but it is unclear whether potential attackers were aware of it earlier and to what extent it was exploited.
Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement.
Version 1.0.1g of OpenSSL adds some bounds checks to prevent the buffer over-read.
For example, the following test was introduced to determine whether a heartbeat request would trigger Heartbleed; it silently discards malicious requests.
Heartbleed is therefore exploited by sending a malformed heartbeat request with a small payload and large length field to the vulnerable party (usually a server) in order to elicit the victim's response, permitting attackers to read up to 64 kilobytes of the victim's memory that was likely to have been used previously by OpenSSL.
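
The kind of bounds check described above, as an added example (not OpenSSL's own code and not part of the original page): a stand-alone C function that accepts a heartbeat request only when the claimed payload length, plus the 3-byte header and the 16 bytes of minimum padding from RFC 6520, fits inside the bytes actually received. The function name, constants and sample records are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_HEADER_LEN  3   /* 1-byte message type + 2-byte payload length */
#define HB_MIN_PADDING 16  /* minimum padding required by RFC 6520 */

/* Hypothetical helper: returns the number of payload bytes that may safely be
 * echoed back, or -1 if the request must be silently discarded.
 * rec / rec_len describe the bytes that were actually received. */
long hb_checked_payload_len(const uint8_t *rec, size_t rec_len)
{
    /* Too short to hold even an empty, correctly padded request. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;

    /* Length field is attacker-controlled: big-endian 16-bit value. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The claimed payload must fit inside the received record. Without this
     * comparison a response built from `claimed` bytes reads past the request. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return -1;

    return (long)claimed;
}

/* Constructed sample records (not captured traffic); unset bytes are zero padding. */
static const uint8_t hb_ok[3 + 4 + 16]  = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_bad[3 + 4 + 16] = { 0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
static const uint8_t hb_empty[3 + 16]   = { 0x01, 0x00, 0x00 };
static const uint8_t hb_short[3]        = { 0x01, 0x00, 0x00 };

int main(void)
{
    printf("well-formed, 4-byte payload : %ld\n",
           hb_checked_payload_len(hb_ok, sizeof hb_ok));
    printf("length field 0xFFFF, 23 rcvd: %ld\n",
           hb_checked_payload_len(hb_bad, sizeof hb_bad));
    printf("empty payload, exact padding: %ld\n",
           hb_checked_payload_len(hb_empty, sizeof hb_empty));
    printf("header only, no padding     : %ld\n",
           hb_checked_payload_len(hb_short, sizeof hb_short));
    return 0;
}
```

A return value of -1 corresponds to the silent discard the text mentions: no response is built, so no memory beyond the request is copied.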