Just as the furor over the Heartbleed bug seemed to be dying down a bit, and analysts were beginning to issue statements about what it taught us about security, new flaws have been discovered in the same OpenSSL web encryption software.
An article in the Globe and Mail Technology section says that while the newly discovered problems don’t seem to be as serious as the Heartbleed bug, they could allow hackers to intercept communications or run code on vulnerable systems if not patched immediately.
At the end of last week, the OpenSSL Project released a security advisory about the six newly discovered flaws and provided security fixes. The OpenSSL Project is a global, volunteer-run organization that promotes and develops the use of open source tools implementing the Secure Sockets Layer protocol, as well as encryption resources.
While the updates should be installed as quickly as possible, organizations running versions of OpenSSL that contain the vulnerabilities still need to test their systems to make sure they’re compatible with the update, a process that could take a week or longer.
The most serious flaw, called CVE-2014-1224, could enable hackers to execute a “man-in-the-middle” (MITM) attack, decrypting and modifying traffic between the attacked client and server. The most likely situation would be intercepting the communications of a user accessing the internet at a public WiFi hotspot without using a VPN.
“The attack can only be performed between a vulnerable client and server,” the security advisory says (emphasis in the original). “OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”
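The version rules quoted from the advisory are the kind of thing an operator has to apply across a whole fleet, so here is an added example (not code from the article or from the OpenSSL Project) that parses the banner printed by `openssl version` and classifies each host according to exactly those rules: clients vulnerable in all versions, servers known vulnerable in 1.0.1 and 1.0.2-beta1, earlier servers advised to upgrade as a precaution. The article does not list which patch releases carry the fix, so the first fixed patch letter per branch is an optional, caller-supplied map rather than a value baked in; the inventory of hostnames and banners is constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1g 7 Apr 2014"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014". Groups: major, minor, patch, letters, tag.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|dev|fips))?"
)

Version = Tuple[int, int, int, str, Optional[str]]
Branch = Tuple[int, int, int]


def parse_openssl_version(banner: str) -> Version:
    """Split an OpenSSL version banner into (major, minor, patch, letters, tag)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letters, tag = m.groups()
    return int(major), int(minor), int(patch), letters, tag


def _letter_key(letters: str) -> Tuple[int, str]:
    # OpenSSL patch letters run a < b < ... < z < za < zb, so a longer run ranks higher.
    return (len(letters), letters)


def classify(banner: str, role: str,
             patched: Optional[Dict[Branch, str]] = None) -> str:
    """Apply the advisory text quoted above to one host.

    role:    "client" or "server".
    patched: optional map from release branch (major, minor, patch) to the first
             patch letter that carries the fix. The article does not give those
             letters, so the caller supplies them from the advisory; with no map,
             nothing is ever reported as patched.
    """
    if role not in ("client", "server"):
        raise ValueError(f"unknown role: {role!r}")
    major, minor, patch, letters, tag = parse_openssl_version(banner)
    branch: Branch = (major, minor, patch)

    fixed = (patched or {}).get(branch)
    if fixed is not None and _letter_key(letters) >= _letter_key(fixed):
        return "patched"

    if role == "client":
        return "vulnerable"          # "OpenSSL clients are vulnerable in all versions"
    if branch == (1, 0, 1) or (branch == (1, 0, 2) and tag == "beta1"):
        return "vulnerable"          # servers known vulnerable in 1.0.1 and 1.0.2-beta1
    if branch < (1, 0, 1):
        return "upgrade-advised"     # earlier servers: upgrade as a precaution
    return "not-listed"              # releases the quoted advisory text does not cover


# Constructed sample inventory (hostnames and banners invented for this example).
SAMPLE_INVENTORY = [
    ("web-01", "server", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("web-02", "server", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("legacy-01", "server", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("laptop-17", "client", "OpenSSL 1.0.1g 7 Apr 2014"),
]


def audit(inventory=SAMPLE_INVENTORY,
          patched: Optional[Dict[Branch, str]] = None) -> Dict[str, str]:
    """Return {hostname: status} for every (host, role, banner) entry."""
    return {host: classify(banner, role, patched) for host, role, banner in inventory}


if __name__ == "__main__":
    for host, status in audit().items():
        print(f"{host}: {status}")
```

The status strings are deliberately coarse so the result can be fed straight into a ticketing or patch-tracking system; the "not-listed" outcome is there so that a banner outside the quoted rules is surfaced for a human rather than silently treated as safe.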
The hacks that could be used to exploit the newly discovered vulnerabilities are more difficult to execute than the ones that exploited the Heartbleed flaw. And the most widely used web browsers, such as Internet Explorer, Chrome, Safari and Firefox, don’t use OpenSSL, so they are not at risk. But software that does implement SSL is widely used in other applications. Security experts say we can expect a run of updates for smartphones and desktop applications soon.