Results 1 to 1 of 1
-
7th Jun 2014, 03:04 PM #1
OpenSSL Reveals New Major Bug That's Been Around for a Long Time
There’s a new bug in OpenSSL, much to everyone’s dismay, and this one allows attackers to see and modify traffic between an OpenSSL client and an OpenSSL server.
While this may sound terrible, it’s actually nowhere near as bad as Heartbleed was. In fact, the issue is limited because it only affects specific versions of OpenSSL server and you’d need to use the same server software on a client application.
According to the announcement, OpenSSL clients are vulnerable in all versions, but servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1, while users of earlier versions are advised to upgrade as a precaution.
The vulnerability was originally discovered in May by researcher Masashi Kikuchi, and the OpenSSL team has since been developing a patch. The issue could allow an attacker to lower communication security between clients and servers using OpenSSL.
Attacking someone via this vulnerability is quite complicated. The package has to be present on both sides and then the “man-in-the-middle” attack has to be used, where the individual can decrypt and modify traffic from the targeted client and server.
This is good news, because it means that there are a lot of variables that need to align perfectly for such an attack to be possible, which seriously lowers the chances of this happening. It doesn’t mean, however, that it’s impossible.
It is unknown just how many of the applications out there use this security package, but desktop browsers such as Chrome, Firefox, and Internet Explorer should be safe since they don’t use OpenSSL.
On the other hand, it’s unclear whether this vulnerability was exploited and if so, how many times. It looks like the problem has been around for a long time. In fact, according to Adam Lengley, senior staff software engineer at Google, the bug has existed for some 15 years, which indicates that there are some pretty serious implications.
So, if you were planning to be mad about the fact that they took a whole month to issue a patch and make sure that no other security holes were born instead, remember that the vulnerability might have been around for a very long time.
One thing that was made obvious with this new bug report is the fact that more people are looking into OpenSSL and checking it for bugs, which means that it’s getting better and better, which in turn translates into “safer.” The fact that the big tech companies have decided to support the project financially is also quite a good sign.Kepler Reviewed by Kepler on . OpenSSL Reveals New Major Bug That's Been Around for a Long Time http://i1-news.softpedia-static.com/images/news-700/OpenSSL-Reveals-New-Major-Bug-That-s-Been-Around-for-a-Long-Time.jpg There’s a new bug in OpenSSL, much to everyone’s dismay, and this one allows attackers to see and modify traffic between an OpenSSL client and an OpenSSL server. While this may sound terrible, it’s actually nowhere near as bad as Heartbleed was. In fact, the issue is limited because it only affects specific versions of OpenSSL server and you’d need to use the same Rating: 5
Sponsored Links
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
New but not that new
By moxsi in forum IntroductionsReplies: 3Last Post: 11th Jul 2012, 09:14 PM -
Google reveals new YouTube update for Google TV
By ShareShiz in forum News & Current EventsReplies: 1Last Post: 13th Feb 2012, 11:01 AM -
A New Study Shows That iOS Apps Crash More Often Than Android Apps
By Bharat in forum News & Current EventsReplies: 5Last Post: 8th Feb 2012, 06:09 PM -
New DDL site that I submit to.
By ddlshack in forum Webmaster ResourcesReplies: 11Last Post: 1st Jun 2010, 10:31 AM
themaPoster - post to forums and...
Version 5.22 released. Open older version (or...