Two months after the Heartbleed vulnerability was disclosed, a new bug has been revealed in the OpenSSL web encryption library. To exploit it, an attacker must be positioned between two communicating computers, so anyone on a shared network is exposed to this bug, and over 12,000 well-known domains are still vulnerable to it.
The OpenSSL Foundation released a warning to all users that a ten-year-old bug makes it possible for an attacker to mount a man-in-the-middle (MITM) attack against OpenSSL. The warning stated that a person can use this flaw to seize a secured connection, decrypt it, and then read the traffic. OpenSSL users need to install the latest patch by upgrading to the latest OpenSSL release. The bug was discovered by the Japanese researcher Masashi Kikuchi. According to Lepidum’s webpage, attackers can eavesdrop on and alter communications if both the server and the client are vulnerable.
The Heartbleed bug could be used to exploit a server running OpenSSL directly, but for this latest bug the attacker must sit between two communicating computers, for example on an airport’s public wireless network. The bug has been present in OpenSSL since the library was first published in 1998, more than a decade before the Heartbleed bug was introduced. Because this bug went unnoticed for so long, it has drawn criticism of how OpenSSL is managed. Since the encryption code is open source, anyone can review or update it, which makes it more secure and more reliable than proprietary code reviewed only by a few engineers inside one company.
The reality is that OpenSSL is maintained by a single full-time developer and three core volunteer programmers, and it operates on a $2,000 budget from yearly donations. This is despite the fact that OpenSSL is used to encrypt most of the web servers across the world and is widely used by well-known technology companies such as Cisco and Amazon.
This latest bug is said to be more hazardous than the recent Heartbleed bug, since it allows snooping directly on users’ communications. Heartbleed, uncovered last April, was believed to be one of the most dangerous vulnerabilities ever found. OpenSSL is used to protect data with digital keys, yet it has failed to do so reliably several times in the past months.
With this latest bug, attackers on the same network as their target could force weak encryption keys between web servers and users’ machines. Once the attackers know those keys, they can intercept or alter the data being sent from the user to the website, deceiving the victim into handing over sensitive details such as usernames and passwords. This is what is known as a man-in-the-middle attack.
This vulnerability affects all PC and mobile software that uses an OpenSSL version older than the latest release, including Google Chrome on Android, and servers running OpenSSL 1.0.1 and the 1.0.2 beta. Many websites run OpenSSL 1.0.1 because that is the branch that received the Heartbleed fix. Internet users still on vulnerable versions need to install the patches described in the OpenSSL advisory, which also include fixes for other flaws.
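A defender’s first question after an advisory like this is whether a given OpenSSL build is in an affected series and below the first patched release. The script below is an added example, not code from the article or from the OpenSSL project: it parses the banner printed by `openssl version` and reports whether the build sits in one of the series the article names as vulnerable (1.0.1 and the 1.0.2 betas). The first patched letter release for each series is not hard-coded; it is passed in as a mapping that you fill from the OpenSSL advisory, and the value used in the demonstration is a constructed placeholder.

```python
import re
import subprocess

# Series the article names as vulnerable: the 1.0.1 line and the 1.0.2 betas.
VULNERABLE_SERIES = ("1.0.1", "1.0.2")

# Matches banners such as "OpenSSL 1.0.1g 7 Apr 2014" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_banner(banner):
    """Return (series, letter, beta) from an `openssl version` banner.

    series is e.g. "1.0.1", letter is the patch-letter suffix ("" if none),
    beta is the beta number or None for a release build.
    """
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, beta = m.groups()
    series = "%s.%s.%s" % (major, minor, patch)
    return series, letter, (int(beta) if beta else None)


def letter_key(letter):
    # OpenSSL letter releases sort a < b < ... < z < za < zb, so compare by
    # length first and then alphabetically; "" (no letter) sorts lowest.
    return (len(letter), letter)


def needs_patch(banner, first_fixed_letter):
    """Decide whether a build is an unpatched member of a vulnerable series.

    first_fixed_letter maps a series ("1.0.1") to the first patched letter
    release named in the advisory. Returns True (unpatched), False (patched)
    or None (series not covered by this check, so consult the advisory).
    """
    series, letter, beta = parse_openssl_banner(banner)
    if series not in VULNERABLE_SERIES:
        return None
    if beta is not None:
        return True  # pre-release builds of a listed series are unpatched
    fixed = first_fixed_letter.get(series)
    if fixed is None:
        return True  # no fixed release known for this series: treat as unpatched
    return letter_key(letter) < letter_key(fixed)


def check_local_openssl(first_fixed_letter):
    """Run `openssl version` on this host and classify the result."""
    try:
        out = subprocess.check_output(["openssl", "version"]).decode()
    except (OSError, subprocess.CalledProcessError):
        return None  # no openssl binary on PATH, or it failed to run
    return needs_patch(out, first_fixed_letter)


if __name__ == "__main__":
    # CONSTRUCTED placeholder: replace "x" with the first patched letter
    # release for the 1.0.1 series as given in the OpenSSL advisory.
    advisory = {"1.0.1": "x"}
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014",        # constructed sample banners
                   "OpenSSL 1.0.2-beta1 24 Feb 2014",
                   "OpenSSL 1.0.1x 1 Jan 2000"):
        print(sample, "->", needs_patch(sample, advisory))
    print("local build needs patch:", check_local_openssl(advisory))
```

The three-valued result is deliberate: a build outside the two listed series is reported as "not covered" rather than "safe", because the article states that all software on older OpenSSL releases is affected and only the advisory lists every fixed version.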
It has been reported that one of the other bugs fixed, which allows an attacker to send malicious code to affected machines running OpenSSL, was introduced by the same developer responsible for the Heartbleed bug.
This is a serious flaw, and the task of fixing it is likely bigger than for the Heartbleed bug. Clients that do not use OpenSSL, such as IE, Firefox, Safari, and Chrome on desktop and iOS, are not affected, but all OpenSSL users need to update. The browsers vulnerable to this flaw are the Android browser and Chrome for Android. It is not surprising to find more flaws in OpenSSL, according to Jean Taggart, a researcher at Malwarebytes. To be safe, never use someone else’s Wi-Fi.