Heartbleed on Windows… eh oh. Though your heart may go out to those losing support on Windows XP, it does not mean they are particularly vulnerable to Heartbleed.
What is Heartbleed?
First off, it is NOT a virus, it is flaw/coding error in OpenSSL he open-source encryption protocol used by many websites and other servers. It’s used for things like websites where the HTTP: is changed to HTTPS: and you get a little security lock icon on many browsers to show this is a secure site.
This vulnerable version of OpenSSL has been out for about 2 years.
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
This bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Can I know if a site was hacked?
This is what is so insidious about heartbleed is that it leaves no trace. So a site could have been hacked and no trace would be left about it.
Is my Windows XP or other Windows desktop or server affected?
Probably not. Though the Heartbleed was announced just after the end of support for windows XP, Microsoft does not use OpenSSL. Microsoft uses their own encryption component called Secure Channel (aka SChannel). So unless you installed something for your web services that uses OpenSSL your computer should be fine (IIS is unaffected).
This applies to all Windows operating systems and IIS versions, up to and including IIS 8.5 running on any of the following operating systems:
• Windows Server 2003 and 2003R2
• Windows Server 2008
• Windows Server 2008R2
• Windows Server 2012
• Windows Server 2012R2
If you installed something like Apache on Windows you should look to the support website for the software installed.
So what should I do?
You should change passwords everywhere, EXCEPT on affected sites or services that haven’t patched the hole yet. However, be sure that once they have updated their software that you change it on these as well.
You should also check your credit, account statements and other online activity to make sure no unauthorized entries appear.