OpenSSL Delivers Patch To Fix Critical Vulnerability

OpenSSL has been updated to address a single ‘high severity’ vulnerability found in OpenSSL 1.0.1 and 1.0.2.

And the good news is that there are no reports of the vulnerability being publicly exploited.

Heartbleed Rerun?

OpenSSL is an open source technology used by many websites and applications to protect customer data. It made the headlines last year following the discovery of the infamous ‘Heartbleed’ bug that could allow an attacker to acquire encryption keys from web servers, and OpenSSL was forced to quickly issue a patch.

But the new vulnerability concerns those users who upgraded to OpenSSL 1.0.1 and 1.0.2 in June.

According to Threatpost, the vulnerability could allow an attacker holding an untrusted TLS certificate to have it treated as a certificate authority (CA) certificate and so impersonate another website. This could allow an attacker, for example, to redirect traffic, mount man-in-the-middle attacks, run phishing schemes and carry out other attacks that compromise encrypted traffic.

“It’s a bad bug, but only affects anyone who installed the release from June,” Rich Salz, a member of the OpenSSL development team, was quoted as saying by Threatpost. “The bug was introduced during that update and affected relatively few organisations. It’s a bad bug, but the impact is low. We haven’t heard any reports of it being used in production.”

Funding Problem?

Vulnerabilities like this tend to cast the collective spotlight on the lack of funding received by developers of widely used open source technologies.

Earlier this year, researchers at SourceDNA found a bug in version 2.5.2 of AFNetworking, a library used by many iOS and Mac OS X developers for networking functions. It was feared that as many as 25,000 iOS apps were vulnerable to man-in-the-middle attacks capable of stealing user data through the use of freely available SSL certificates.

Those vulnerabilities highlight the fact that many open source technologies, whilst widely used, do not receive funding in line with their importance.

Commercial organisations, for example, tend to have large security teams and offer “bug bounty” schemes that deliver financial rewards for the discovery of bugs and vulnerabilities in their products.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
