Skip to main content

OpenSSL patch fixes seven vulnerabilities

Heartbleed, what's in a name!

Good news for those who fear being victims of any OpenSSL vulnerability. Since the discovery of the Heartbleed bug, security experts are pouring over its source code, in a bid to tidy up what could be described as a messy coding chaos.

And the first patches have followed swiftly. The OpenSSL open source project has issued a security patch that aims to fix seven vulnerabilities, two of which have been deemed critical by the SAMS Internet Storm Center.

The first one is a so-called man-in-the-middle flaw, using a OpenSSL exploit to tamper with traffic between clients and servers.

It was discovered by Japanese researcher Masashi Kikuchi from security company Lepidum and has been around for over 16 years, since the very inception of OpenSSL.

Kikuchi blames the insufficient number of code reviews as well as the lack of experience of reviewers for the time it took to unearth this vulnerability.

Another critical flaw was identified six weeks ago and is classified as a "Datagram Transport Layer Security (DTLS) invalid fragment vulnerability", which is a buffer overrun attack, allowing an arbitrary code to be executed on the compromised host.