Windows Server 2012 R2 and IIS affected by Heartbleed exploit? [closed]
"OpenSSL 1.01 — the one production version affected — had been shipping since March 12, 2012"
Does this (above) mean that a Windows 2012 R2 server we ordered a month ago, now running HTTPS sites in IIS, is vulnerable to Heartbleed attacks?
I've read a post that suggests checking if your server is vulnerable, by using this site http://filippo.io/Heartbleed/ , but it's probably taking a ton of hits right now, as it's not responding.
Solution 1:
IIS is not vulnerable as it does not use the OpenSSL library
Update, quote Troy Hunt:
Not all web servers are dependent on OpenSSL. IIS, for example, uses Microsoft’s SChannel implementation which is not at risk of this bug. Does that mean that sites on IIS are not vulnerable to Heartbleed? For the most part, yes, but don’t get too cocky because OpenSSL may still be present within the server farm.
More info here - http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
Update 2:
Microsoft blog post on IIS and Heartbleed: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
Solution 2:
I've just used http://filippo.io/Heartbleed/ to scan a website we host on Win 2008 IIS7 - SSL is being terminated on the windows server directly (no load balancing device with SSL offloading in between) - it's being reported as vulnerable. Similar tests of websites hosted on Win 2012 with IIS8 don't have the same result (does not show as vulnerable).
Edit (added link to MS forum): http://social.technet.microsoft.com/Forums/en-US/93a24775-6f62-4690-8c86-3652b74c1b4f/openssl-vulnerability?forum=Forefrontedgegeneral