Friday, 10 July 2015

High severity bug found in OpenSSL raises fears of another Heartbleed

Patch due to be released on 9 July
Wed Jul 08 2015, 13:57
A 'HIGH SEVERITY' BUG is currently unpatched in OpenSSL, the open source software used to encrypt internet communications, and a new version is due to be released on 9 July.
OpenSSL is a cryptographic software library used by open source web servers such as Apache and Nginx, which host about 66 percent of all websites.
The popular back-end technology made the headlines last year when a large-scale vulnerability called Heartbleed allowed hackers to steal information that would normally be protected by the SSL/TLS encryption.
SSL/TLS provides communication security and privacy over the internet for applications such as web, email and instant messaging.
The OpenSSL project team, the group of developers responsible for maintaining the widely used OpenSSL cryptographic library, announced the forthcoming patch in a mailing list posting by developer Mark J Cox.
This led to concerns that OpenSSL is currently unpatched against the threat of another Heartbleed-style bug.
"The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p," said Cox.
"These releases will be made available on 9 July. They will fix a single security defect classified as 'high' severity. This defect does not affect the 1.0.0 or 0.9.8 releases."
Heartbleed threatened up to 50 million Android devices and helped hackers to steal passwords, so it was a pretty big deal.
Security expert Graham Cluley said that it is impossible to shed light on the vulnerability at this stage as the OpenSSL project is keeping the details under its hat for now.
This is probably because they are concerned that any information shared in advance could be exploited in live hacks.
"Fingers crossed, this new vulnerability in OpenSSL won't be anything like as serious as Heartbleed, but the grading of it as 'high severity' means that it could open the door to various threats ranging from fairly tame denial-of-service attacks to rather unpleasant remote code execution," Cluley said.
System administrators and developers are advised to apply the fix as soon as it is released on Thursday to avoid another catastrophe and protect the security of partners and customers. 
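The announcement names only the fixed releases (1.0.2d and 1.0.1p) and the branches that are not affected (1.0.0 and 0.9.8), which is enough for an administrator to triage hosts by their `openssl version` output. The following POSIX shell script is an added example written for this page, not code from the article or from the OpenSSL project; the function names (`openssl_patch_status`, `letter_ge`) and the sample version strings are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSL project): classify an
# `openssl version` string against the releases the announcement names as
# fixed (1.0.2d and 1.0.1p). The 1.0.0 and 0.9.8 branches are reported as
# not affected. Function and variable names are this example's own.

# True when the single-letter patch suffix $1 is at or after suffix $2.
# An empty suffix (the base release, e.g. "1.0.2") sorts before "a".
letter_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | tail -n 1)" = "$1" ]
}

# Print one of: patched, vulnerable, not-affected, unknown
openssl_patch_status() {
    # Extract "1.0.2d" from e.g. "OpenSSL 1.0.2d 9 Jul 2015" or "OpenSSL 1.0.2k-fips ..."
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown            # not an OpenSSL version string (e.g. LibreSSL)
        return 0
    fi
    base=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')      # e.g. 1.0.2
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//')   # e.g. d (may be empty)
    case "$base" in
        1.0.2) fixed=d ;;                     # fixed in 1.0.2d per the announcement
        1.0.1) fixed=p ;;                     # fixed in 1.0.1p per the announcement
        1.0.0|0.9.8) echo not-affected; return 0 ;;
        *) echo unknown; return 0 ;;          # branch not covered by the announcement
    esac
    if letter_ge "$letter" "$fixed"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample strings for a stand-alone run; not captured from real hosts.
for sample in 'OpenSSL 1.0.2a' 'OpenSSL 1.0.2d' 'OpenSSL 1.0.1o' \
              'OpenSSL 1.0.1p' 'OpenSSL 1.0.0s' 'LibreSSL 2.2.0'; do
    printf '%-20s %s\n' "$sample" "$(openssl_patch_status "$sample")"
done

# Check the library actually installed on this host, if the tool is present.
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version)
    printf '%-20s %s\n' "$installed" "$(openssl_patch_status "$installed")"
fi
```

Treat a "vulnerable" result as a prompt to investigate rather than a verdict: distributions such as Debian and Red Hat backport security fixes without changing the upstream letter suffix, so the package changelog, not the version string, is the authoritative record on those systems. The script also reports "unknown" for any branch the announcement does not mention, rather than guessing.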
