Brace yourself. Mystery OpenSSL high severity vulnerability due to be fixed on Thursday


New versions of OpenSSL, the open-source software widely used to encrypt internet communications using SSL/TLS, are due to be released on Thursday, patching a series of security vulnerabilities.

And one of those security vulnerabilities, according to the software’s developers, is considered “highly serious”.

Details of the nature of the security flaws are currently non-existent, but an advisory published on Monday does explain that updates will be issued for OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

Openssl advisory

Inevitably, there is much speculation online that the vulnerability could be comparable to the hard-hitting Heartbleed bug (aka CVE-2014-0160) discovered last year, or its rather less dangerous compadre, POODLE (aka CVE-2014-3566).

It’s understandable that the OpenSSL Project isn’t saying any more yet - as they will be worried that there is a the potential to tip off malicious hackers who might be able to exploit the vulnerability.

As Optimal Security contributor Orion described earlier this month, a single bug in open source software can have worldwide repercussions, because the software is so pervasive.

And when the open source software is OpenSSL, a critical component in the underlying technology used to secure internet transactions, it is essential that we take any warning of security holes seriously.

The heads-up about this latest high severity security hole in OpenSSL, arrives less than two weeks after it was revealed that the Linux Foundation’s Core Infrastructure Initiative (CII) is spending millions of dollars on a project designed to harden open source technologies.

The likes of Amazon, IBM, Google, Facebook and many other big industry names are stumping up the cash to fund security consultants and cryptography experts in a significant audit of OpenSSL’s code, because they recognise how important it is that the widely-used code is secure.

It’s never pleasant knowing that there is a bug in such an essential part of many internet systems, and that a patch to fix it and the knowledge of what it’s potential impact is remain a day or two away.

But at least we know that a patch is on its way, and we can feel more confident than ever that the security of OpenSSL should significantly improve over time thanks to the efforts of the industry looking closely at its code.

This article originally appeared on the Optimal Security blog.

Tags: , , , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , , ,

No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.