Heartbleed strikes back in 16-year-old OpenSSL bug


by Jimmy Nicholls | 05 June 2014

You thought Heartbleed was over?

Heartbleed's successor has arrived: a separate OpenSSL vulnerability, tracked as CVE-2014-0224 and present in the code for 16 years, gives attackers another route to eavesdrop on those using the open-source cryptographic library.

The bug concerns the ChangeCipherSpec (CCS) message, which is normally sent near the end of an SSL/TLS "handshake" to signal that the freshly negotiated keys are about to take effect. Vulnerable versions of OpenSSL accepted a CCS before the key exchange had produced a master secret, so an attacker sitting between the client and server could inject one to both sides and force them to derive their session keys from an empty master secret, which the attacker can compute as well. The practical effect, decrypting and tampering with the session, resembles the outcome of Heartbleed, but the mechanism is different: Heartbleed leaked server memory to anyone who asked, whereas CCS Injection needs an active man-in-the-middle and, according to the OpenSSL advisory, a vulnerable client talking to a vulnerable server (all OpenSSL client versions were affected; servers only on 1.0.1 and 1.0.2-beta1).
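To make the state-machine failure concrete, here is an added toy model written for this article, not code from OpenSSL or from Kikuchi's write-up. It keeps only the essential ordering bug: an endpoint that processes ChangeCipherSpec before the key exchange derives its record keys from an empty master secret plus the two public hello randoms, which a man-in-the-middle can reproduce. The PRF, the record "encryption", and the `Endpoint` and `run_handshake` helpers are simplifications invented for the demonstration; the model stops after the injected CCS, does not replay the later legitimate CCS, and ignores the version-specific details that in practice limited the full attack to 1.0.1 servers.

```python
import hashlib
import hmac
import os


def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Toy stand-in for the TLS PRF: a single HMAC-SHA256 block (assumption)."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy record protection: XOR with a key-derived stream (messages <= 32 bytes).

    Symmetric, so the same call decrypts. Real TLS uses a proper cipher suite.
    """
    assert len(data) <= 32, "toy keystream is only 32 bytes long"
    stream = prf(key, b"record stream", b"")
    return bytes(d ^ s for d, s in zip(data, stream))


class Endpoint:
    """One side of the handshake.

    reject_early_ccs=False models unpatched OpenSSL, which accepted a
    ChangeCipherSpec at any point; True models the fixed state machine.
    """

    def __init__(self, name: str, reject_early_ccs: bool):
        self.name = name
        self.reject_early_ccs = reject_early_ccs
        self.master_secret = None  # set only once the key exchange completes
        self.record_key = None     # set when ChangeCipherSpec is processed

    def on_key_exchange(self, premaster: bytes, client_random: bytes, server_random: bytes):
        self.master_secret = prf(premaster, b"master secret", client_random + server_random)

    def on_change_cipher_spec(self, client_random: bytes, server_random: bytes):
        if self.master_secret is None:
            if self.reject_early_ccs:
                raise ValueError(f"{self.name}: ChangeCipherSpec before key exchange")
            # Unpatched behaviour: whatever master secret exists is used,
            # and before the key exchange that is a secret of length zero.
            secret = b""
        else:
            secret = self.master_secret
        self.record_key = prf(secret, b"key expansion", server_random + client_random)


def run_handshake(client_patched: bool, server_patched: bool) -> dict:
    """Run the toy handshake with a MitM injecting CCS right after ServerHello.

    Returns whether the handshake aborted and whether the attacker, knowing
    only the public hello randoms, ends up with the same record key.
    """
    client = Endpoint("client", reject_early_ccs=client_patched)
    server = Endpoint("server", reject_early_ccs=server_patched)

    # ClientHello/ServerHello randoms travel in the clear; the attacker sees them.
    client_random = os.urandom(32)
    server_random = os.urandom(32)

    # The attacker injects ChangeCipherSpec towards both sides before the
    # key exchange has happened.
    try:
        client.on_change_cipher_spec(client_random, server_random)
        server.on_change_cipher_spec(client_random, server_random)
    except ValueError as err:
        return {"aborted": str(err), "keys_match": False, "attacker_reads": False}

    # The genuine key exchange still takes place, but in this simplified model
    # the record keys were already fixed by the injected CCS above.
    premaster = os.urandom(48)  # the attacker never learns this value
    client.on_key_exchange(premaster, client_random, server_random)
    server.on_key_exchange(premaster, client_random, server_random)

    # Attacker's derivation: empty master secret plus the public randoms.
    attacker_key = prf(b"", b"key expansion", server_random + client_random)

    message = b"GET /account HTTP/1.1"  # constructed sample application data
    ciphertext = toy_encrypt(client.record_key, message)
    recovered = toy_encrypt(attacker_key, ciphertext)

    return {
        "aborted": None,
        "keys_match": client.record_key == server.record_key == attacker_key,
        "attacker_reads": recovered == message,
    }


if __name__ == "__main__":
    for c, s in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"client_patched={c} server_patched={s}: {run_handshake(c, s)}")
```

The fix is the line that raises: the handshake state machine must refuse a ChangeCipherSpec until a master secret exists, rather than silently deriving keys from an empty one. Note that a single patched side is enough to abort the toy handshake, which matches the advisory's statement that the real attack needs both ends to be vulnerable.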

Masashi Kikuchi, the researcher at Japanese software company Lepidum who found the bug, said: "The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation."

In a security advisory on Thursday, the OpenSSL project confirmed the problem and released fixed versions (0.9.8za, 1.0.0m and 1.0.1h), urging affected companies to apply the newly released patch.
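A quick check a practitioner would want after the advisory: does a given `openssl version` string carry the fix? The function below is an added example, not an OpenSSL tool. Its fixed-version table is taken from the 5 June 2014 advisory (0.9.8za, 1.0.0m, 1.0.1h), and the sample version strings in the usage are constructed for the demonstration. The one non-obvious part is the letter suffix: OpenSSL went from 0.9.8z to 0.9.8za, and plain string comparison happens to order those correctly.

```python
import re
import subprocess

# First release on each affected branch that carries the CVE-2014-0224 fix
# (from the OpenSSL advisory of 5 June 2014).
FIXED_LETTER = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Matches "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 0.9.8za", "OpenSSL 1.0.2-beta1".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(text: str):
    """Return (branch, letter, beta) from an `openssl version` line.

    Example: "OpenSSL 1.0.1g 7 Apr 2014" -> ("1.0.1", "g", None).
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    branch, letter, beta = m.group(1), m.group(2), m.group(3)
    return branch, letter, (int(beta) if beta else None)


def is_fixed(text: str) -> bool:
    """True if the upstream version string includes the CCS Injection fix.

    Letter suffixes compare as plain strings: "y" < "z" < "za" < "zb", and an
    empty suffix (the base release) sorts before any letter, which is correct
    because e.g. plain 1.0.1 predates 1.0.1h.
    """
    branch, letter, beta = parse_version(text)
    if branch in FIXED_LETTER:
        return letter >= FIXED_LETTER[branch]
    # Branches after 1.0.1: the advisory lists 1.0.2-beta1 as vulnerable;
    # every later 1.0.2 beta and release, and all later branches, are fixed.
    if tuple(int(x) for x in branch.split(".")) > (1, 0, 1):
        return not (branch == "1.0.2" and beta == 1)
    # Anything older than 0.9.8 was out of support long before the advisory.
    return False


def local_openssl_fixed() -> bool:
    """Run the local `openssl version` binary and classify its output."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return is_fixed(out)


if __name__ == "__main__":
    # Constructed sample strings, not output captured from any real host.
    for sample in ["OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014",
                   "OpenSSL 0.9.8y", "OpenSSL 0.9.8za", "OpenSSL 1.0.2-beta1"]:
        print(f"{sample!r}: fixed={is_fixed(sample)}")
```

Caveat: Linux distributions routinely backport the fix without changing the upstream version letter, so a Debian or Red Hat package that reports 1.0.1e may already be patched. On such systems check the package changelog or the distribution's own advisory (for example `rpm -q --changelog openssl | grep CVE-2014-0224`) rather than trusting the version string alone.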

"If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code," Kikuchi said. "They could have detected the problem."

Given the less memorable moniker of the CCS Injection Vulnerability, the bug is yet another blow for OpenSSL, which in April was found to leak chunks of server memory to any remote client (the Heartbleed bug), prompting the likes of Facebook, Tumblr and Google to patch their systems and advise users to change their passwords.

Also this week came Cupid, nicknamed the "Son of Heartbleed": not a new flaw, but the Heartbleed memory leak reached over EAP wireless authentication (EAP-TLS, EAP-TTLS and PEAP), letting a rogue access point or a rogue client read memory from vulnerable Android devices, Linux systems running wpa_supplicant or hostapd, and corporate wireless networks.

Recently a coalition of technology giants including Microsoft, Amazon and Google announced, through the Linux Foundation's Core Infrastructure Initiative, that they would fund a security audit of OpenSSL, with the initiative's $3.6m over the next three years also paying for two full-time developers to work on the library.
