By NICOLE PERLROTH
June 5, 2014 5:10 pm
Security experts are still trying to plug the hole left by Heartbleed, the bug found in the widely used OpenSSL encryption protocol, with some 12,000 popular domains still vulnerable, according to AVG Virus Labs.
Now they have something else to worry about. On Thursday, the OpenSSL Foundation issued a warning to users that a decade-old bug
that makes it possible for an attacker to conduct a so-called man-in-the-middle attack on traffic encrypted with OpenSSL. The advisory warns users that someone could use the bug to intercept an encrypted connection, decrypt it, and read the traffic.
Users of OpenSSL are advised to deploy a new patch and upgrade to the latest version of OpenSSL software. The bug was initially discovered by Masashi Kikuchi, a Japanese researcher at Lepidum, a software firm. “Attackers can eavesdrop and make falsifications on your communication when both of a server and a client are vulnerable,” reads an FAQ on Lepidum‘s website.
Unlike Heartbleed, which could be used to directly exploit any server using OpenSSL, this new bug requires that the attacker be located between two computers communicating. A likely target, for example, would be someone using an airport’s public Wi-Fi.
The new bug was introduced into OpenSSL when it was first released in 1998, more than 10 years before Heartbleed, which was first introduced in a code update on New Year’s Eve in 2011.
The fact that the new bug went undetected for so long is another black mark on the management of OpenSSL. The encryption method is open source, meaning it can be reviewed and updated by anyone. Because of that, it is considered more secure and more trustworthy than proprietary code vetted by just one company’s engineers.
But, in reality, OpenSSL had only one full-time developer and three “core” volunteer programmers in Europe, and operated on a budget of $2,000 in annual donations. This, despite the fact that OpenSSL is used to encrypt the majority of the world’s web servers and widely used by technology companies such as Amazon and Cisco.
Following the Heartbleed discovery, major companies, including Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMWare, each pledged $100,000 a year over the next three years to the Core Infrastructure Initiative, a new open source initiative organized by the Linux Foundation to support crucial open-source infrastructure, like OpenSSL.