OpenSSL flaw is scary but it's no Heartbleed

The recently discovered and fixed OpenSSL flaw needs serious attention, and researchers say that it could be even more dangerous than Heartbleed.

Masashi Kikuchi, a researcher at the Japanese IT consulting company Lepidum, discovered the bug in early June this year and says that the vulnerability has been present in OpenSSL for over 16 years.

"The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation. If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code. They could have detected the problem," explains Kikuchi.

OpenSSL is expected to protect people's data on the Internet. However, in April this year, researchers found Heartbleed, a security bug that affected a large number of Internet users. Just two months later, researchers have found another OpenSSL security flaw.

According to The Guardian, the latest OpenSSL flaw may be even more dangerous than Heartbleed, as it can be used to intercept people's communications. The vulnerability discovered by Kikuchi is said to affect all PC and mobile software that uses OpenSSL builds preceding OpenSSL 1.0.1 and the beta version of OpenSSL 1.0.2. Fixes for the vulnerability have been issued by OpenSSL. Security experts say that Chrome for Desktop and iOS, Firefox, Safari and a few other clients are not affected by the vulnerability.

However, all OpenSSL users who are running either OpenSSL 1.0.1 or earlier builds are advised to install the fix so that they are not affected by the bug.

The latest discovered vulnerability can allow a hacker on a public Wi-Fi network to exploit the OpenSSL bug and intercept passwords, usernames and other confidential data, such as credit card details, from others on the same network. The hackers can also alter data received and sent by other users on the network. Tatsuya Hayashi, a researcher with Lepidum, says that victims of the latest OpenSSL vulnerability will not even be able to detect any "trace of the attacks."

Nick Percoco, vice president of strategic services at security firm Rapid7, says that fixing the latest flaw will be more difficult than it was for Heartbleed. Percoco says that Heartbleed only affected OpenSSL versions that are about two years old. The latest issue, however, goes back to 1998, when OpenSSL was first released.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.