Brace yourself. Mystery OpenSSL high severity vulnerability due to be fixed on Thursday

Graham Cluley

New versions of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, are due to be released on Thursday, patching a series of security vulnerabilities.

And one of those security vulnerabilities, according to the software’s developers, is considered “highly serious”.

Details of the nature of the security flaws are currently non-existent, but an advisory published on Monday does explain that updates will be issued for OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
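Added example, not part of the original post: a small check of whether a host's `openssl version` banner is at or past the fixed releases listed above. It only reads the version string, so it cannot see distribution backports that keep an older number while carrying the fix; the banners it classifies here are constructed samples.

```python
import re
import subprocess

# Fixed releases named in the advisory, keyed by branch -> patch-letter suffix.
FIXED = {"1.0.2": "a", "1.0.1": "m", "1.0.0": "r", "0.9.8": "zf"}

# Matches banners such as "OpenSSL 1.0.1k 8 Jan 2015" (the `openssl version` format).
_VER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Return (branch, suffix), e.g. ('1.0.1', 'k'), or None if no OpenSSL banner is found."""
    m = _VER_RE.search(text)
    if not m:
        return None
    return m.group(1), m.group(2)


def suffix_key(suffix):
    # OpenSSL patch letters order by length first, then alphabetically:
    # '' < 'a' < ... < 'z' < 'za' < ... < 'zf'  (the 0.9.8 branch went past 'z').
    return (len(suffix), suffix)


def assess(text):
    """Classify a banner as 'patched', 'vulnerable', 'not-in-advisory' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    branch, suffix = parsed
    fixed = FIXED.get(branch)
    if fixed is None:
        return "not-in-advisory"   # branch not covered by this advisory
    return "patched" if suffix_key(suffix) >= suffix_key(fixed) else "vulnerable"


def assess_local():
    """Run the local `openssl version` and classify it (caveat: backports are invisible here)."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False).stdout
    return assess(out)


if __name__ == "__main__":
    # Constructed sample banners for illustration.
    for banner in ["OpenSSL 1.0.1k 8 Jan 2015", "OpenSSL 0.9.8ze 15 Jan 2015", "OpenSSL 1.0.2a"]:
        print(banner, "->", assess(banner))
```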


Inevitably, there is much speculation online that the vulnerability could be comparable to the hard-hitting Heartbleed bug (aka CVE-2014-0160) discovered last year, or its rather less dangerous compadre, POODLE (aka CVE-2014-3566).

It’s understandable that the OpenSSL Project isn’t saying any more yet – as they will be worried that there is the potential to tip off malicious hackers who might be able to exploit the vulnerability.

As Optimal Security contributor Orion described earlier this month, a single bug in open source software can have worldwide repercussions, because the software is so pervasive.

And when the open source software is OpenSSL, a critical component in the underlying technology used to secure internet transactions, it is essential that we take any warning of security holes seriously.

The heads-up about this latest high severity security hole in OpenSSL arrives less than two weeks after it was revealed that the Linux Foundation’s Core Infrastructure Initiative (CII) is spending millions of dollars on a project designed to harden open source technologies.

The likes of Amazon, IBM, Google, Facebook and many other big industry names are stumping up the cash to fund security consultants and cryptography experts in a significant audit of OpenSSL’s code, because they recognise how important it is that the widely-used code is secure.

It’s never pleasant knowing that there is a bug in such an essential part of many internet systems, and that a patch to fix it and the knowledge of what its potential impact is remain a day or two away.

But at least we know that a patch is on its way, and we can feel more confident than ever that the security of OpenSSL should significantly improve over time thanks to the efforts of the industry looking closely at its code.

This article originally appeared on the Optimal Security blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.