April 18, 2014 (16:27 PDT): Symantec has posted a new blog written by our Security Response team titled, "Dr. Strangebug, or How I Learned to Stop Worrying and Accept Heartbleed", which offers a new perspective on the recent Heartbleed vulnerability and tips to minimize your risk. Additionally, we're continuing to update our product matrix daily with the latest Symantec product information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.
Scope of Vulnerability
- This is not a vulnerability with SSL/TLS
- SSL/TLS is not broken, nor are the SSL certificates issued by Symantec
- Users of Open SSL versions 1.0.1 through (and including) 1.0.1f are affected
Symantec has posted a matrix with the latest Symantec product information. We will continue to update this with new information. We encourage our customers to keep checking this page and specific product support pages for current information and updates.
Yes. As the world’s largest Certification Authority, Symantec has already taken steps to patch systems using affected versions of OpenSSL. Additionally, we are following best practices and have re-keyed all certificates on web servers that used affected versions of OpenSSL. We highly recommend that the community at large follow these best practices as well.
While there was never an issue with Symantec Certificates, to address the OpenSSL bug, we will be offering replacements free of charge for our existing customers and the old certificates will be revoked.
An overview of the vulnerability is available on the Security Response blog.
How to Minimize Your Risk
- Check your version of OpenSSL and either:
- (1) Recompile OpenSSL without the heartbeat extension with the -DOPENSSL_NO_HEARTBEATS flag
- (2) Update to the latest fixed version of the software (1.0.1g) if you are using OpenSSL versions 1.0.1 through (and including) 1.0.1f
- After moving to a fixed version of OpenSSL, as part of best practices, contact the certificate’s issuing Certification Authority for a replacement
- Finally, and as a best practice, businesses should also consider resetting end-user passwords that potentially may have been visible in a compromised server memory
- Be aware that your sensitive data such as passwords may have been seen by a third party if the sites you visit used a vulnerable version of the OpenSSL library.
- Monitor any notices from the vendors or companies you use. Once a vendor has communicated to you to change your passwords, do so promptly.
- Watch out for potential phishing emails from attackers asking you to update your password. To avoid going to an impersonated website, stick with the official site domain.
- Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
- Monitor your bank and credit card statements to check for any unusual transactions