Microsoft Azure and IIS are likely NOT Vulnerable to Heartbleed But You Could Have Introduced Your Own Vulnerabilities

Heartbleed logo

As many are hearing through the news media, Heartbleed is a vulnerability in OpenSSL that allows for a hacker to steal information by reading the memory of systems protected by specific versions of the OpenSSL software.

The reason why the vulnerability is getting so much attention is that OpenSSL is the default SSL implementation for Apache and nginx.  These web servers run the majority of the worlds web servers:

Netcraft server stats

Are Microsoft Web Servers Affected?

Microsoft uses a different implementation of SSL called Secure Channel so if you are running IIS your web server isn’t impacted.  Microsoft Azure itself is not impacted either for the same reason.

Microsoft issued a statement yesterday saying as much and you can find it here.

Could You Still Be Vulnerable?

The answer to the question is absolutely YES, depending on what you have introduced into your infrastructure that uses OpenSSL.  There are a couple scenarios that are clear risks:

  • If you are running a Linux image even if its running within an Azure Virtual Machine, you could still be vulnerable. 
  • If you are running Apache Web Server or nginx even if its on Windows, you could still be vulnerable.
  • If you are running a Java or open source program (either acquired or custom built) that uses the OpenSSL libraries you could still be vulnerable.
  • If you are managing your SSL through your firewall or SSL gateway and its Linux based or uses OpenSSL as its implementation, you could still be vulnerable.

For more details, see Troy Hunt’s excellent article on Heartbleed….