2014.04.10

In case you have been hiding under an IT rock, the world of the Internet has been rocked by a vulnerability found in the widely used OpenSSL. MVP Troy Hunt has a good description of the vulnerability here.

The list of known vulnerable sites is a who’s who of the Internet. Interestingly, servers that run on Windows Server and use the native SSL features of IIS are not affected. Note that Windows Server and System Center use native IIS functionality. Microsoft has also confirmed that Azure is not susceptible to this attack.

Hmmm, who else is out there that might be vulnerable? Who do many claim is more secure, but really they’ve been found lacking? Who had a breakout attack (maybe more than one)? Who had a weakness in the design of their virtual storage that allows a guest OS admin to read files (passwords) from the host? Which other virtualization company is susceptible to Heartbleed?

Hmm, would it be …

VMware?

Yup, if you have a recent product from VMware then your virtualization or cloud is vulnerable to attack. Got a public cloud based on vSphere? You are probably vulnerable.

The lesson here is simple: Building alleged enterprise-class software where no-one is responsible for trustworthy computing reviews is negligent. Who reviewed that code?

Now tell me that Microsoft makes insecure software … penguin lovers! Stick your hands up so we can send the men with nets after you conspiracy theorists or your bosses can identify the weak links in their IT departments.


4 comments so far

  1. If the code written for MS software has been reviewed, why do we have something called “Patch Tuesday”? Hmm, interesting.

    • Classic response by the ignorant vFanboy :) I knew someone would be stupid enough to stick their head over the wall on this classic one. I guess VMware never has to release 650+ MB “patches” to resolve security issues? https://www.vmware.com/patchmgr/findPatch.portal. Wait? You don’t patch because you cannot afford whatever high end version of vSphere that only includes automated patching? Awwww :) And I guess the above linked security issues in VMware software were not factual either? Get real, boy.

  2. an enjoyable read!

  3. Someone must have had the courage to say this :-) Great post. Thanks. Came around here by looking for some background information to SCVMM 2012.
