Heartbleed-like OpenSSL bug active for more than 16 years
A security flaw in OpenSSL, active since 1998, has been discovered by a group of researchers in Japan
Japanese researchers have uncovered another vital flaw in OpenSSL that has been active and available to criminals for more than 16 years.
The Heartbleed bug saw thousands of panicked internet companies and users scrambling to shore up their security. Just a few months after that mad scramble, a security team has discovered one that has gone unchecked for more than 16 years.
In a blog entry, Masashi Kikuchi, one of the security researchers at Lepidum, outlined how the flaw, named the CCS Injection Vulnerability, has been active since before 1998. The exploit affects a protocol used at the end of an SSL communication named the ChangeCipherSpec.
Hackers with knowledge of the bug have been able to intercept and then decrypt data travelling between OpenSSL servers and clients, conducting so-called "man-in-the-middle" attacks.
"The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation," wrote Kikuchi.
"If the reviewers had enough experience, they should have been verified the OpenSSL code in the same way they do their own code. They could have detected the problem [earlier]."
The team behind OpenSSL have acknowledged the security flaw and published an advisory asking users to upgrade their software to avoid the bug.
"The good news is that these attacks need a man-in-the-middle position against the victim and that non-OpenSSL clients (Internet Explorer, Firefox, Chrome and Safari) aren't affected," wrote Google software engineer Adam Langley in a post on the exploit. "None the less, all OpenSSL users should be updating,"
Companies have been jittery in the wake of Heartbleed. Remnants of it are still being discovered, including a variant found to be exploiting wireless routers and Android phones.
A group of tech giants, including Microsoft, Amazon and Google, have also announced that they will be funding a security audit for OpenSSL. It comes as the team behind the open source software blamed lack of resources for their failure to spot bugs.
How inkjet can transform your business
Get more out of your business by investing in the right printing technologyDownload now
Journey to a modern workplace with Office 365: which tools and when?
A guide to how Office 365 builds a modern workplaceDownload now
Modernise and transform your sales organisation
Learn how a modernised sales process can drive your businessDownload now
Your guide to managing cloud transformation risk
Realise the benefits. Mitigate the risksDownload now