Incoming OpenSSL Patch Draws Heartbleed Comparisons

OpenSSL patch will fix ‘high severity’ vulnerability, but no other details are known

A new version of OpenSSL is set to be made available tomorrow that will address a single ‘high severity’ vulnerability.

OpenSSL is an open source technology used by many websites and applications to protect customer data and made the headlines last year following the discovery of the infamous ‘Heartbleed’ bug that could allow an attacker to acquire encryption keys from web servers.

The exact nature of the new vulnerability remains a mystery, but its existence immediately evokes memories of the scramble to fix Heartbleed and the spotlight cast on the lack of funding received by developers of widely used open source technologies.

Heartbleed 2.0?

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p,” said developer Mark J. Cox in a mailing list post. “These releases will be made available on 9th July. They will fix a single security defect classified as ‘high’ severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”

Security expert Graham Cluley said he hoped the bug would not be another Heartbleed and that it was important the OpenSSL Project kept details under wraps for now in order to protect end users.

“Fingers crossed, this new vulnerability in OpenSSL won’t be anything like as serious as Heartbleed – but the grading of it as ‘high severity’ means that it could open the door to various threats: ranging from fairly tame denial-of-service attacks to rather unpleasant remote code execution,” he said.

“Don’t be too upset that the OpenSSL project is keeping details of the vulnerability under its hat for now. No doubt they will be concerned that any information they share in advance could be exploited in live hacks by malicious hackers.

“Being careful about vulnerability disclosure is particularly important when the software is so widely used, and understood to be an essential component required in securing internet transactions.”

He said administrators could sit tight for now but urged them to install the patch as soon as it became available.

“You owe it to your own security, but also in order to properly protect the security of your partners and customers,” he added.
