New OpenSSL breach is no Heartbleed, but needs to be taken seriously

New OpenSSL breach is no Heartbleed, but needs to be taken seriously

Summary: While the newest OpenSSL security problems are troubling, and you should address it, it's nothing as bad as Heartbleed.

SHARE:

It's been a bad week for open-source Secure Socket Layer (SSL) programs.

First, the obscure, GnuTLS was revealed to have a trivial but damning flaw. Then, the massively popular OpenSSL was found to have a man-in-the-middle vulnerability. After the Heartbleed fiasco, OpenSSL needed this like a hole in the head.

OpenSSL

This vulnerability, according to Adam Langley, a senior staff software engineer at Google, has been around for at least 15 years. It's a pity the Core Infrastructure Initiative (CII) riding to OpenSSL's rescue with more developer funding didn't happen any sooner than it did.

That said, this bug is still is nowhere near as bad as Heartbleed. For starters, an attacker needs to be running a system between the web browser or other SSL-enabled client program to make use of the security hole.

Be that as it may, you still need to address it by upgrading as soon as possible. As Chris Camejo, Director of Assessment Services for NTT Com Security said in an e-mail interview, "It's bad because it has been around for a long time and looks to be fairly widespread."

He added: "If exploited it would allow the attacker to decrypt traffic. This is serious given that the whole point of SSL is to encrypt traffic and it is widely used to protect passwords, credit card numbers, and all other manner of sensitive transactions that happen on web sites as well as certain email connections."

In a separate interview, Mark Cox, Red Hat's senior director of product security, went into deeper detail. Cox said, OpenSSL has fixed a number of security flaws, but given the Heartbleed episode we needed to find a way to tell people not to panic.

Cox explained that Heartbleed had been patched before it was revealed but news of the exploit spread before news of the patches, hence so much of the upset around it. In this latest case, there have been seven security issues patched but only two of them need concern administrators and users.

The first, Cox continued, is the Datagram Transport Layer Security (DTLS) bug. There is no known exploit of it at this time, but there is the potential for a successful attack against it.

Therefore, while DTLS is not widely used, if you do use it, it should be patched as soon as possible.

Cox then said the "real meat of the issue is the man-in-the-middle attack." Even here, for this work, someone really must be "in the middle" between a vulnerable server and client to make use of the hole.

But if someone can do this, they could "bypass SSL and get to the raw data... This is quite a serious issue."

Still, with Heartbleed anyone could theoretically exploit vulnerable SSL servers. To attack using this hole would require network access to the traffic between the client and server. For example, a successful attack might be made with a fake coffee house Wi-Fi access point being used to connect the Android version of the Chrome Web browser and an unpatched Web server. Fortunately, Google has already released an updated version of this browser, 35.0.1916.141, to eliminate this problem.

The most vulnerable systems, according to Cox, are unpatched Android devices using a bogus Wi-Fi hot spot. Morrell added that since Android users are at the mercy of their phone vendors and telcos for security updates they may be stuck with vulnerabilities for quite a long time.

Fortunately, if the servers they connect with have been updated, they still can't be attacked.

The OpenSSL security community has known about this problem since early May. The group, working with Red Hat, other major Linux and open-source groups, and hardware vendors, went to a great deal of trouble to not simply patch the bug but to take the next steps of testing the repair, so that they could be as certain (as anyone can ever be in security) that it would fix the hole, but also not introduce any new security problems, and work with most combinations of OpenSSL servers and clients.

Now that the patch is out there, OpenSSL is trying to get the solid facts, as well as the patch, out to people so there won't be any undue panic over these problems. Cox added that the major Linux vendors, such as Red Hat and Ubuntu, already have the patches available.

All server administrators need do is to download and install them and instead of a security crisis this will prove to be business as usual.

Related stories:

Topics: Security, Linux, Networking, Open Source

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

49 comments
Log in or register to join the discussion
  • No Real Story Here

    Software is always going to have bugs in it no matter what, and now that more attention is being payed to OpenSSL, it gives the media something to make money off of when bugs are found. I don't see any story here, besides that they caught some bugs, and ZDNet needs to get their ad revenue.

    These types of articles are exactly indicative of the slowdown in the I.T. field, as computers have become more like appliances and the days of huge leaps in CPU speed and memory increases are over. The exciting days of computer fares are over. Now we have articles touting stupid features within Windows 8.x, that nobody really cares about. It's just troll bait.
    Stilbe
    • Yes, there will always be bugs but in the commercial space liability ...

      ... issues encourages testing and drives quality assurance testing. There is little incentive for open-source developers to test and retest their development efforts because they not liable if they make a mistake.
      M Wagner
      • There's no "liability" in the "commercial space."

        Read any EULA. Software companies, for-profit or open source, always legally disclaim any responsibility for the fitness of their software and sell it "as-is." Good luck suing any software company for any loss you incurred using their product. You gave away your rights by clicking "I agree" on the license page during installation.
        harry_dyke
        • Liability is real...so the programmers and administrators need accountabily

          You can't just "explain away" damage as an "ooops." Ask GM. If you make me pay for a "license", then you have essentially sold me a product. Why? If I try to sell this product or give it away, then the software company will come after me. If it is (unknowingly to me) defective, then ask any attorney that handles injury, I'll be entitled to compensation, especially if their software "brings down" my PC or leaks private information. Ask Target too.
          drbob_1
          • But don't bother asking Microsoft.

            I have never heard of any lawsuit against Microsoft for any damages incurred by any of its customers due to a security issue wioth any of their products.

            Perhaps you could enlighten me as to any time Microsoft has compensated anybody for loses incurred from use their products.

            Yes, Target has to pay, but Target will have no luck getting any of those back from their server software vendor.
            Who is that vendor? Oh yeah, Microsoft.
            anothercanuck
          • Really you are blaming Microsoft

            for Targets breach? What a jack wagon.
            hoppmang
          • Speaking of jack wagons...

            Look at that, the fake Ed Bott got banned.

            Hm...
            ForeverCookie
          • Rather a shame really....

            You can never have too many of me... ;-)
            Ed Bott
      • "Yes, there will always be bugs but in the commercial space liability ..."

        @ M Wagner: Sorry but I have to disagree completely! It's as harry_dyke says, there is even less accountability as regards "closed/proprietary" software! Have to say again, absolute nonsense!
        johnpiers@...
  • Out of Focus

    the real issue in security today is protecting the software from un-authorized modification. recent reports have indicated that 2/3 to 3//4 of "hacks" originate from "trojans" which are often used to deliver un-authorized changes to the victim's computer system(s).

    the software must be protected first before there can be any meaningful discussion of encryption of of protecting data .
    Mike~Acker
  • Breach, not Breech

    Proof-reader needed...
    ManRan
    • An Ode to Spelling Checkers

      I have a spelling checker
      It came with my PC.
      It plane lee marks four my revue
      Miss steaks aye can not see.
      Eye ran this poem threw it.
      Your sure real glad two no.
      Its very polished in its weigh,
      My checker tolled me sew.
      It freeze yew lodes of thyme.
      It helps me right awl stiles two reed,
      And aides me when aye rime.
      And now bee cause my spelling
      Is checked with such grate flare,
      There are know faults with in my cite,
      Of nun eye am a wear.
      To rite with care is quite a feet
      Of witch won should be proud,
      And wee mussed dew the best wee can,
      Sew flaws are knot aloud.
      Sow ewe can sea why aye dew prays
      Such soft wear four pea seas,
      And why eye brake in to averse
      Buy righting watt eye please.
      cdgoldin
      • That's grate!

        Awe sum!
        jeffreydean
      • Words spelled OK, just using the wrong ones!

        Spell checkers are just that. They check for invalid words IN ISOLATION. All your words are spelled correctly, are they not? It you who was expecting it to read your mind.

        Even grammar checkers will only pick up some inappropriate word use.
        Patanjali
    • Better still, no breach at all

      It's a vulnerability. A breach is a successful break-in.

      But hey, never mind the vuln when you've got more entertaining fish to fry.
      seanferd
  • Open SSL has pants?

    One would expect headline writers to know English, at least.
    DigitalAvatar
    • Pants

      ...that need patching!
      james.vandamme
  • But both sides have to be exploitable

    So its not THAT bad overall. The world just needs to make sure they patch their servers.
    Jimster480
    • Jimster480: "The world just needs to make sure they patch their servers"

      Yeah, like that's going to happen. Plenty of Linux servers don't get patched or get patched infrequently. This problem has been written about at ZDNet and elsewhere.
      Rabid Howler Monkey
  • If only the SSL guys did as much error checking as the grammar police

    Nice to see the commentators trying to spin the situation by being dismissive, or by belittling the editing and proofreading of the article.

    This isn't some silly iPhone app for calculating a tip. This is software that is being used worldwide for mission critical tasks and it is becoming abundantly clear that leaving it up to 5 guys in mom's basement is ludicrous.
    croberts