June 6, 2014
New Critical Weaknesses Uncovered In OpenSSL Encryption
Peter Suciu for redOrbit.com - Your Universe Online
This week, new security holes were reportedly uncovered in the same software that was responsible for the insidious "Heartbleed" bug, which may have left as many as 500,000 websites vulnerable to attacks in April. While the newly discovered bugs are not believed to be as serious as Heartbleed, and could be harder for hackers to exploit, the problem continues to affect OpenSSL, which is used by many tech companies including Google, Facebook, Yahoo and Amazon.
The new bugs were disclosed on Thursday, and these latest vulnerabilities were found as various researchers sought to close Heartbleed. Many of the big firms that use OpenSSL have pledged money to the smaller organizations that developed SSL to help improve the bug finding and fixing efforts, BBC News reported. While the earlier vulnerability was being patched, new flaws were discovered.
Security experts have warned that all websites and technology firms that currently utilize OpenSSL should install updates to patch their systems. As with Heartbleed, this could take days or even weeks, as firms will have to run tests to ensure that the patches are compatible with their systems.
"They are going to have to patch. This will take some time," Lee Weiner, senior vice president with cybersecurity software maker Rapid7, told Reuters.
However, other security experts think the problem could be much deeper than is currently being reported. Security researcher Tatsuya Hayashi, who helped find one of the critical bugs this week, told The Guardian that these latest flaws could be "more dangerous than Heartbleed."
Part of the reason is that the bug is buried so deeply in the code. It may have been introduced in 1998, and over the following 16 years it was missed by both paid and volunteer developers. Thus it could be hard to root out. This vulnerability could affect any PC or mobile software that relies on a version of OpenSSL prior to the latest one; this is believed to include the Chrome browser on Android phones, as well as servers running OpenSSL 1.0.1 and the 1.0.2 beta.
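Because the affected set is "everything before the patched release on each branch", the first practical step for an operator is an inventory check: take the banner that `openssl version` prints on each host and compare it against the fixed release for that branch. The script below is an added example written for this article, not code from the article or from the OpenSSL project. It parses OpenSSL's version scheme (numeric branch, then a letter suffix where `z` < `za` < `zb`, and `-betaN` sorting before the final release) and classifies a banner against a caller-supplied "fixed in" table. The banners and the table in the usage section are constructed for illustration; the real patched releases must be taken from the OpenSSL advisory for your branch.

```python
"""Classify `openssl version` banners against a table of fixed releases.

Added example for this article; the fixed-release table is a constructed
placeholder and must be filled from the OpenSSL security advisory.
"""
import re
from typing import Dict, Optional, Tuple

# OpenSSL banners look like "OpenSSL 1.0.1g 7 Apr 2014",
# "OpenSSL 0.9.8za 5 Jun 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014",
# or "OpenSSL 1.0.1e-fips 11 Feb 2013" (the -fips tag does not change ordering).
_VERSION_RE = re.compile(
    r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letters>[a-z]*)"
    r"(?:-(?P<pre>beta|pre)(?P<prenum>\d*))?"
)

# Sort key: (major, minor, patch, is_final, prerelease_number,
#            len(letter_suffix), letter_suffix).
# is_final=0 for betas so "1.0.2-beta1" < "1.0.2"; the suffix is ordered by
# length first so that "z" < "za" < "zb", matching OpenSSL's release history.
VersionKey = Tuple[int, int, int, int, int, int, str]


def parse_openssl_version(banner: str) -> Optional[VersionKey]:
    """Return a comparable key for an OpenSSL banner, or None if unrecognized."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(m.group(g)) for g in ("major", "minor", "patch"))
    letters = m.group("letters")
    is_final = 0 if m.group("pre") else 1
    prenum = int(m.group("prenum") or 0)
    return (major, minor, patch, is_final, prenum, len(letters), letters)


def branch_of(key: VersionKey) -> str:
    """The maintenance branch a release belongs to, e.g. '1.0.1'."""
    return "%d.%d.%d" % key[:3]


def classify(banner: str, fixed_in: Dict[str, str]) -> str:
    """Compare a banner with the fixed release of its branch.

    Returns 'patched', 'needs-update', 'unknown-branch' (branch not in the
    table, so no verdict is possible) or 'unparsed' (not an OpenSSL banner).
    """
    key = parse_openssl_version(banner)
    if key is None:
        return "unparsed"
    fixed = fixed_in.get(branch_of(key))
    if fixed is None:
        return "unknown-branch"
    fixed_key = parse_openssl_version("OpenSSL " + fixed)
    if fixed_key is None:
        raise ValueError("bad entry in fixed_in table: %r" % fixed)
    return "patched" if key >= fixed_key else "needs-update"


if __name__ == "__main__":
    # Constructed placeholder table: branch -> first release carrying the fix.
    # Replace every value with the release named in the OpenSSL advisory.
    fixed_in = {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"}
    # Constructed sample banners, as collected from a fleet inventory.
    banners = [
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1h 5 Jun 2014",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "LibreSSL 2.0",
    ]
    for b in banners:
        print("%-36s %s" % (b, classify(b, fixed_in)))
```

The `unknown-branch` result is deliberate: a banner whose branch is missing from the table (here the 1.0.2 beta) is reported rather than silently treated as safe, which is the failure mode an inventory script must avoid.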
"The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation," said security researcher Masashi Kikuchi, who also helped find what is now known as the CCS Injection Vulnerability. "If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code. They could have detected the problem."
Fixing these holes could be a far bigger undertaking than Heartbleed was, Nick Percoco, vice president of strategic services at Rapid7, told The Guardian.
"From a remediation standpoint it is actually worse for organizations running OpenSSL on the server side. Heartbleed only affected versions back about two years," he said. "This issue goes back to the first release of OpenSSL in 1998. That means there were likely many people running versions that were not affected by Heartbleed that didn't patch last time."
The sky is not falling, however, and it is too early to panic: that was the take of James Lyne, writing for Forbes on Thursday.
"All software has defects and the reporting of such a large group of vulnerabilities is actually reassuring," Lyne wrote. "During the Heartbleed saga we learned that the team responsible for maintaining this crucial code is surprisingly small, underfunded and the code under-reviewed."
To that end he suggested: "Make sure your organization has a plan to patch these defects to prevent attackers from crashing your critical systems or potentially executing malicious code. In particular, pay close attention to web servers, but any other system that uses SSL to encrypt information, including appliances, may have the defect too."