The Heartbleed Bug

We have received a number of inquiries regarding the vulnerability of our services to the Heartbleed bug. Fortunately, xRM services are not affected by Heartbleed. Microsoft Dynamics CRM Online and Office 365 services are also not affected.

What is Heartbleed?

Heartbleed refers to a security vulnerability in OpenSSL 1.01 and 1.02 beta. OpenSSL is used by various web, mail, and VPN systems, including some of the most popular websites and email services in the world.

The technical description of the Heartbleed vulnerability states the following:

“The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.”

In plain English, the Heartbleed bug allows hackers and other malicious types to bypass the encryption used by many servers and obtain sensitive information such as passwords, emails, usernames, and account information from vulnerable servers that make use of the popular OpenSSL library and Transport Layer Security protocol (TSL).

Why are xRM services not affected?

xRM servers do not make use of the affected OpenSSL Library and TSL. Microsoft Dynamics CRM Online and Microsoft Office 365 do not make use of OpenSSL either. All SSL connections to our environment make use of an F5 external load balancer running BIG-IP LTM version 10.2.2. F5 has declared that this version of its load balancer is known not to be vulnerable. Our own investigation has also confirmed that our services are not vulnerable. We will continue to monitor the situation for any additional developments that may place our customers at increased risk of attack.

What about Microsoft Services?

Here is what Microsoft has said about the vulnerability of its own services:

“After a thorough investigation, Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, along with most Microsoft Services, are not impacted by the OpenSSL “Heartbleed” vulnerability. Windows’ implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections.”

What should I do now?

Since xRM and Microsoft services are currently unaffected, you do not need to do anything beyond taking standard security steps, such as creating strong passwords and keeping them secure.

However, since the Heartbleed bug affects approximately 2/3s of websites, we recommend that you take the following precautions:

  1. Check with the provider of all of your web-based services and accounts. Find out if they are or were vulnerable to the Heartbleed bug.
  2. If your service providers indicate that they were vulnerable but have since fixed the vulnerability, immediately change your passwords.
  3. Consider implementing two-factor authentication as an additional security measure.
  4. Continue to watch your accounts for suspicious activity.

Further Reading

Here is a list of the 100 most popular sites in the US that updates their status courtesy of CNET.

Here is an extensive review of the Heartbleed bug, courtesy of CODENOMICON.

Leave a Reply

Your email address will not be published. Required fields are marked *