New SQLyog and MONyog coming – please upgrade soon!

by Apr 11, 2014

We are about to release upgrades to both SQLyog and MONyog with an important fix: the OpenSSL libraries linked into both programs, which were possibly vulnerable to the 'Heartbleed' bug, have been upgraded to versions that are not affected (the new MONyog release will have a few more fixes as well).
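For readers who want to check the OpenSSL version a program or system reports, here is a small added Python check (written for this page; it is not Webyog's own upgrade logic) that classifies a version string as affected or not by the Heartbleed bug (CVE-2014-0160). The affected ranges are the 1.0.1 branch up to and including 1.0.1f, plus 1.0.2-beta1; 1.0.1g, 1.0.2-beta2 and the 1.0.0 and 0.9.8 branches are not affected. The input format assumed is the one printed by `openssl version`.

```python
import re

# Affected ranges of the Heartbleed bug (CVE-2014-0160):
#   1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Fixed in 1.0.1g and 1.0.2-beta2. The 1.0.0 and 0.9.8 branches never
# contained the heartbeat code. This check is written for this page; it is
# not Webyog's own upgrade logic.

_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?",
    re.IGNORECASE,
)


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letters, beta) from a string such as
    'OpenSSL 1.0.1e 11 Feb 2013' (the format of `openssl version`) or
    '1.0.2-beta1'. Raises ValueError when no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letters = m.group(4).lower()
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, letters, beta


def heartbleed_affected(text):
    """True if the reported upstream OpenSSL version lies in an affected range.

    Patch letters sort alphabetically ('' < 'a' < ... < 'f' < 'g'), so a plain
    '1.0.1' and '1.0.1a'..'1.0.1f' are affected, '1.0.1g' and later are not."""
    major, minor, fix, letters, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        return letters <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


if __name__ == "__main__":
    # Constructed sample strings, not output captured from any real host.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.0l 6 Jan 2014"):
        print(sample, "->", "AFFECTED" if heartbleed_affected(sample) else "ok")
```

One caveat: the string only tells you which upstream release was built. A Linux distribution may ship a library that still reports 1.0.1e with the fix backported, so for a system-wide OpenSSL check the package changelog (or test the heartbeat behaviour directly) rather than trusting the version alone. For a library bundled with an application, as with SQLyog and MONyog, the version string does identify the upstream release that was linked in.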

Since this security issue became known a few days ago, the media and the Internet have filled with information about vulnerable systems, probably a good deal of fact and a good deal of fiction.

A good summary appeared in the Percona blog. It mostly focuses on server-side exposure, but it also points out that the vulnerability may be exploitable against clients linking a vulnerable OpenSSL version: the bug sits in the TLS heartbeat handling that both ends of a connection run, so a malicious or compromised server can read memory from a vulnerable client that connects to it. SQLyog and MONyog users should note that SSH and SSH tunnelling are not affected, since SSH does not use TLS. SSL connections in both programs, as well as HTTPS tunnelling with SQLyog, may theoretically be exploitable in this way by the server the client talks to.
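To make the client-side point concrete, here is an added Python model of the bug, written for this page and not taken from OpenSSL or from SQLyog/MONyog. A heartbeat request carries a one-byte type, a two-byte payload length, the payload and at least 16 bytes of padding. The handler in OpenSSL 1.0.1 to 1.0.1f trusted the length field and copied that many bytes from the record buffer into the reply, so a peer that declared a payload larger than what it actually sent got back up to 64 KB of whatever followed the record in memory; 1.0.1g drops any record that is too short for the declared length. The same handler runs on both ends of the connection, which is why a client is exposed when the server, or someone impersonating it, sends the malformed request. The "heap" layout and the secret below are constructed stand-ins.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for data a client process keeps next to its TLS
# record buffer (a hypothetical saved database password, not real data).
SECRET = b"mysql_password=hunter2;"


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request record.

    An honest peer lets claimed_length default to len(payload). An attacker
    sets it larger than the payload actually sent (up to 65535)."""
    if claimed_length is None:
        claimed_length = len(payload)
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + b"\x00" * PADDING_LEN)


def vulnerable_process_heartbeat(memory, record_len):
    """Model of the pre-1.0.1g handler (OpenSSL 1.0.1 to 1.0.1f).

    `memory` is a byte string standing in for the process heap: the received
    record occupies memory[:record_len] and whatever follows is other data
    of the same process. The handler trusts the length field and copies that
    many bytes starting at the payload, never comparing it with record_len,
    so it reads past the end of the record."""
    hbtype, claimed = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    echoed = memory[3:3 + claimed]               # the over-read
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, claimed)
            + echoed + b"\x00" * PADDING_LEN)


def fixed_process_heartbeat(memory, record_len):
    """Model of the 1.0.1g handler: a record that is too short for the
    declared payload plus the minimum padding is silently discarded."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None                              # not even a minimal heartbeat
    hbtype, claimed = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed + PADDING_LEN > record_len:
        return None                              # length field lies: drop it
    echoed = memory[3:3 + claimed]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, claimed)
            + echoed + b"\x00" * PADDING_LEN)


def leaked_bytes(response, sent_payload):
    """Bytes echoed back beyond what the peer actually sent (b'' if none)."""
    if response is None:
        return b""
    _, claimed = struct.unpack("!BH", response[:3])
    return response[3:3 + claimed][len(sent_payload):]


def run_heartbeat(claimed_length=None):
    """Feed one heartbeat to both handlers; return what each one leaked."""
    payload = b"ping"
    record = build_heartbeat(payload, claimed_length)
    heap = record + SECRET + b"\x00" * 64        # record, then neighbouring data
    vuln = vulnerable_process_heartbeat(heap, len(record))
    fixed = fixed_process_heartbeat(heap, len(record))
    return leaked_bytes(vuln, payload), leaked_bytes(fixed, payload)


if __name__ == "__main__":
    honest_vuln, honest_fixed = run_heartbeat()
    evil_vuln, evil_fixed = run_heartbeat(claimed_length=64)
    print("honest request leaks:", honest_vuln, honest_fixed)
    print("malformed request, old handler leaks:", evil_vuln)
    print("malformed request, fixed handler leaks:", evil_fixed)
```

The model deliberately keeps the two handlers identical except for the length check, because that one comparison is the whole fix. In a real process the bytes that follow the record are whatever the allocator placed there, which is why the leak is unpredictable per request but reliable over many requests.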

(As a side remark: router firmware and similar systems may also be affected. It has also been reported, but not finally confirmed, I think, that Android 'Jelly Bean' (at least) has the vulnerability deep down in the OS. Several online services don't know yet whether they are vulnerable (this includes my own netbank). It will take weeks or months before we know what implications this bug has, has had and may have in the future.)

Now, what is the risk? So far it is 'low' or 'very low'. There is no known exploit. If the vulnerability has already been exploited, it has been by very professional people or organizations who kept the information private. It is also non-trivial to create a usable exploit (against a client in particular, I believe), and it is definitely not something every teenage hacker does overnight. But now that the vulnerability is public, the toolkits used by malicious hackers will probably soon include tools from which an exploit can be built. One caveat: a heartbeat over-read leaves no trace in the application's own logs, so 'not known to have been exploited' should not be read as 'not exploited'.

So we recommend that you upgrade as soon as possible. This blog will announce the SQLyog and MONyog updates shortly, and the 'upgrade check' built into both programs will also announce the new versions.