Vulnerabilities / Threats
4/11/2014
10:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Free Heartbleed-Checker Released for Firefox Browser

Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk

A developer today released a free add-on for Mozilla Firefox that checks websites for vulnerability to the massive Heartbleed flaw. Tom Brennan, founder of ProactiveRISK, says he wrote the tool after getting an overwhelming number of requests from family and friends about how to protect themselves from websites that are vulnerable to Heartbleed. "They just wanted their browser to tell them, like a radar detector," Brennan says. 

The browser plug-in provides color-coding warnings for websites: Red means the site is vulnerable to Heartbleed. Green means it's safe. There's also a yellow warning for sites that may be vulnerable.

"Like a traffic light on the Internet, it is the users' responsibility to be proactive about risk in addition to the sysadmin defender working hard every day to put out the fire of the day," Brennan says.

"The code is open-source and a donation to the community," he says. "And maybe it will stop the phone calls from users asking for suggestions to something they don't control."

A similar tool for Chrome was released yesterday by developer Jamie Hoyle. The Chromebleed Checker add-in for the Chrome browser also warns users of Heartbleed-vulnerable sites.

"Whilst some servers have been patched already, many remain that have not been patched. Chromebleed uses a web service developed by Filippo Valsorda and checks the URL of the page you have just loaded," the Chromebleed description says. "If it is affected by Heartbleed, then a Chrome notification will be displayed."

Valsorda this week released one of the first tools to scan websites for Heartbleed vulnerability. Errata Security did an initial scan this week for vulnerable sites using its masscan tool. Vendors such as Qualys and LastPass have released free website scanners, and there is also a Metasploit module for Heartbleed.

Meanwhile, Apple told news site Recode that IOS and OS X do not use the vulnerable version of SSL and that its "key Web-based services were not affected."

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/14/2014 | 4:18:47 PM
Re: Great tools
Chrome Checker is doing well for me also.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/14/2014 | 9:11:54 AM
Re: Different Solutions
I second Ryan's question about where other DR community members are in their remediation efforts for Heartbleed. We've collected some data in our online flash poll (see column on the far right or click here). But so far about 65 percent of respondents have installed or in the process of installing the update and 40 percent are replacing digital certificates. 

If you haven't taken the poll, check it out. And also let's talk about what you are (or aren't doing about it) in the the comments. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/11/2014 | 6:13:59 PM
Different Solutions
These checkers are very nifty. From a corporate standpoint, my company ran vulnerability scans to check and see if any of our servers were running the OpenSSL with the HeartBeat extension. What are other methods people have been using and what steps were taken to remediate?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 10:58:41 AM
Great tools
I just tried the Chromebleed checker. Very cool! Thanks Kelly for reportng this and also to Jamie Hoyle (Chromebleed) and Tom Brennan (Firefox) for developing these tools. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.