Vulnerabilities / Threats
4/11/2014
10:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Free Heartbleed-Checker Released for Firefox Browser

Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk

A developer today released a free add-on for Mozilla Firefox that checks websites for vulnerability to the massive Heartbleed flaw. Tom Brennan, founder of ProactiveRISK, says he wrote the tool after getting an overwhelming number of requests from family and friends about how to protect themselves from websites that are vulnerable to Heartbleed. "They just wanted their browser to tell them, like a radar detector," Brennan says. 

The browser plug-in provides color-coding warnings for websites: Red means the site is vulnerable to Heartbleed. Green means it's safe. There's also a yellow warning for sites that may be vulnerable.

"Like a traffic light on the Internet, it is the users' responsibility to be proactive about risk in addition to the sysadmin defender working hard every day to put out the fire of the day," Brennan says.

"The code is open-source and a donation to the community," he says. "And maybe it will stop the phone calls from users asking for suggestions to something they don't control."

A similar tool for Chrome was released yesterday by developer Jamie Hoyle. The Chromebleed Checker add-in for the Chrome browser also warns users of Heartbleed-vulnerable sites.

"Whilst some servers have been patched already, many remain that have not been patched. Chromebleed uses a web service developed by Filippo Valsorda and checks the URL of the page you have just loaded," the Chromebleed description says. "If it is affected by Heartbleed, then a Chrome notification will be displayed."

Valsorda this week released one of the first tools to scan websites for Heartbleed vulnerability. Errata Security did an initial scan this week for vulnerable sites using its masscan tool. Vendors such as Qualys and LastPass have released free website scanners, and there is also a Metasploit module for Heartbleed.

Meanwhile, Apple told news site Recode that IOS and OS X do not use the vulnerable version of SSL and that its "key Web-based services were not affected."

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/14/2014 | 4:18:47 PM
Re: Great tools
Chrome Checker is doing well for me also.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 9:11:54 AM
Re: Different Solutions
I second Ryan's question about where other DR community members are in their remediation efforts for Heartbleed. We've collected some data in our online flash poll (see column on the far right or click here). But so far about 65 percent of respondents have installed or in the process of installing the update and 40 percent are replacing digital certificates. 

If you haven't taken the poll, check it out. And also let's talk about what you are (or aren't doing about it) in the the comments. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/11/2014 | 6:13:59 PM
Different Solutions
These checkers are very nifty. From a corporate standpoint, my company ran vulnerability scans to check and see if any of our servers were running the OpenSSL with the HeartBeat extension. What are other methods people have been using and what steps were taken to remediate?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 10:58:41 AM
Great tools
I just tried the Chromebleed checker. Very cool! Thanks Kelly for reportng this and also to Jamie Hoyle (Chromebleed) and Tom Brennan (Firefox) for developing these tools. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

CVE-2014-3694
Published: 2014-10-29
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and ob...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.