Security Advisor

New OpenSSL Encryption Flaw Found, Fix Now Available

The vulnerability has been discovered out of the wake of the Heartbleed bug disclosure.

The OpenSSL Foundation released an advisory today that urges those that use the online encryption protocol OpenSSL to update their client due to a critical flaw that was recently discovered.

According to the group, the flaw, which was discovered by Japanese researcher Masashi Kikuch, could allow an attacker to acquire and decrypt encrypted traffic traveling between a targeted PC and a server.

"An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers," read the advisory. "This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server."

Today's disclosure and fix marks the second major issue with the Linux-based open source standard, used in more than half the active sites on the Internet, since the April discovery of the Heartbleed bug. However, unlike the previous vulnerability that could allow for unauthorized access and decryption of private online data from any point, today's vulnerability would be much harder to exploit due to having to be physically located somewhere between the PC sending data and the server receiving the encrypted data.

Another factor that limits the attack radius is that both ends of the connection (PC and server) must be running OpenSSL. While a majority of online servers do implement the open source encryption technology, most Web browsers don't.

"In most of our typical communication (browser Web server) we do not have two machines running OpenSSL, because the browser uses a different SSL library," said Wolfgang Kandek, CTO of security firm Qualys, Inc., in an e-mailed statement. "So while there are certainly situations where OpenSSL talks to OpenSSL, for example in command line tools, server to server communication and also in Android browsers (Chrome and native), which use OpenSSL, the conditions necessary for exploitation are quite a bit harder to find."

The discovery of the flaw, which affects those running OpenSSL versions 0.9.8, 1.0.0 and 1.0.1, could have stayed hidden if it wasn't for Heartbleed's widespread exposure months ago. According to discoverer Kikuch, the flaw has been around since the technology was available in 1998. However, by investigating Heartbleed further, and searching for any related vulnerabilities, the latest OpenSSL flaw was found, Kikuch discussed in a blog post detailing the vulnerability.

While today's flaw doesn't provide as gaping of a hole for attackers to exploit as Heartbleed, its total alleviation will be just as hard to pull off due to the overwhelming number of online servers that use OpenSSL. As for what end users can do to stay protected, avoid using any Web browser that implements the open source encryption tool.  

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Gears

    Top 10 Microsoft Tips and Analyses of 2018

    Here are the year's most popular explainers and how-to columns -- along with some plain, old "Why did Microsoft do that?" musings thrown in.

  • Sign

    2018 Microsoft Predictions Revisited

    From guessing the fate of Windows 10 S to predicting Microsoft's next big move with Linux, Brien's predictions from a year ago were on the mark more than they weren't.

  • Microsoft Recaps Delivery Optimization Bandwidth Controls for Organizations

    Microsoft expects organizations using its Delivery Optimization peer-to-peer update scheme will optimally see 60 percent to 70 percent improvements in terms of network bandwidth use.

  • Getting a Handle on Hyper-V Virtual NICs

    Hyper-V usually makes it easy to configure virtual network adapters within VMs. That is, until you need to create a VM containing multiple virtual NICs.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.