Only three months after uncovering the Heartbleed bug, two new data security threats were discovered in the same OpenSSL software package used to encrypt the majority of web communications. Although not as dangerous as Heartbleed, security experts warn these new bugs still present windows of opportunity for hackers and should be taken seriously.
OpenSSL uses encryption methods to protect a variety of online communication systems. Nearly two-thirds of websites use OpenSSL, as do thousands of popular technology products, including those made and/or operated by some of the largest companies in the world. Heartbleed created an opening for anyone to directly attack servers using OpenSSL, allowing criminals to steal passwords, private communications and even credit card information without a trace.
Although the recently discovered bugs do not expose information as openly as Heartbleed, they allow thieves to spy on communications between two computers. An attacker who diverts a user's connection before it becomes secure can then inject a command that fools the user into submitting password information over an unsecured, public connection while believing they are on a private, secure site.
The good news is that these new security flaws are more difficult to exploit than Heartbleed: they not only require a middleman, but can only be used when both ends of a connection are running OpenSSL. Because most browsers use SSL implementations other than OpenSSL, they are not affected by these new bugs. Android web clients and servers running more recent SSL versions, on the other hand, are more likely to use vulnerable code, as are many virtual private networks carrying sensitive information.
A patch has been issued and all OpenSSL users are advised to update their systems as quickly as possible. While companies test their systems for compatibility with the update, measures should be taken to ensure information is secure.
Effective information-security programs encompass a range of measures to prevent and manage security threats like Heartbleed, including upgrading security software and IT infrastructure and implementing training for all personnel.