In Brief: Although severe, a new vulnerability in OpenSSL that allows an attacker to impersonate a trusted CA serveris expected to have minimal impact. OpenSSL today issued a high severity advisory warning of forged certificates. During certificate verification, the alert says OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. This could allow an adversary to impersonate a trusted CA server and eavesdrop on otherwise encrypted communication. Fortunately, the flaw only affects versions of OpenSSL released last month and not yet available in some OSs such as Ubuntu. Affected versions are OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Despite the severity, experts expect the overall impact will be minimal. “Exploiting the OpenSSL vulnerability (CVE-2015-1793) is not quick or easy, making it nowhere near as serious as Heartbleed,” said Veracode’s Vice President of Research Chris Eng in an email. “For starters, an […]
Tag: OpenSSL
Tripping Over Heartbleed’s Long Tail
The news about the dreadful Heartbleed OpenSSL vulnerability keeps pumping – almost a month since it first made headlines. But now that other, equally scary security news is stealing the headlines (like the nasty Internet Explorer vulnerability that was announced this week, Heartbleed is taking a back seat. So where do things stand? I think its safe to say that we’re entering a phase that might be considered Heartbleed’s ‘long tail.’ On the one hand: there’s evidence of good news. The Register reported today that data collected by the firm Qualys suggests that almost all websites that were vulnerable to Heartbleed three weeks ago are now patched and no longer vulnerable. The Register’s John Leyden quotes Ristic, the director of engineering at Qualys, putting the percent of web sites, globally, that are still vulnerable to Heartbleed at 1 percent. That’s great news – but I don’t think its the end of the story […]
