Researchers have reported a critical vulnerability in recent versions of OpenSSL which is used to secure numerous websites. This vulnerability has been assigned CVE identifier CVE-2014-0160 and is also known as the “Heartbleed Bug.” Exploitation can expose a website's secret keys, usernames and passwords of site users as well as other confidential information. [more]

This affects systems using OpenSSL versions 1.0.1 through 1.0.1f. Note this also includes numerous appliances used to terminate SSL connections used in Virtual Private Networks, secure email solutions, etc. Thus, even if you are only using unaffected Microsoft web servers, you may need to address these other types of appliances and embedded systems.

The Qualys SSL Labs scanning service available at https://www.ssllabs.com/ssltest/ can be used to determine if a particular site exhibits this vulnerability.

Additional information is available at http://heartbleed.com.

We recommend you work with appropriate vendors to identify vulnerable systems and apply the appropriate patches as soon as possible.