The world hasn’t yet recovered from the Heartbleed vulnerability in OpenSSL and now there’s news of a new bug affecting the popular open-source security package. This recently announced, and already patched, exploit could allow an attacker to see and modify traffic between an OpenSSL client and an OpenSSL server. This sounds worse than it really is. The extent of the issue is extremely limited because we’re talking about specific versions of OpenSSL server. Plus, you need to be using that same server software on a client application, and the attack itself is quite a complicated affair.
The vulnerability, originally discovered in May by researcher Masashi Kikuchi, could allow for an attacker to lower the security of the communication between a client and a server using OpenSSL. In fact, this point is key: the package has to be present on both ends and then the attacker has to use what’s known as a “man-in-the-middle” attack, something not necessarily easy to do. For the uninitiated, a man in the middle attack could be accomplished through a bit of compromised hardware — like, say a router in your local coffee shop — that strips the encryption from the information.
The bug affects all client versions of OpenSSL and servers on version 1.0.1 or 1.0.2-beta1, though it is recommended to update earlier versions as a precaution. The biggest problem is that we don’t really know how many of our applications are using this security package, as this information is not normally disclosed. That said, Adam Langley, a security engineer from Google, confirmed that desktop browsers such as “IE, Firefox, Chrome on Desktop and iOS, Safari, etc.” are not vulnerable, as they don’t use OpenSSL.