Change Your Passwords Post-Heartbleed

The much-covered Heartbleed vulnerability in OpenSSL has been detected, exploited, patched, and fixed on every major website by now, so it’s the perfect time to change your passwords.

Heartbleed is a security bug in OpenSSL’s implementation of the Transport Layer Security (TLS) protocol, specifically in its heartbeat extension. The defect permitted up to 64 kilobytes of memory on an affected server to be read with each heartbeat. Worse, the bug was disclosed before many servers could be patched, leaving a window in which some level of exploitation was possible.
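As an added illustration that is not part of the original post, the following Python models the heartbeat length check that the OpenSSL fix introduced, using constructed records and a constructed stand-in for the memory adjacent to the record buffer; the record layout follows RFC 6520 and the discard condition mirrors the patched code.

```python
"""Heartbeat record handling: the unchecked length (pre-patch) beside the
bounds-checked version (post-patch). Constructed data only, no network."""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever happens to sit after the record buffer
# in the server process (the memory Heartbleed could return to the peer).
FAKE_HEAP = b"cookie=SESSION123; password=hunter2; " * 4


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Build a heartbeat record. claimed_len may disagree with len(payload);
    that mismatch is exactly what the vulnerable code failed to check."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def respond_unchecked(record: bytes) -> bytes:
    """Pre-patch behaviour: trusts payload_length and copies that many bytes
    starting at the payload, running past the record into FAKE_HEAP."""
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return b""
    memory = record + FAKE_HEAP          # record buffer followed by adjacent memory
    payload = memory[3:3 + payload_len]  # never compared with the real record length
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def respond_checked(record: bytes) -> Optional[bytes]:
    """Post-patch behaviour: drop the record unless type + length + payload +
    padding all fit inside the bytes actually received."""
    if len(record) < 3:
        return None
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        return None  # silently discard, as the fixed OpenSSL does
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN
```

The checked version answers only a record whose claimed length is consistent with what arrived, so a claim of thousands of bytes backed by a five-byte payload yields no reply at all.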

It is therefore prudent to assume that at least one of your passwords may have been compromised by Heartbleed. The most widely recommended course of action is to change all of your passwords on all websites once the patch is applied to them. At this point, all major and nearly all minor sites will have the appropriate fixes in place. So take the time to change and memorize a new set of passwords now, if you haven’t already done so.

Conveniently, there is a handy test you can run on any URL to verify that it is no longer vulnerable to Heartbleed.

Emergency Update for Adobe Flash

In response to two zero-day vulnerabilities, Adobe has released out-of-band emergency updates for their Flash Player.

Since last fall, Flash has formally been on a regular update schedule like many large software projects, but InfoWorld reports that this emergency fix is the first out-of-schedule patch since that schedule was established. Adobe rates the update “critical” because the vulnerabilities it fixes are being actively exploited in the wild on both Windows and Mac OS X.

CNET also has an article about this update, and includes a convenient list of recommendations for end users.

Oracle Java Patch Released

Oracle has released a Java patch to address the major vulnerability reported a few days ago. Everyone is strongly recommended to install the update.

Sophos’ Naked Security blog offers this article that includes information about the vulnerability and the patch.

Oracle’s page for the patch, Java 7 Update 11, includes technical details of the fixes for this and another vulnerability. Downloads for the latest version of Java, including this update, are located at java.com.