New OpenSSL Bug is More Heartburn than Heartbleed

Only three months after uncovering the Heartbleed bug, two new data security threats were discovered in the same OpenSSL software package used to encrypt the majority of web communications. Although not as dangerous as Heartbleed, security experts warn these new bugs still present windows of opportunity for hackers and should be taken seriously.

OpenSSL uses encryption methods to protect a variety of online communication systems. Nearly two-thirds of websites use OpenSSL, along with thousands of popular technology products, including those made and/or operated by some of the largest companies in the world. Heartbleed created an opening for anyone to directly attack servers using OpenSSL, allowing criminals to steal passwords, private communications and even credit card information without a trace.

Although the recently discovered bugs do not allow as much open access to information as Heartbleed, they permit thieves to spy on communications between two computers. After diverting a user's connection before it becomes secure, the thief injects a command that fools the user into submitting password information over an unsecured, public connection while believing they are on a private, secure site.

The good news is that these new security flaws are more difficult to exploit than Heartbleed: they not only require a middleman, but can only be used when both ends of a connection are running OpenSSL. Because most browsers use SSL implementations other than OpenSSL, they are not affected by these new bugs. Android web clients and servers running more recent SSL versions, on the other hand, are more likely to use the vulnerable code, as are many virtual private networks carrying sensitive information.

A patch has been issued and all OpenSSL users are advised to update their systems as quickly as possible. While companies test their systems for compatibility with the update, interim measures should be taken to ensure that information remains secure.

Effective information-security programs encompass a range of measures to prevent and manage security threats like Heartbleed, including upgrading security software and IT structures and implementing training for all personnel.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomson Reuters Compliance Learning | Attorney Advertising