New Flaw Found in Software That Caused Heartbleed Bug
The researcher, Masashi Kikuchi, wrote in a blog post that he found another bug in OpenSSL, the encryption tool used in two-thirds of all websites to prevent hackers from stealing sensitive information like passwords or credit card data.
The new flaw would allow a hacker to snoop on or even change the content of emails or Web traffic, experts said.
Unlike Heartbleed, the new bug is much harder for hackers to exploit because the attacker must sit between the two computers and intercept their traffic (a man-in-the-middle position). The flaw is present in OpenSSL releases before the fix, and a connection can only be attacked when both ends of it run a vulnerable OpenSSL.
Wired.com writer Andy Greenberg noted that the flaw “leaves open the possibility that anyone from an eavesdropper on your local Starbucks’ network to the NSA [could] strip away your Web connection’s encryption before it’s even initialized.”
It was unclear how many websites, or which ones, were affected by the vulnerability. Security experts said that anyone using Internet Explorer, Firefox, or Chrome on the desktop appeared safe, since those browsers do not use OpenSSL for their encrypted connections.
The OpenSSL Foundation, which supports the programmers who maintain the software, published an advisory saying the flaw had been fixed and urging website owners to upgrade to the latest OpenSSL release.
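A practical first check for an administrator is whether the installed OpenSSL is at or past the fixed release for its branch. The script below is an added example written for this page, not code from the article, from Kikuchi, or from the OpenSSL project. The fixed release letters it uses (0.9.8za, 1.0.0m, 1.0.1h) come from the OpenSSL advisory of June 2014 and are not stated in the article; the sample banners are constructed.

```python
import re
import subprocess

# Minimum fixed release per branch for this flaw (CVE-2014-0224, "CCS injection"),
# taken from the OpenSSL advisory of 5 June 2014, not from the article above.
FIXED = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1g 7 Apr 2014"
# or "OpenSSL 1.0.1e-fips 11 Feb 2013" (the "-fips"/"-beta1" tag is ignored).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-\S+)?")


def parse_openssl_version(banner):
    """Return ((major, minor, patch), letters) parsed from a banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, m.group(4)


def letters_key(letters):
    # OpenSSL patch letters run a..z and then za, zb, ...; a longer suffix is newer,
    # so compare by (length, text) rather than plain string order.
    return (len(letters), letters)


def ccs_injection_status(banner):
    """Classify a banner as 'fixed', 'vulnerable' or 'unknown' by version alone."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    branch, letters = parsed
    if branch not in FIXED:
        # e.g. 1.0.2 betas or later branches: consult the advisory rather than guess.
        return "unknown"
    if letters_key(letters) >= letters_key(FIXED[branch]):
        return "fixed"
    return "vulnerable"


# Constructed sample banners (not taken from any real host).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.1h 5 Jun 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 0.9.8za 5 Jun 2014",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]


def local_openssl_banner():
    """Run `openssl version` on this machine; return None if the binary is absent."""
    try:
        return subprocess.check_output(["openssl", "version"], text=True).strip()
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: {ccs_injection_status(banner)}")
    local = local_openssl_banner()
    if local:
        print(f"local: {local!r}: {ccs_injection_status(local)}")
```

The caveat a practitioner needs: this is a version-string heuristic only. Many distributions backport security fixes without changing the upstream version letter, so a banner such as "OpenSSL 1.0.1e-fips" may report "vulnerable" here while the package changelog shows the fix was applied. Treat "vulnerable" as "check the package changelog or rebuild", and treat "unknown" branches by reading the advisory directly.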
The disclosure further highlights the need for more security experts to check the popular open-source software for flaws. The vulnerability that was reported went undetected for 16 years because “code reviews were insufficient,” Kikuchi wrote in a blog post.