An Update on the Heartbleed Exploit

William Scalf

Softdocs takes data security seriously. With all the conversation in the media regarding Heartbleed, William Scalf, our Security Architect, has put together a quick overview of the vulnerability and how it relates to Softdocs solutions.

Being Microsoft IIS-based, Softdocs’ web applications are not affected by this exploit. However, we felt the following information would be useful to you and your IT team.

What is Heartbleed?
Heartbleed is a flaw in OpenSSL, a widely used software library that implements SSL/TLS, the secure communication protocol represented by the little lock in your browser. The flaw allows a malicious user to read data out of another machine’s memory, which could include things like passwords, credit card numbers and other sensitive information.

This is a very real, demonstrable threat that should be taken seriously. It is further compounded by the fact that the attack leaves no appreciable footprint, making it very difficult to tell whether a particular site has been breached or what might have been leaked.

Whom does it affect?
As a flaw in a low-level component, it affects both the applications that are built on top of it and the people who use them. Our software, when deployed in accordance with our guidelines (on Microsoft IIS), does not use OpenSSL and is not affected by the Heartbleed bug.

However, you may still be affected by other systems you use on a daily basis. Anything that has been entered into a vulnerable website in the last two years may have been compromised.
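For an IT team that wants a quick first-pass screen of the other systems it runs, the following is an added example (not Softdocs code and not part of the original post) that parses the banner printed by `openssl version` and flags the release range the public OpenSSL advisory lists as affected: 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release, with 1.0.1g and 1.0.2-beta2 carrying the fix and the 1.0.0 and 0.9.8 branches never affected. The banner strings in the sample list are constructed for the example. Note the caveat in the code: some Linux distributions backported the fix without changing the version number, so a hit here means "look closer", not "confirmed vulnerable".

```python
import re
import subprocess

# Known-affected OpenSSL release range per the public OpenSSL advisory:
# the 1.0.1 branch up to and including 1.0.1f (1.0.1g shipped the fix),
# plus the 1.0.2-beta1 pre-release (fixed in 1.0.2-beta2).
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_PATCH_LETTER = "g"
VULNERABLE_PRERELEASE = "1.0.2-beta1"

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> ("1", "0", "1", "e")
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, fix, patch_letters).

    Returns None when the text does not look like an OpenSSL banner.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def is_heartbleed_vulnerable_version(banner):
    """Classify a banner: True = version string is in the affected range,
    False = outside it, None = banner could not be parsed.

    Caveat: distributions that backported the fix still report the old
    version string (for example a patched 1.0.1e), so True is a prompt to
    check the package changelog or vendor advisory, not a confirmed hit.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    if VULNERABLE_PRERELEASE in banner:
        return True
    major, minor, fix, letters = parsed
    if (major, minor, fix) != VULNERABLE_BRANCH:
        return False
    # Within 1.0.1: plain "1.0.1" and letters "a" through "f" are affected,
    # "g" and later contain the fix. Single-letter compare is enough here.
    return letters < FIRST_FIXED_PATCH_LETTER


def screen_banners(banners):
    """Return {banner: classification} for a list of collected version banners."""
    return {b: is_heartbleed_vulnerable_version(b) for b in banners}


def check_local_openssl():
    """Run `openssl version` on this host and classify the result.

    Returns None if the openssl binary is not present (e.g. an IIS-only host).
    """
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return is_heartbleed_vulnerable_version(out)


# Constructed sample banners for the example; the dates mirror the
# upstream release dates but the list itself is not collected data.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "LibreSSL 2.0.0",
]

if __name__ == "__main__":
    for banner, verdict in screen_banners(SAMPLE_BANNERS).items():
        label = {True: "in affected range, verify", False: "not affected",
                 None: "unrecognised banner"}[verdict]
        print(f"{banner:35} -> {label}")
    print("local host:", check_local_openssl())
```

The version check is deliberately only a screen. Because the bug leaves no trace in logs, the decisive question for a host that screens positive is whether the patched package is installed, which is answered by the vendor's package metadata rather than by the banner.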

What do you need to do?
The important thing to remember is that, while it’s our goal – and every software company’s goal – to prevent breaches, they do happen, and you don’t generally get any advance warning. That’s why recommendations like “don’t use the same password on multiple sites” and “periodically check your servers for suspicious activity” exist. If you’re following those sorts of practices, you’re already ahead of the game. If you’re not, now is a good time to start.

In addition, we encourage you to always apply updates from Microsoft, Oracle, etc. to your servers and desktop workstations as they are released. While some updates are just functional in nature, these days many are related directly to security vulnerabilities and concerns.