vulnerability still
    exists at that site new passwords are just as much at risk
    as old passwords.

    Changing passwords *after* the vulnerability has been closed
    is the best safeguard.

    • April 10th, 2014 at 20:54 | #2

      You are right. If a provider suggests that you change your password, as Tumblr did, it should be done immediately. Otherwise, you would be prudent to wait a few days.

  2. gregorio
    April 12th, 2014 at 05:08 | #3

    Deborah, I found no direct information whether Avast’s web servers were OK.
    Here’s the results of using the LastPass test, 22:30 EST, 11 Apr 2014:
    /LastPass Heartbleed checker

    WARNING: forum.avast.com was confirmed as vulnerable either publicly via statement or on 4/8/2014 LINK

    Site: forum.avast.com
    Server software: ASW
    Was vulnerable: Possibly (might use OpenSSL, but we can’t tell)
    SSL Certificate: Possibly Unsafe (created 9 months ago at Jul 2 00:00:00 2013 GMT)
    Assessment: It’s not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.
    //
    WARNING: blog.avast.com was confirmed as vulnerable either publicly via statement or on 4/8/2014 LINK

    Site: blog.avast.com
    Server software: nginx
    Was vulnerable: Probably (known use OpenSSL, but might be using a safe version)
    SSL Certificate: Possibly Unsafe (created 9 months ago at Jul 2 00:00:00 2013 GMT)
    Assessment: It’s not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.
    /End of results
    Deborah, if you could, can you check and update your post here or add link to where Avast has made any public statement?

  3. gregorio
    April 12th, 2014 at 05:28 | #4

    Deborah, I did see the line above in your blog:
    “AVAST’s website is safe from the Heartbleed threat.”
    But that statement does not explain why Avast is still being reported by others as vulnerable: Probably vulnerable by LastPass, but McAfee and Github say not vulnerable. Maybe something to explain LastPass results.

    • April 12th, 2014 at 18:08 | #5

      Thank you for your question, Gregorio. Ondrej Vlcek, AVAST’s COO, has confirmed that it was fixed immediately. “All our servers are fine,” he added.

      He also mentioned that the LastPass Heartbleed checker that you referenced uses outdated information. He suggests a much better checker: https://www.ssllabs.com/ssltest/analyze.html
