Vulnerabilities / Threats
4/11/2014
10:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Free Heartbleed-Checker Released for Firefox Browser

Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk

A developer today released a free add-on for Mozilla Firefox that checks websites for vulnerability to the massive Heartbleed flaw. Tom Brennan, founder of ProactiveRISK, says he wrote the tool after getting an overwhelming number of requests from family and friends about how to protect themselves from websites that are vulnerable to Heartbleed. "They just wanted their browser to tell them, like a radar detector," Brennan says. 

The browser plug-in provides color-coding warnings for websites: Red means the site is vulnerable to Heartbleed. Green means it's safe. There's also a yellow warning for sites that may be vulnerable.

"Like a traffic light on the Internet, it is the users' responsibility to be proactive about risk in addition to the sysadmin defender working hard every day to put out the fire of the day," Brennan says.

"The code is open-source and a donation to the community," he says. "And maybe it will stop the phone calls from users asking for suggestions to something they don't control."

A similar tool for Chrome was released yesterday by developer Jamie Hoyle. The Chromebleed Checker add-in for the Chrome browser also warns users of Heartbleed-vulnerable sites.

"Whilst some servers have been patched already, many remain that have not been patched. Chromebleed uses a web service developed by Filippo Valsorda and checks the URL of the page you have just loaded," the Chromebleed description says. "If it is affected by Heartbleed, then a Chrome notification will be displayed."

Valsorda this week released one of the first tools to scan websites for Heartbleed vulnerability. Errata Security did an initial scan this week for vulnerable sites using its masscan tool. Vendors such as Qualys and LastPass have released free website scanners, and there is also a Metasploit module for Heartbleed.

Meanwhile, Apple told news site Recode that IOS and OS X do not use the vulnerable version of SSL and that its "key Web-based services were not affected."

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/14/2014 | 4:18:47 PM
Re: Great tools
Chrome Checker is doing well for me also.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 9:11:54 AM
Re: Different Solutions
I second Ryan's question about where other DR community members are in their remediation efforts for Heartbleed. We've collected some data in our online flash poll (see column on the far right or click here). But so far about 65 percent of respondents have installed or in the process of installing the update and 40 percent are replacing digital certificates. 

If you haven't taken the poll, check it out. And also let's talk about what you are (or aren't doing about it) in the the comments. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/11/2014 | 6:13:59 PM
Different Solutions
These checkers are very nifty. From a corporate standpoint, my company ran vulnerability scans to check and see if any of our servers were running the OpenSSL with the HeartBeat extension. What are other methods people have been using and what steps were taken to remediate?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 10:58:41 AM
Great tools
I just tried the Chromebleed checker. Very cool! Thanks Kelly for reportng this and also to Jamie Hoyle (Chromebleed) and Tom Brennan (Firefox) for developing these tools. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.