Security Advisor

New OpenSSL Encryption Flaw Found, Fix Now Available

The vulnerability was discovered in the wake of the Heartbleed bug disclosure.

The OpenSSL Foundation released an advisory today urging users of the online encryption protocol OpenSSL to update their client because of a recently discovered critical flaw.

According to the group, the flaw, which was discovered by Japanese researcher Masashi Kikuchi, could allow an attacker to acquire and decrypt encrypted traffic traveling between a targeted PC and a server.

"An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers," read the advisory. "This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server."

Today's disclosure and fix mark the second major issue with the Linux-based open source standard, used in more than half the active sites on the Internet, since the April discovery of the Heartbleed bug. However, unlike the previous vulnerability, which could allow unauthorized access to and decryption of private online data from any point, today's vulnerability would be much harder to exploit because the attacker has to be physically located somewhere between the PC sending data and the server receiving the encrypted data.

Another factor that limits the attack radius is that both ends of the connection (PC and server) must be running OpenSSL. While a majority of online servers do implement the open source encryption technology, most Web browsers don't.

"In most of our typical communication (browser Web server) we do not have two machines running OpenSSL, because the browser uses a different SSL library," said Wolfgang Kandek, CTO of security firm Qualys, Inc., in an e-mailed statement. "So while there are certainly situations where OpenSSL talks to OpenSSL, for example in command line tools, server to server communication and also in Android browsers (Chrome and native), which use OpenSSL, the conditions necessary for exploitation are quite a bit harder to find."

The flaw, which affects those running OpenSSL versions 0.9.8, 1.0.0 and 1.0.1, could have stayed hidden had it not been for Heartbleed's widespread exposure months ago. According to discoverer Kikuchi, the flaw has been around since the technology became available in 1998. However, it was by investigating Heartbleed further and searching for related vulnerabilities that the latest OpenSSL flaw was found, Kikuchi said in a blog post detailing the vulnerability.

While today's flaw doesn't provide as gaping a hole for attackers to exploit as Heartbleed, fully remediating it will be just as hard to pull off because of the overwhelming number of online servers that use OpenSSL. As for what end users can do to stay protected: avoid using any Web browser that implements the open source encryption tool.

About the Author

Chris Paoli is the site producer for and

