Could a new OpenSSL defect be worse than Heartbleed?


OpenSSL is ready to rollout a major security update to patch a "high" severity security flaw that security researchers pray is not as bad as Heartbleed.

The project team behind OpenSSL explained that a new release will debut on March 19 that fixes security defects in versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf of OpenSSL, and Gavin Millard from Tenable Network Security is one of those keeping his fingers crossed.

"With the contributors to the OpenSSL project staying tight lipped apart from stating it will be classified as "High Severity", it would be prudent for organisations to identify all systems affected in advance of the patch to deploy the updates if required," said Millard, technical director at Tenable Network Security. "Hopefully this bug will be less severe than Heartbleed but, until Thursday, only a few will know."

Organisations that rely on OpenSSL will need to be quick to patch up the flaw. Being open source, the security update will allow malicious actors to work out how to take advantage of the vulnerability and attack any sites that haven't been updated.

What is Heartbleed?

Heartbleed was discovered last April after being undiscovered for two years and was a serious vulnerability in OpenSSL that allowed attackers to read up to 64KB of the host's memory before repeating it to read more RAM.

OpenSSL version 1.0.1g fixed the problem, but there were fears at the time that some sites simply wouldn't remember to update to the newest version. Even with the latest problem being patched up tomorrow, there will be concerns that some sites won't update.