Organizations around the world are still licking their wounds inflicted by the Heartbleed bug but researchers have found yet another dangerous flaw in the widely used OpenSSL encryption protocol.
The OpenSSL Foundation published an advisory on Thursday urging users to update their SSL again to fix a bug in the software which could allow hackers to spy on communications.
The non-profit group, whose encryption protocol is used by the majority of Web servers, released a patch to the flaw which is believed to have remained unknown for about a decade, until now.
“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers,” a post on the organization’s site said. “This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.”
The advisory said the attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSl, but servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1, the advisory said. Users of OpenSSL servers earlier than 1.0.1 were advised to upgrade as a precaution.
The issue was discovered by Kikuchi Masashi of Japanese computer software firm Lepidum Co. Ltd., who reported it to the foundation on May 1. The fix was developed by Stephen Henson of the OpenSSL core team “partly based on an original patch from Masashi.
Two months ago when the Heartbleed began grabbing all the headlines, it was estimated that more than 70 per cent of Web sites were affected by the vulnerability, which could allow hackers to grab control of users’ machines.
Even the Canada Revenue Agency was forced to shut down its Web site at the height of tax season.
Heartbleed is a flaw in older versions of OpenSSL, a software that enables encrypted communications between web services and computers. The vulnerability has great potential for creating trouble because OpenSSL is widely used in operating systems, routers and networking equipment.