Heartbleed-like OpenSSL bug active for more than 16 years

A security flaw in OpenSSL, active since 1998, has been discovered by a group of researchers in Japan

Japanese researchers have uncovered another vital flaw in OpenSSL that has been active and available to criminals for more than 16 years.

The Heartbleed bug saw thousands of panicked internet companies and users scrambling to shore up their security. Just a few months after that mad scramble, a security team has discovered one that has gone unchecked for more than 16 years.

In a blog entry, Masashi Kikuchi, one of the security researchers at Lepidum, outlined how the flaw, named the CCS Injection Vulnerability, has been active since before 1998. The exploit affects a protocol used at the end of an SSL communication named the ChangeCipherSpec.

Hackers with knowledge of the bug have been able to intercept and then decrypt data travelling between OpenSSL servers and clients, conducting so-called "man-in-the-middle" attacks.

Advertisement - Article continues below
Advertisement - Article continues below

"The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation," wrote Kikuchi.

"If the reviewers had enough experience, they should have been verified the OpenSSL code in the same way they do their own code. They could have detected the problem [earlier]."

The team behind OpenSSL have acknowledged the security flaw and published an advisory asking users to upgrade their software to avoid the bug.

"The good news is that these attacks need a man-in-the-middle position against the victim and that non-OpenSSL clients (Internet Explorer, Firefox, Chrome and Safari) aren't affected," wrote Google software engineer Adam Langley in a post on the exploit. "None the less, all OpenSSL users should be updating,"

Companies have been jittery in the wake of Heartbleed. Remnants of it are still being discovered, including a variant found to be exploiting wireless routers and Android phones.

A group of tech giants, including Microsoft, Amazon and Google, have also announced that they will be funding a security audit for OpenSSL. It comes as the team behind the open source software blamed lack of resources for their failure to spot bugs.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

How to protect against a DDoS attack

25 Oct 2019
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020
Microsoft Windows

Windows 7 bug blocks users from shutting down their PCs

10 Feb 2020

Coronavirus starts to take its toll on the tech industry

6 Feb 2020