Why wasn't heartbleed fixed before?

Question

From what I read at heartbleed.com

"...Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."

So what took them so long for it to be fixed ? Most importantly, how come any of the sites like Yahoo/Github did not know about the patch before 1.0.1g was released ?

I find it very uncomfortable that OpenSSL patches it first, then everyone is fumbling to apply the patch while the vulnerability is being exploited.

Answer 1

You cannot fix the bug until you find it.

As the question "Who found the Heartbleed Bug?" in heartbleed.com:

This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. Codenomicon team found heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to OpenSSL team.

So it is discovered recently, although the bug exist for many years.

Answer 2

When you look at source code, it can be very difficult to spot all errors.

The source is a description of what the program does, but not how. If a developer makes a mistake, it might not be obvious that he has done so, or even that it's a mistake, if it doesn't affect the apparent functionality of the program

To make sure that there are no vulnerabilities, the code needs to be reviewed for bugs. This takes people who understand what the program is supposed to be doing (in this case implementing a TLS heartbeat) to read the source code and perform tests on the program, which takes time and money. The OpenSSL team does not have the capacity to search for every potential bug, especially since it is made of volunteers. It's for this reason that the bug went unnoticed. It was only after a security researcher at Google reviewed OpenSSL was the vulnerability discovered and patched.

You need the abillity to find bugs to be able to fix them.

One a patch is released, there is always a window between when the patch is released, and when it is applied by users. Attackers have the ability to attack users in that window since they are still vulnerable. This is the same with all software.

Answer 3

Exploits and loopholes exist in everything from medical devices to telephones and it's only once these devices are pushed into production and pushed to the extremes that these holes are discovered.

If you want to go down the mathematical route it's an exponential curve where you take a simple requirement for a product and add to it. As you add more complexity, you introduce more chances for security holes and exploits. The easiest way to think about it all is not exploits, bugs and other but rather just unintended operations.

Testing for every possible interaction and circumstance is almost impossible so a business or organisation (or indeed, individual) will do an acceptable amount of testing but may never find all the bugs. This is true for more than just software of course. Manufacturer recalls are a great example.

tl;dr

Exploits exist everywhere and there isn't any conspiracy theory or bad call as to why they haven't been fixed. Sometimes it takes longer to find these issues as they only happen under specific circumstances that generally can't be planned for beforehand. Our only hope is that the person or group who finds it, reports it to the right people.