The World Wide Web security flaw known as Heartbleed has been found in the hardware made by Cisco Systems Inc. (NASDAQ: CSCO) and Juniper Networks Inc. (NYSE: JNPR). This discovery will be much harder and take much longer to fix than the earlier manifestations of the bug found on many websites.
Heartbleed is a hole in the design of OpenSSL, an open-source encryption tool used by nearly two-thirds of all websites and servers. The flaw allows an attacker to pull data off a target machine, including information from users’ machines that may include passwords and other private information.
Juniper Systems has already issued a patch for the company’s vulnerable virtual private networks (VPN) products. According to the company, “A subset of Juniper’s products were affected including certain versions of our SSL VPN software, which presents the most critical concern for customers.” Cisco had not issued any patches as of Thursday night and has encouraged customers to check the company’s websites for updates.
Major Internet sites like Yahoo!, Amazon and Netflix were able to fix the bug very soon after it was found on Monday. But small and medium-size businesses will have to fix the problem in all their routers, switches and firewalls. This will take more time and expense and may not happen at all. One security research told The Wall Street Journal, “The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy.”
Even that may not prevent businesses from having to apply the proper patch, however, because the gear on store shelves probably has been there since before the bug was discovered.
Investors are behaving as if Heartbleed is a good thing for network gear makers. Juniper’s shares are down about 2% through Thursday nights close, but up about 0.25% in early trading Friday morning. Cisco’s shares are up 1.3% Friday morning, erasing losses posted earlier this week and showing a gain of around 0.8% for the week.