New OpenSSL Bug is More Heartburn than Heartbleed

Only three months after uncovering the Heartbleed bug, two new data security threats were discovered in the same OpenSSL software package used to encrypt the majority of web communications. Although not as dangerous as Heartbleed, security experts warn these new bugs still present windows of opportunity for hackers and should be taken seriously.

OpenSSL provides the encryption that protects a variety of online communication systems. Nearly two-thirds of websites use OpenSSL, along with thousands of popular technology products, including those made and/or operated by some of the largest companies in the world. Heartbleed created an opening for anyone to directly attack servers using OpenSSL, allowing criminals to steal passwords, private communications and even credit card information without a trace.

Although the recently discovered bugs do not allow as much open access to information as Heartbleed, they permit thieves to spy on communications between two computers. After diverting a user's connection before it becomes secure, thieves then inject a command that fools users into submitting password information into an unsecured, public connection, thinking they are on a private, secure site.

The good news is these new security flaws are more difficult to exploit than Heartbleed; they not only require a middleman, but can only be used when both ends of a connection are running OpenSSL. Because most browsers use SSL implementations other than OpenSSL, they are not affected by these new bugs. Android web clients and servers running more recent SSL versions, on the other hand, are more likely to use vulnerable code, as are many virtual private networks containing sensitive information.

A patch has been issued and all OpenSSL users are advised to update their systems as quickly as possible. While companies test their systems for compatibility with the update, measures should be taken to ensure information is secure.

Effective information-security programs encompass a range of measures to prevent and manage security threats like Heartbleed, including upgrading security software and IT structures and implementing training for all personnel.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WeComply, a Thomson Reuters business | Attorney Advertising