OPENSSL, the encryption software product that brought Heartbleed into the world, has been found to have yet another vulnerability.
For the second time this week, OpenSSL has issued a bulletin for a vulnerability in its source code that has had to be patched.
In this particular case, a "Man In The Middle" attack can exploit a vulnerability created by the use of what OpenSSL described as a "carefully crafted handshake".
This is distinct from yesterday's bulletin, which was about an "overly-long handshake" caused by an GnuTLS exploit, though "overly-long" and "carefully crafted" handshakes are somewhat reminiscent of freemasonry.
Because both the client and server need to have the vulnerability before a hacker can intervene in the middle and exploit it, there would have to be a deliberate effort to exploit it, however it remains yet another security bug that has had to be patched in an embarassing week for the widely used SSL protocol.
Details about patched versions of the OpenSSL software packages are included in the bulletin.
Whether the rapid discovery of several major flaws in the OpenSSL source code is due to moral panic, increased interest from the white hat hacking community or the result of the industry's recent financial commitment to avoiding "Heartbleed 2" remains to be seen.
Recently the Core Infrastructure Initiative (CII) formed and managed by The Linux Foundation in the wake of the Heartbleed discovery confirmed that it will fund two full-time developer posts and a continuous audit of the code. The CII counts Microsoft, Google, and Apple among its membership, in a rare show of IT industry solidarity. µ
It's time for our regular two-step through the Google news
Bug bounty offer: accepted