The Inquirer

OpenSSL yields yet another vulnerability

'I Got You Babe' is playing on the radio
Fri Jun 06 2014, 15:16

OPENSSL, the encryption software product that brought Heartbleed into the world, has been found to have yet another vulnerability.

For the second time this week, OpenSSL has issued a bulletin for a vulnerability in its source code that has had to be patched.

In this particular case, a "Man In The Middle" attack can exploit a vulnerability created by the use of what OpenSSL described as a "carefully crafted handshake".

This is distinct from yesterday's bulletin, which was about an "overly-long handshake" caused by a GnuTLS exploit, though "overly-long" and "carefully crafted" handshakes are somewhat reminiscent of freemasonry.

Because both the client and server need to have the vulnerability before a hacker can intervene in the middle and exploit it, there would have to be a deliberate effort to exploit it. However, it remains yet another security bug that has had to be patched in an embarrassing week for the widely used SSL protocol.

Details about patched versions of the OpenSSL software packages are included in the bulletin.

Whether the rapid discovery of several major flaws in the OpenSSL source code is due to moral panic, increased interest from the white hat hacking community or the result of the industry's recent financial commitment to avoiding "Heartbleed 2" remains to be seen.

Recently the Core Infrastructure Initiative (CII), formed and managed by The Linux Foundation in the wake of the Heartbleed discovery, confirmed that it will fund two full-time developer posts and a continuous audit of the code. The CII counts Microsoft, Google, and Apple among its membership, in a rare show of IT industry solidarity. µ

 
