On Fri, Jun 6, 2014, at 09:30 PM, jim bell wrote:
>
> BOSTON — Security researchers have uncovered new bugs in the Web
> encryption software that caused the pernicious “Heartbleed” Internet
> threat that surfaced in April.

Direct info: https://www.openssl.org/news/secadv_20140605.txt

>
> Experts said the newly discovered vulnerabilities in OpenSSL, which could
> allow hackers to spy on communications, do not appear to be as serious a
> threat as Heartbleed.
> The new bugs were disclosed on Thursday as the group responsible for
> developing that software released an OpenSSL update that contains seven
> security fixes.
> Experts said that websites and technology firms that use OpenSSL
> technology should install the update on their systems as quickly as
> possible. Still, they said that could take several days or weeks because
> companies need to first test systems to make sure they are compatible
> with the update.
> "They are going to have to patch. This will take some time," said Lee
> Weiner, senior vice president with cybersecurity software maker Rapid7.
> OpenSSL technology is used on about two-thirds of all websites, including
> ones run by Amazon.com, Facebook, Google, and Yahoo. It is also
> incorporated into thousands of technology products from companies,
> including Cisco Systems, Hewlett-Packard, IBM, Intel, and Oracle.
> The widespread Heartbleed bug surfaced in April when it was disclosed
> that the flaw potentially exposed users of those websites and
> technologies to attack by hackers who could steal large quantities of
> data without leaving a trace. That prompted fear that attackers may have
> compromised large numbers of networks without their knowledge.
> Security experts said Thursday that the newly discovered bugs are more
> difficult to exploit than Heartbleed, making those vulnerabilities less
> of a threat.
> Still, until users of the technology update their systems, “there is a
> window of opportunity” for sophisticated hackers to launch attacks and
> exploit the newly uncovered vulnerabilities, said Tal Klein, vice
> president of strategy with cloud security firm Adallom.
