
What else does Heartbleed threaten a simple user with?

Translator's abstract


This post should fill a gap left by the article “What does Heartbleed threaten the ordinary user with?”; thanks to FFF for that post: habrahabr.ru/post/219151

The client-side vulnerability has not gone away. The top payment services reacted within 24 hours, but how long will you wait for an update from the manufacturer of your smartphone or, say, your “smart” TV? A malicious site can easily gut a client's memory: an unpatched browser, a smartphone, a tablet, a too-smart TV, a video or gaming console, and so on. Any device that can load web pages (your home Linux box included) while processing sensitive data is a target, and sometimes for many years.
Below is a translation of the full article by Rob VandenBrink; it is not long.

The Other Side of Heartbleed: Client Vulnerabilities


Reports are coming in about client applications vulnerable to Heartbleed. As with server applications, whether a client is vulnerable is determined by the version of OpenSSL it uses.
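Because exposure is decided by the OpenSSL build behind each client, the first thing a defender needs is an inventory check. The following is an added example, not code from the original article or from Rob VandenBrink: it classifies `openssl version` banners against the affected range for CVE-2014-0160 (1.0.1 through 1.0.1f, plus the 1.0.2 beta1 release; 1.0.1g and 1.0.2-beta2 carry the fix, and 1.0.0 and 0.9.8 never had the bug). The device inventory is constructed for illustration. One caveat the example builds in: distributions such as Debian and Ubuntu backported the fix without bumping the banner, so a match here means “verify the package”, not “confirmed vulnerable”.

```python
import re

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or
# "OpenSSL 1.0.2-beta1 24 Feb 2014". Groups: major, minor, patch,
# letter suffix (may be empty), optional beta tag.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?")


def parse_openssl_version(banner: str):
    """Parse an `openssl version` banner.

    Returns (major, minor, patch, letter, beta) or None when the string
    is not an OpenSSL banner (e.g. a different TLS library).
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, beta


def is_version_affected(banner: str) -> bool:
    """True if the banner names an OpenSSL release that shipped with
    the Heartbleed bug. This is a version check only: vendors that
    backported the fix keep the old banner, so treat True as
    'needs verification', not as proof of exposure."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return False
    major, minor, patch, letter, beta = parsed
    if (major, minor) != (1, 0):
        return False  # 0.9.8 and 1.1.x branches never had the bug
    if patch == 1:
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g fixed it.
        # Single-letter suffixes compare correctly as strings; "" < "f".
        return letter <= "f"
    if patch == 2:
        # Only the 1.0.2 pre-releases were affected: beta1 had the bug,
        # beta2 (and the 1.0.2 final release) did not.
        if beta is None:
            return False
        digits = beta[len("beta"):]
        return digits == "" or int(digits) < 2
    return False  # 1.0.0 was never affected


# Constructed sample inventory: device label and the banner it reported.
SAMPLE_INVENTORY = [
    ("living-room-tv", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("old-router", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("laptop", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("dev-box", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("tablet", "BoringSSL"),  # no OpenSSL banner; not classified here
]


def triage(inventory):
    """Return the labels of devices whose banner falls in the affected
    range, in inventory order, for follow-up with the vendor."""
    return [name for name, banner in inventory if is_version_affected(banner)]


if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: affected OpenSSL version, verify vendor patch status")
```

On a device you control, feed the output of `openssl version` into `is_version_affected`; on a consumer device with no shell, the banner usually has to come from the vendor's release notes, which is exactly the gap the article is about.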
Is this just another case of “wait for the patch”? The update will come when the vendor ... well, hold on a minute. When exactly did the manufacturer of your “smart” TV promise to release a fix for the browser built into it? And when were you going to install it? What about the TV at my wife's brother's place? It looks like this client vulnerability will outlive all the server-side ones ...
We have an unpleasant combination of the Heartbleed vulnerability with the nature of embedded devices, which may never be updated at all. At best they receive updates for a couple of years after release; once the next model ships, the manufacturer simply abandons them. Home routers and smart TVs are good examples, but medical devices are in the same position.
A very substantial addition to the list is Android devices that the mobile operator sells and services, bypassing the OS vendor (Google): these devices get updates rarely or never, yet they are in wide use. The first thing that comes to mind, of course, is mobile banking applications. The result is a combination of consumer goods and a vulnerability that opens their memory to almost any malicious (or compromised) server. This has the potential of a weapon of mass destruction, with a long device life cycle (years rather than weeks or months).
Other TLS-using applications that we are not used to thinking of as “clients” include traditional databases, cloud service clients, special browser software for entertainment portals, even device drivers. It is not enough to say “such-and-such application is vulnerable”: it may run on your PC, tablet, smartphone, TV, set-top box, simulator, refrigerator, climate control; the list keeps growing, towards ever smaller devices that surely no one is going to update.
Here are just some of the vulnerable applications (@teleghost: this list has been cited many times; it is slightly extended here, with sources in the links below):


Translator's conclusion


Personally, my opinion is that within a few weeks or months the evil forces will skim the cream from payment systems and banking services, and only after that turn to our household level. First they will go over everything that is in one way or another connected with payment cards and paid services. Then, once the technique is streamlined, they will simply harvest passwords from everything in sight. Smart TVs and some smartphone models are the worst off: there you can wait years for an update and never get one.
If before I understood that only the NSA could exploit my smartphone, now it can be any average crook. Not so funny, is it?

Take care of yourself.

Links


isc.sans.edu/forums/diary/The+Other+Side+of+Heartbleed+-+Client+Vulnerabilities/17945
security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely
community.openvpn.net/openvpn/wiki/heartbleed

Source: https://habr.com/ru/post/219335/
