While Heartbleed Bug wounds still healing now a new Open SSL Vulnerability found by a Japanese firm once again raise concern over internet security. A 16 year old security researcher named Masashi Kikuchi who works at a Lupidum has identified CCS Injection Vulnerability in the Open SSL software that could disclose important user information to hackers.
The young researchers stated in his blog that the newly found Open SSL vulnerability could be exploited by hackers and cyber criminals. “The problem is that OpenSSL accepts ChangeCipherSpec (CCS) inappropriately during a handshake. This bug has existed since the very first release of OpenSSL” said Kikuchi.
Soon after the Japanese researcher identified the long existed (but not Know) Open SSL vulnerability The Open SSL Security advisory released warning about the CCS Injection Vulnerability in the software.
“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.”
The Open SSL Security advisory also added that “The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”
As per the explanation by Open SSL advisory this new bug is different from the Heartbleed Bug as it does not allows hackers to steal data from any location. To exploit this new bug hacker’s computer should communicate with a personas device which means open network places like public Wi-Fi can be most likely target of this bug.
what is more alarming is that the vulnerability has been around for 16 years ever since the birth of Open SSL but the lack of resources at the Software firm has resulted into ignorance of such severe vulnerability.
However, now the Open SSL software authority has released a patch for the CCS Injection Vulnerability and has urged its clients to released updated patch for their users. If you use any online service that uses Open SSL (most online services do) it would be wise to wait for a password change until a security patch is released.