Computer threat ‘Heartbleed’ spreads to firewalls and beyond

According to security experts, hackers could crack email systems, security firewalls and possibly mobile phones through the “Heartbleed” computer bug, they also warned that the risks extended beyond just Internet Web servers.

The widespread bug appeared last week, when it was disclosed that a flaw in a widely used Web encryption program known as OpenSSL opened hundreds of thousands of websites to data theft. Developers rushed to fix affected web servers when they disclosed the problem, which affected companies from Amazon.com Inc and Google Inc to Yahoo Inc.

Yet vulnerable OpenSSL codes can still be found in plenty of other places, including email servers, ordinary PCs, phones and even security products such as firewalls. Developers of those products are scrambling to figure out whether they are vulnerable and patch them with updates to keep their users safe.

“I am waiting for a patch,” said Jeff Moss, a security adviser to the U.S. Department of Homeland Security and founder of the Def Con hacking conference. Def Con’s network uses an enterprise firewall from McAfee, which is owned by Intel Corp’s security division.

He said he was frustrated because people had figured out that his email and Web traffic is vulnerable and posted about it on the Internet – but he can’t take steps to remedy the problem until Intel releases a patch.

“Everybody is going through the exact same thing I’m going through, if you are going through a vendor fix,” he said.

An Intel spokesman declined comment, referring Reuters to a company blog that said: “We understand this is a difficult time for businesses as they scramble to update multiple products from multiple vendors in the coming weeks. The McAfee products that use affected versions of OpenSSL are vulnerable and need to be updated.”

It did not say when they would be released.

The Heartbleed vulnerability went undetected for about two years and can be exploited without leaving a trace, so experts and consumers fear attackers may have compromised large numbers of networks without their knowledge.

Companies and government agencies are now rushing to understand which products are vulnerable, then set priorities for fixing them. They are anxious because researchers have observed sophisticated hacking groups conducting scans of the Internet this week in search of vulnerable servers.

Other security experts said that they would avoid using any device with the vulnerable software in it, but that it would take a lot of effort for a hacker to extract useful data from a vulnerable Android phone.