The Application Threat Intelligence Team Members Discuss the FaceTime and Heartbleed Updates

November 18, 2014 by Ixia Blog Team

Author: David Avery

The FaceTime vulnerability, better known as the "goto fail" bug in Apple's SecureTransport SSL/TLS library and disclosed and patched in February 2014, came down to a single errant line of code: a duplicated "goto fail;" that jumped past the signature check on the server's key-exchange parameters, so the client never confirmed that the ephemeral key it was handed actually belonged to the certificate it had been shown. The verification routine still returned success, and every application on an affected OS X or iOS machine that relied on it was open to a man-in-the-middle attack. Anyone on the same shared wired or wireless network could sit between the machine and the server it was talking to, intercept the traffic, harvest login credentials and other sensitive information, or inject malware into the session.
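The control-flow mistake, reduced to its shape. This is an added illustration, not Apple's SecureTransport source: the hash and signature steps are stand-in functions that take the place of the real SSLHashSHA1.update/final and signature-verification calls, and the caller is assumed to treat any nonzero OSStatus as a failed handshake. The two functions differ by exactly one line.

```c
#include <stdio.h>

typedef int OSStatus;
#define errSecSuccess 0
#define errSSLCrypto  (-9809)   /* SecureTransport's status for a failed signature check */

/* Stand-ins (not Apple's code) for the hash-update and hash-final calls that
 * feed the handshake transcript into SHA-1. They succeed, as they normally do. */
static OSStatus hash_update(const char *what) { (void)what; return errSecSuccess; }
static OSStatus hash_final(void) { return errSecSuccess; }

/* Stand-in for checking the server's signature over the ServerKeyExchange
 * parameters against the public key in its certificate. */
static OSStatus verify_signature(int signature_is_valid)
{
    return signature_is_valid ? errSecSuccess : errSSLCrypto;
}

/* The vulnerable shape. The second "goto fail;" is not governed by any if, so
 * it always runs, err still holds the 0 from the last successful hash update,
 * and the signature check below it is never reached. The caller sees 0 and
 * treats the key exchange as verified. */
OSStatus verify_server_key_exchange_vulnerable(int signature_is_valid)
{
    OSStatus err;
    if ((err = hash_update("clientRandom")) != 0)
        goto fail;
    if ((err = hash_update("serverRandom")) != 0)
        goto fail;
    if ((err = hash_update("signedParams")) != 0)
        goto fail;
        goto fail;                                   /* the errant duplicated line */
    if ((err = hash_final()) != 0)
        goto fail;
    err = verify_signature(signature_is_valid);      /* dead code */
fail:
    /* the real function frees its hash buffers here before returning */
    return err;
}

/* The patched shape: identical, minus the duplicated line. */
OSStatus verify_server_key_exchange_fixed(int signature_is_valid)
{
    OSStatus err;
    if ((err = hash_update("clientRandom")) != 0)
        goto fail;
    if ((err = hash_update("serverRandom")) != 0)
        goto fail;
    if ((err = hash_update("signedParams")) != 0)
        goto fail;
    if ((err = hash_final()) != 0)
        goto fail;
    err = verify_signature(signature_is_valid);
fail:
    return err;
}

int main(void)
{
    /* A man-in-the-middle presents parameters with a forged signature: the
     * vulnerable build reports success, the fixed build reports errSSLCrypto. */
    printf("vulnerable, bad signature: %d\n", verify_server_key_exchange_vulnerable(0));
    printf("fixed, bad signature:      %d\n", verify_server_key_exchange_fixed(0));
    printf("fixed, good signature:     %d\n", verify_server_key_exchange_fixed(1));
    return 0;
}
```

Compilers such as gcc flag the duplicated line with -Wmisleading-indentation (introduced after this bug), and a dead-code or coverage check would have caught the unreachable verify step; neither was in use when the bug shipped.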

Heartbleed (CVE-2014-0160) is a security bug disclosed in April 2014 in the OpenSSL cryptography library, a widely used implementation of the Transport Layer Security (TLS) protocol; it affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g. Heartbleed capitalizes on improper input validation, specifically a missing bounds check, in the implementation of the TLS heartbeat extension (RFC 6520), hence the bug's name. The vulnerability is classified as a buffer over-read: the server trusts the payload length stated inside the heartbeat request instead of the number of bytes it actually received, and copies up to 64 KB of whatever sits next to the request in process memory into its reply. That memory can hold session cookies, passwords, or the server's private key, the request can be repeated as often as the attacker likes, and nothing about it is logged by default.
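A simplified model of the heartbeat handler, added here as an illustration and not OpenSSL's own source (the real code is tls1_process_heartbeat in ssl/t1_lib.c and works on the SSL record structure). The record layout (type, 16-bit length, payload, 16 bytes of padding) and the two length checks follow the 1.0.1g fix; the heap arena, the planted secret and the request contents are constructed for the example so that the over-read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed stand-in for the server's heap: the received heartbeat record is
 * at the front, and whatever happened to be allocated next to it follows. */
static uint8_t g_heap[1 + 2 + 65535 + HB_PADDING + 64];
static uint8_t g_resp[1 + 2 + 65535 + HB_PADDING];

/* Vulnerable handler, modelled on the pre-1.0.1g logic: it trusts the 16-bit
 * payload length inside the record and never compares it with the number of
 * bytes actually received. Returns the length of the response it built. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    const uint8_t *p = rec;
    uint8_t *bp = resp;
    (void)rec_len;                                        /* never consulted */
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);    /* n2s(p, payload) */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);                      /* s2n(payload, bp) */
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, p, payload);      /* over-read: payload may exceed what arrived */
    bp += payload;
    memset(bp, 0, HB_PADDING);                            /* RAND_pseudo_bytes() in OpenSSL */
    bp += HB_PADDING;
    return (size_t)(bp - resp);
}

/* Patched handler: the two length checks added in OpenSSL 1.0.1g. A record
 * that does not contain the bytes it claims is silently discarded. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    const uint8_t *p = rec;
    uint8_t *bp = resp;
    if (1 + 2 + HB_PADDING > rec_len)                     /* too short to hold a length at all */
        return 0;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)   /* claimed vs. received */
        return 0;
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);
    bp += HB_PADDING;
    return (size_t)(bp - resp);
}

/* Constructed input: a request whose length field claims `claimed` payload
 * bytes but carries only the 2-byte payload "hi", with a secret planted in the
 * memory right after the record. Returns the number of bytes actually received. */
static size_t plant_record(uint16_t claimed, const char *secret)
{
    size_t rec_len = 1 + 2 + 2 + HB_PADDING;
    memset(g_heap, 0, sizeof g_heap);
    g_heap[0] = TLS1_HB_REQUEST;
    g_heap[1] = (uint8_t)(claimed >> 8);
    g_heap[2] = (uint8_t)(claimed & 0xff);
    memcpy(g_heap + 3, "hi", 2);
    memcpy(g_heap + rec_len, secret, strlen(secret));
    return rec_len;
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Response length from each handler for a request claiming `claimed` bytes,
 * and whether the vulnerable handler's response carried the planted secret. */
size_t vulnerable_response_len(uint16_t claimed)
{
    return heartbeat_vulnerable(g_heap, plant_record(claimed, "PRIVATE-KEY-BYTES"), g_resp);
}
int vulnerable_leaks_secret(uint16_t claimed)
{
    return contains(g_resp, vulnerable_response_len(claimed), "PRIVATE-KEY-BYTES");
}
size_t fixed_response_len(uint16_t claimed)
{
    return heartbeat_fixed(g_heap, plant_record(claimed, "PRIVATE-KEY-BYTES"), g_resp);
}

int main(void)
{
    printf("vulnerable, claims 64 bytes:  %zu bytes back, leaks secret: %d\n",
           vulnerable_response_len(64), vulnerable_leaks_secret(64));
    printf("fixed, claims 64 bytes:       %zu bytes back (dropped)\n", fixed_response_len(64));
    printf("fixed, honest 2-byte request: %zu bytes back\n", fixed_response_len(2));
    return 0;
}
```

The honest request (claimed length equals what was sent) is answered by both handlers; only the lying one is dropped by the fix, which is why the patch broke nothing for legitimate peers. The maximum claim, 65535, is what gives the "64 KB per request" figure.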

Both issues were severe because the flawed code sat in the TLS stacks that almost everything else depends on: one in the system library Apple applications use for every secure connection, the other in a library running on a large share of the Internet's servers. A bug at that layer is inherited by every application above it, which is what set these two apart from ordinary vulnerabilities.

Additional Resources:

Ixia BreakingPoint ATI