Today we have learned of another security advisory released on another vulnerability dealing with websites that use OpenSSL. The notification and details of this can be viewed in the OpenSSL Security Advisory, found here.
This new vulnerability requires complex effort for an attacker to successfully take advantage of the vulnerability. An attacker must intercept the connection between a client and a server, both of which need to be using the vulnerable version, and start what is referred to as a ‘Man in the Middle’ attack. In basic terms, the cybercriminal needs both to intercept you and the server you are connected to, and both parties have to have the vulnerability.
Once the cybercriminal is sitting in the middle of this communication flow, they can then decrypt and modify the traffic, thus breaking the security of an encrypted communication. The bug is not new and has been present since the first version on OpenSSL – around 16 years – according to the blog of Masashi Kikuchi, the man who discovered it.
It’s important to note that the patch is already available, as with any “Zero Day” issue, it will take companies a degree of time to patch servers. Because of this, there will be a window of opportunity for cybercriminals to steal data that was previously considered safe.
Are you affected?
As mentioned, both parties, client and server, would need to be using an OpenSSL version that is vulnerable. There is good news here as the majority of us use a commercially available browser such as Chrome, Firefox, Internet Explorer (IE), Safari (iOS) and these do not use the OpenSSL Client, and therefore are not vulnerable to this issue (for more on this, you can read the personal blog of Adam Langley, Senior Software Engineer at Google).
However, we all use many applications that when communicating and many open apps, whether desktop or mobile, talk to servers in the background in ways that we don’t really notice. These are the things that we need to make sure are protected and patched accordingly.
It’s important to understand that as this is a “Man in the Middle” attack neither the company nor the user would know the attack has taken place.
All companies and users using OpenSSL need to take prompt action to patch their servers and apps with the new version that is available. In large production environments this does of course take time as they need to test and deploy these changes.
What can you do?
Our advice to users is to not transfer critical information until you have confirmed that the issue has been fixed on the server you need to communicate with.
June 6, 2014