Number:IRCNE2014042176
Date: 2014-04-28
According to “computerworld”, security experts have expressed doubts about a hacker claim that there's a new vulnerability in the patched version of OpenSSL, the widely used cryptographic library repaired in early April.
A group of five hackers writes in a posting on Pastebin that they worked for two weeks to find the bug and developed code to exploit it. A new flaw in OpenSSL could pose just as much of a threat as Heartbleed did.
The open-source OpenSSL code is used by millions of web sites to create encrypted communications between client computers and servers. The flaw disclosed in early April, nicknamed "Heartbleed," can be abused to reveal login credentials or a server's private SSL key.
More than two-thirds of the websites affected by the flaw have patched OpenSSL, according to McAfee.
The hackers said they've found a buffer overflow vulnerability that is similar to Heartbleed. They claim they've spotted a missing bounds check in the handling of the variable "DOPENSSL_NO_HEARTBEATS."
They have not published their exploit code, so there is no way to verify their claim. The group provided an email address for questions, but did not immediately respond to a query.
- 5