Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On 2014-04-14, Richard Hector <firstname.lastname@example.org> wrote:
> This one, on the other hand, was generally not predicted, and was widely
> exploited before people got a chance to fix it. That's presumably still
> going on.

Possible exploitation prior to disclosure

Many major web sites patched or disabled the bug within days of
its announcement, but it is unclear whether potential attackers were aware of
it earlier and to what extent it was exploited. Based on examinations of audit logs
by researchers, it has been reported that some attackers may have exploited the
flaw for at least five months before discovery and announcement. Errata
Security has partially rejected this hypothesis, whereas the Department of
Homeland Security believes that as of April 11, "there have not been any reported
attacks or malicious incidents involving this particular vulnerability confirmed".