There’s a new “high severity” flaw that demands your immediate attention. The OpenSSL Project team issued a warning about an alert that will roll out Thursday with more detailed information. For now, it’s somewhat of a mystery.
The OpenSSL Project is a collaborative effort to develop a commercial-grade, full-feature, and open source toolkit that includes Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and a strong general purpose cryptography library. A global community of volunteers uses the Internet to communicate, plan, and develop the OpenSSL toolkit.
“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.,” an alert released Monday noted. “These releases will be made available on 9th July. They will fix a single security defect classified as ‘high’ severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”
Should We Expect Massive Problems?
The new high-severity flaw has the industry talking because of the OpenSSL-Heartbleed connection. In 2014, security engineers at Codenomicon found a bug that could give hackers access to user passwords and even trick people into using fake versions of popular Web sites. That bug, of course, was called Heartbleed and it impacted most of the Internet.
Codenomicon discovered that the vulnerability was in the OpenSSL cryptographic software library. The weakness stole information typically protected by the SSL/TLS encryption used to secure the Internet, the company said. During the fallout, there was some talk that it might even disconnect the emerging Internet of Things.
OpenSSL has a developer-friendly license, requiring only attribution for it to be linked against, copied and pasted or otherwise incorporated into a derivative software product, Ed Moyle, director of Emerging Business and Technology, ISACA, an international professional organization focused on IT governance, told us. It’s also free.
According to Moyle, all this makes it compelling for developers to use OpenSSL for anything that requires SSL functionality, including toasters to ICS systems, medical equipment, smoke detectors, remote cameras, consumer-oriented cable routers and wireless access points. Still, some security researchers aren’t expecting an Armageddon-style alert from the OpenSSL team on Thursday.
An Ounce of Prevention
We turned to Tim Erlin, director of IT security and risk strategy at advanced threat protection firm Tripwire, to get his thoughts on the OpenSSL Project team’s alert. He told us this type of a pre-announcement is intended to give organizations a chance to prepare. But is there reason to panic? Not necessarily.
“A huge part of the heartburn with Heartbleed came from the scramble to identify where organizations were vulnerable and how to apply patches. In this case, a little organization can go a long way to a smoother patching cycle,” Erlin said. “Software vendors who use OpenSSL can be prepared to patch their code and ship new versions faster, and end-users can inventory where they have OpenSSL and set up appropriate testing environments ahead of time.”
