Imagine a company with an extremely diligent secretary who carries out instructions perfectly but doesn’t put any thought into it.

Your company provides a remote copying service. Clients mail a form that says, “please copy ten pages” and include ten pages of material. You tell the secretary to take these forms, copy the requested number of pages, and mail the results back.

This works fine. Then one day a clever person wonders what happens if you don’t include all the pages. They mail a form that says “please copy twenty pages” but only include one page. The secretary gets this and handles it like the rest. After the first page, they just keep going. Since no more pages were provided, the secretary just grabs the next page they happened to have lying around on the desk, then the next, etc. They mail the results back the the client, who receives one page copied from their request, and 19 pages copied from random stuff on the desk, including some confidential material sent by other clients. Oops!

This is basically what the Heartbleed vulnerability was. The security update was essentially telling the secretary, “when you get one of those copy forms, don’t copy more pages than were included with the form.”

More broadly, security vulnerabilities happen when someone figures out how to trick the computer into doing something it shouldn’t. Security updates give better instructions to the computer so that trick no longer works.