This bug would have been utterly trivial to detect when introduced had the OpenSSL developers bothered testing with a normal malloc (not even a security focused malloc, just one that frees memory every now and again). Instead, it lay dormant for years until I went looking for a way to disable their Heartbleed accelerating custom allocator.
it's a very good read.
Conclusion
It is quite obvious in light of the recent revelations from Snowden that this weakness was introduced by purpose by the NSA. It is very elegant and leaks its complete internal state in only 32 bytes of output, which is very impressive knowing it takes 32 bytes of input as a seed.
Here is the Github repo for the PoC code.
This PRNG is not the NSA making a crypto system stronger ala DES, it's a backdoor.
"Just think, with VLSI we can have 100 ENIACS on a chip!" -- Alan Perlis