New vulnerability in OpenSSL

shelley at misanthropia.info
Fri Jun 6 21:58:15 PDT 2014


On Fri, Jun 6, 2014, at 09:30 PM, jim bell wrote:
>
> BOSTON — Security researchers have uncovered new bugs in the Web
> encryption software that caused the pernicious “Heartbleed” Internet
> threat that surfaced in April.

Direct info:
https://www.openssl.org/news/secadv_20140605.txt


> 
> Experts said the newly discovered vulnerabilities in OpenSSL, which could
> allow hackers to spy on communications, do not appear to be as serious a
> threat as Heartbleed.
>
> The new bugs were disclosed on Thursday as the group responsible for
> developing that software released an OpenSSL update that contains seven
> security fixes.
>
> Experts said that websites and technology firms that use OpenSSL
> technology should install the update on their systems as quickly as
> possible. Still, they said that could take several days or weeks because
> companies need to first test systems to make sure they are compatible
> with the update.
>
> "They are going to have to patch. This will take some time," said Lee
> Weiner, senior vice president with cybersecurity software maker Rapid7.
>
> OpenSSL technology is used on about two-thirds of all websites, including
> ones run by Amazon.com, Facebook, Google, and Yahoo. It is also
> incorporated into thousands of technology products from companies,
> including Cisco Systems, Hewlett-Packard, IBM, Intel, and Oracle.
>
> The widespread Heartbleed bug surfaced in April when it was disclosed
> that the flaw potentially exposed users of those websites and
> technologies to attack by hackers who could steal large quantities of
> data without leaving a trace. That prompted fear that attackers may have
> compromised large numbers of networks without their knowledge.
>
> Security experts said Thursday that the newly discovered bugs are more
> difficult to exploit than Heartbleed, making those vulnerabilities less
> of a threat.
>
> Still, until users of the technology update their systems, “there is a
> window of opportunity” for sophisticated hackers to launch attacks and
> exploit the newly uncovered vulnerabilities, said Tal Klein, vice
> president of strategy with cloud security firm Adallom.




More information about the cypherpunks mailing list