The Inquirer-Home

OpenSSL receives nine post-Heartbleed critical bug fixes

The CII coding boys are earning their keep
Thu Aug 07 2014, 15:44
Security threats - password theft

OPENSSL, the web security layer at the centre of the Heartbleed vulnerability, has been updated with a further nine critical patches.

While none of the flaws are as serious as Heartbleed, patching is recommended for all users according to an advisory released today. The vulnerabilities were found by various security research teams around the web including Google, Logmein and Codenomicom, based on their reports during June and July.

Among the more interesting fixes is one that involves a flaw in the Client Hello message process. If a Client Hello message is badly fragmented, it is vulnerable to a man in the middle attack that could be used to force the server to downgrade to the TLS 1.0 protocol, a 15-year-old and therefore pre-Heartbleed protocol variant.

Other reports include memory leaks caused by denial of service (DoS) attacks and crashes caused by attempts to free up the same portions of memory twice.

OpenSSL now has two full time coders as a result of the investment by a consortium of internet industry companies in the Core Infrastructure Initiative, a not for profit group administered by the Linux Foundation. The initiative was set up in the wake of discovery of the Heartbleed vulnerability, as the industry vowed to ensure such a large hole would never be left unplugged again.

While OpenSSL is used by a large number of encrypted websites, there are a number of forks of the project including LibreSSL and the recently launched Google BoringSSL.

Google recently announced that it will lower the page rankings of unencrypted pages in its search results as an added security measure. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015