Heartbleed strikes back in 16-year-old OpenSSL bug

Data Jimmy Nicholls

16:47, June 5 2014


You thought Heartbleed was over?

Heartbleed has struck back in an OpenSSL vulnerability 16 years in the making, allowing hackers another opportunity to eavesdrop on those using the open-source security layer.

Targeting the ChangeCipherSpec (CCS) message, which is normally sent at the end of an SSL "handshake", the bug raises the possibility that hackers sitting between the client and server could eavesdrop on the messages sent, in much the same way as in the Heartbleed bug.
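The ordering described above is what a defender can look for on the wire: a CCS is expected only after the key exchange, so one that shows up before any ClientKeyExchange is the anomaly. The following is an added example, not code from the article, OpenSSL or Lepidum. It parses the records of a single TLS connection, in the order a passive monitor would see them, and reports whether the first CCS arrived early. All record bytes are constructed inline; the record and handshake layouts are the standard TLS ones, and the content-type and message-type constants are the standard TLS values.

```python
"""Passive check for a ChangeCipherSpec record that arrives before the
handshake's key exchange.

Added example, not code from the article or OpenSSL. It assumes the records
of one TLS connection are supplied in the order a passive monitor saw them
(both directions interleaved) and that TCP reassembly is already done.
"""
import struct

# TLS record-layer content types
CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22

# Handshake message types used in the constructed samples
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_SERVER_HELLO_DONE = 14
HS_CLIENT_KEY_EXCHANGE = 16


def record(content_type, body, version=b"\x03\x01"):
    """Build one record: type (1 byte), version (2), length (2), body."""
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body


def handshake_msg(msg_type, body=b""):
    """Build one handshake message: type (1 byte), length (3), body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def parse_records(stream):
    """Split a byte stream into (content_type, body) tuples; strict on length."""
    records = []
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header at offset %d" % off)
        ctype = stream[off]
        length = struct.unpack("!H", stream[off + 3:off + 5])[0]
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, body))
        off += 5 + length
    return records


def handshake_types(body):
    """Yield the message types inside a plaintext handshake record body."""
    off = 0
    while off + 4 <= len(body):
        yield body[off]
        off += 4 + int.from_bytes(body[off + 1:off + 4], "big")


def first_ccs_is_early(stream):
    """Return (early, index) for the first CCS record in the stream.

    early is True when no ClientKeyExchange preceded that CCS. Everything
    before the first CCS is plaintext, so inspecting handshake bodies up to
    that point is sound. Returns (False, None) if there is no CCS at all.
    """
    seen_key_exchange = False
    for idx, (ctype, body) in enumerate(parse_records(stream)):
        if ctype == CONTENT_HANDSHAKE:
            if HS_CLIENT_KEY_EXCHANGE in handshake_types(body):
                seen_key_exchange = True
        elif ctype == CONTENT_CHANGE_CIPHER_SPEC:
            return (not seen_key_exchange, idx)
    return (False, None)


# Constructed sample flows. The bytes after CCS stand in for the encrypted
# Finished message; real ciphertext is opaque to this check anyway.
_HELLOS = (
    record(CONTENT_HANDSHAKE, handshake_msg(HS_CLIENT_HELLO))
    + record(CONTENT_HANDSHAKE,
             handshake_msg(HS_SERVER_HELLO)
             + handshake_msg(HS_CERTIFICATE)
             + handshake_msg(HS_SERVER_HELLO_DONE))
)
_CCS = record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
_FINISHED_PLACEHOLDER = record(CONTENT_HANDSHAKE, b"\x00" * 16)

NORMAL_STREAM = (_HELLOS
                 + record(CONTENT_HANDSHAKE, handshake_msg(HS_CLIENT_KEY_EXCHANGE))
                 + _CCS + _FINISHED_PLACEHOLDER + _CCS + _FINISHED_PLACEHOLDER)

# CCS shows up right after the server's hello flight, before any key exchange.
EARLY_CCS_STREAM = (_HELLOS + _CCS
                    + record(CONTENT_HANDSHAKE, handshake_msg(HS_CLIENT_KEY_EXCHANGE)))

if __name__ == "__main__":
    print("normal:", first_ccs_is_early(NORMAL_STREAM))
    print("early :", first_ccs_is_early(EARLY_CCS_STREAM))
```

One caveat before running this against real traffic: an abbreviated handshake (session resumption) legitimately has the server send CCS straight after ServerHello with no ClientKeyExchange, so a monitor must recognise resumed sessions (matching session IDs in the hellos) or it will flag them too. The check is also per connection and needs reassembled, ordered records; it is a heuristic for triage, not a substitute for applying the OpenSSL patch.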

Masashi Kikuchi, the Japanese IT researcher of Lepidum who found the bug, said: "The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation."

In an announcement on Thursday the non-profit OpenSSL Foundation confirmed the problem, urging affected companies to apply a newly released patch.

"If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code," Kikuchi said. "They could have detected the problem."

Given the less memorable moniker of the CCS Injection Vulnerability, the bug is yet another blow for the open-source security layer OpenSSL, which was revealed to be vulnerable to eavesdropping in April, prompting the likes of Facebook, Tumblr and Google to patch their systems and advise users to change their passwords.

A similar bug called Cupid and nicknamed the "Son of Heartbleed" also emerged this week, allowing hackers to conduct man-in-the-middle attacks on Android, Linux and corporate wireless network users.

Recently a coalition of technology giants including Microsoft, Amazon and Google announced they would be funding a security audit of OpenSSL sought by the Linux Foundation, with $3.6m over the next three years also paying for two developers to work on the technology.

Source: Company Press Release
