Number: IRCNE2014062212
Date: 2014-06-08
According to “itpro”, Japanese researchers have uncovered another critical flaw in OpenSSL that has been active and available to criminals for more than 16 years.
In a blog entry, Masashi Kikuchi, one of the security researchers at Lepidum, outlined how the flaw, named the CCS Injection Vulnerability, has been active since before 1998. The exploit affects a protocol named ChangeCipherSpec, which is used at the end of an SSL communication.
Hackers with knowledge of the bug have been able to intercept and then decrypt data travelling between OpenSSL servers and clients, conducting so-called “man-in-the-middle” attacks.
“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation,” wrote Kikuchi.
“If the reviewers had enough experience, they should have verified the OpenSSL code in the same way they do their own code. They could have detected the problem [earlier].”
The team behind OpenSSL have acknowledged the security flaw and published an advisory asking users to upgrade their software to avoid the bug.
“The good news is that these attacks need a man-in-the-middle position against the victim and that non-OpenSSL clients (Internet Explorer, Firefox, Chrome and Safari) aren't affected,” wrote Google software engineer Adam Langley in a post on the exploit. “None the less, all OpenSSL users should be updating.”