The new flaws were disclosed when a new update for OpenSSL was pushed out the door. The patch is listed as critical and OpenSSL recommends the patch be installed as soon as possible. If you know the corporate world this could still mean that sites and technologies will be vulnerable for days or even weeks as each business validates the patch to ensure that it will not affect other systems.
One of the bugs that affects SSL/TLS looks to be a little more serious and may goad companies to run this patch through much faster. Titled CVE-2014-0224 this little bug affects all clients and servers running version 1.0.1. According to OpenSSL:
“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”
Now what is very interesting is that this bug has existed since the first release of OpenSSL and is just now being patched. It seems that after Heartblaeed the gang at OpenSSL have deiced to step up their game and review the API to make sure it is actually secure. The fact that they have found multiple critical bugs shortly after Heartbleed is a big deal and should make people think about just how secure some security products and APIs really are…
You can read the advisory here
Tell us what you think in our Forum