In case you didn't see it, the OpenSSL team announced an advisory for multiple security vulnerabilities today. The advisory contains 14 vulnerabilities of which two are rated high.
OpenSSL Security Advisory
When you pause to think about it, four developers maintaining a fundamental technology that powers much of Internet security is pretty scary. The new set of vulnerabilities allows a remote attacker to crash a server running OpenSSL, resulting in a denial of service. Fortunately, the scope of the high-severity DoS vulnerability (CVE-2015-0291) is limited to version 1.0.2: a client that renegotiates with a malformed signature_algorithms extension triggers a NULL pointer dereference in the server, and 1.0.2a fixes it. When the SMACK/FREAK TLS vulnerability was announced two weeks ago, OpenSSL was shown to be open to a man-in-the-middle attack in which an attacker intercepts the handshake and forces negotiation of an export-grade (512-bit RSA) cipher; the OpenSSL client bug (CVE-2015-0204) is that it accepts such an export RSA key even when it never negotiated an export cipher suite. At the time, the OpenSSL team rated this low severity because the attack only works against servers that still offer RSA export cipher suites, and those were thought to be rare. It turns out there are a lot more such servers than expected, hence the revised high severity.
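The FREAK downgrade described above only works when the server on the other end still accepts an RSA export cipher suite, so the practical check is to offer a server nothing but export suites and see whether it agrees. The following is an added example, not code from the original post or from the OpenSSL project: it builds a minimal TLS 1.0 ClientHello offering only RSA export suites, parses the first record the server sends back, and flags an export suite selection. The function names (`build_client_hello`, `parse_server_hello`, `build_server_hello`, `probe`) are this example's own, and the ServerHello and Alert bytes used for the offline check are constructed, not captured from a real server.

```python
"""Added example: probe a TLS server for RSA export cipher suite support.

Not part of the original post or of OpenSSL. Function names are this
example's own; sample ServerHello/Alert bytes are constructed, not captured.
"""
import socket
import struct

# RSA export suites (IANA code points): the ones a FREAK downgrade forces.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

TLS10 = b"\x03\x01"
ALERT, HANDSHAKE = 0x15, 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _handshake_record(msg_type, body):
    """Wrap a handshake body in a handshake header and a TLS record."""
    hs = bytes([msg_type]) + struct.pack(">I", len(body))[1:] + body  # 3-byte length
    return bytes([HANDSHAKE]) + TLS10 + struct.pack(">H", len(hs)) + hs


def build_client_hello(suites):
    """ClientHello offering only `suites`, no extensions, null compression."""
    body = TLS10 + b"\x00" * 32          # version + (constructed, fixed) random
    body += b"\x00"                      # session id length 0
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                  # one compression method: null
    return _handshake_record(CLIENT_HELLO, body)


def build_server_hello(suite):
    """Constructed ServerHello selecting `suite`; used only for offline checks."""
    body = TLS10 + b"\x00" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return _handshake_record(SERVER_HELLO, body)


def parse_server_hello(record):
    """Return (chosen_suite, is_export).

    chosen_suite is None when the server answered with an Alert, i.e. it
    refused every suite we offered, which is the answer you want to see.
    """
    if not record:
        raise ValueError("empty response")
    if record[0] == ALERT:
        return None, False
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record: 0x%02x" % record[0])
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != SERVER_HELLO:
        raise ValueError("first handshake message is not a ServerHello")
    body = hs[4:]
    sid_len = body[34]                   # version(2) + random(32) then session id
    off = 35 + sid_len
    suite = struct.unpack(">H", body[off:off + 2])[0]
    return suite, suite in EXPORT_RSA_SUITES


def probe(host, port=443, timeout=5):
    """Live check over the network: does `host` accept an RSA export suite?"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_RSA_SUITES)))
        data = sock.recv(4096)
    suite, is_export = parse_server_hello(data)
    if is_export:
        print("%s:%d accepts %s (FREAK downgrade possible)"
              % (host, port, EXPORT_RSA_SUITES[suite]))
    else:
        print("%s:%d refused export suites" % (host, port))
    return suite, is_export


if __name__ == "__main__":
    import sys
    probe(sys.argv[1] if len(sys.argv) > 1 else "localhost")
```

The offline `build_server_hello` helper exists only so the parser can be exercised without a network; against a real host the equivalent one-liner is `openssl s_client -cipher EXPORT -connect host:443`, which should fail the handshake on a correctly configured server. Fixing the server side is a configuration change (drop `EXPORT` and `RSA_EXPORT` suites from the cipher list), independent of the client-side OpenSSL patch for CVE-2015-0204.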
Vulnerable servers (like those of Forbes and Jamie Oliver) are being exploited by cyber criminals as launching pads for delivering malware to unsuspecting end users, and if anything this activity is trending upward. As SSL becomes more prevalent on the Internet, enterprises are going to face a much higher risk. This is partly because most enterprises, for privacy reasons, don't inspect SSL traffic, which makes it an easy channel for malware to ride on without being noticed.
Rob Marvin from SD Times has more to say on this new OpenSSL Security Advisory: http://sdtimes.com/openssl-issues-urgent-security-advisory/