Remember Heartbleed, the exploit which capitalised on a gaping hole in the open source library OpenSSL, which handles encryption of data between web surfers and servers? Well, more bugs have been discovered in OpenSSL...
This was perhaps inevitable, given the the fact that Heartbleed went undetected for a couple of years, and this stirred up quite the hornet's nest – so there was bound to be plenty of scouring of OpenSSL to try to find any further flaws. And indeed, find them they did – check out the list of offenders in yesterday's OpenSSL Security Advisory.
Tatsuya Hayashi, who pinned down one of the more critical bugs, told the Guardian that it "may be more dangerous than Heartbleed".
This bug, SSL/TLS MITM vulnerability (CVE-2014-0224), is present because OpenSSL accepts ChangeCipherSpec (CCS) inappropriately during a handshake, Hayashi notes. And this flaw has existed since the very first version of OpenSSL, no less.
Basically, an attacker can use a specially crafted handshake to facilitate a Man-in-the-Middle attack whereby he (or she) can decrypt and snoop on supposedly secure traffic between client and server (and indeed modify that traffic).
Fixes for this, and the other vulnerabilities listed by the Security Advisory have been implemented for OpenSSL, so the clear message to users is to upgrade to the latest version immediately.
Note that with the bug Hayashi discovered, both client and server have to be vulnerable for this exploit to be pulled off, and in terms of all the big web browser clients – Internet Explorer, Chrome, Firefox, Safari – they don't use OpenSSL, so there's no need to worry on that score.
When couched in those terms, it does seem that Hayashi is being overly dramatic in his description of this being a more serious hole than Heartbleed – but the fact that it has been present since the first release of OpenSSL is again another worrying black mark against the open source protocol.
Hopefully, all the fine-tooth-combing for bugs has now been done, and the big ones are all picked out and patched – but we wouldn't bet on it.