A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, which allowed theft of the servers’ private keys and users’ session cookies and passwords. Forbes cybersecurity columnist Joseph Steinberg wrote, “Some might argue that Heartbleed is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.”
Despite the media hype about this vulnerability, it is worth calling out the facts. Not all Fortinet products were impacted by this bug. In fact, many of our products, such as our FortiWeb (WAF) products, were immune from day one.
Within hours of the discovery, FortiGuard Labs product security (PSIRT) and security research teams began developing protections and releasing patches for a variety of Fortinet products. Fortinet’s industry-leading security and threat researchers are well prepared to react to and protect our customers from threats such as Heartbleed, thanks to our existing critical update process. This process has been in place for nearly a decade. Our team is well equipped to analyze, develop, deploy and refactor critical IPS signatures within 48 hours of any breaking attack.