Severe vulnerability found in OpenSSL just months after Heartbleed

TORONTO – Another major security vulnerability has been discovered in the OpenSSL encryption library, leaving users exposed to man-in-the-middle attacks.

The OpenSSL Foundation published a security advisory Thursday warning websites to update code to fix a decade-old bug that would allow an attacker to eavesdrop on network traffic and decrypt the information.

A patch has been issued to correct the vulnerability and websites are being urged to upgrade their software immediately.

The new vulnerability comes just two months after the widespread Heartbleed bug was discovered.

Heartbleed, which some experts called the biggest security vulnerability in the history of the Internet, was a flaw found in a line of code in OpenSSL.

The security flaw created an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. Heartbleed allowed attackers to snoop on Internet traffic even if the padlock icon was closed.

The new vulnerability, found by security researcher Masashi Kikuchi, affects a portion of the “handshake” that establishes an encrypted connection. An attacker positioned between the two sides would be able to force the client and the server to use weak keys, allowing the attacker to decrypt the traffic.

“The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL,” read the advisory.

According to the security advisory, OpenSSL was alerted to the issue on May 1 – however, Kikuchi says the bug has existed since the very first release of OpenSSL.

The Heartbleed bug went undetected for two years.

After the Heartbleed bug was discovered, many experts called on the security community to step up and help run security audits on OpenSSL – an open-source project.

“The team that works on OpenSSL is very small and they do very good work, but there are a lot of lines of code and this was exploiting a very small piece of the OpenSSL package,” Chris Parsons, a post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs, said during the Heartbleed bug fallout.

In April, over a dozen tech giants, including Google, Microsoft and Facebook, joined forces to help fund OpenSSL, donating $100,000 each per year for the next three years to help the project.
