Just weeks after cyber-security and other Internet organizations patched a vital piece of software to repair the Heartbleed security bug, another major flaw has turned up in the same program.
The new bug, discovered by a researcher in Japan, weakens the protection that OpenSSL provides. Used by websites worldwide, the program encrypts the data traveling between two computers so that anyone who intercepts it on the way cannot read it. But the researcher found a way for an attacker positioned between the two computers to defeat that encryption and read the traffic. It was the worst of five new OpenSSL flaws announced on Thursday.
“Anybody on the planet who has OpenSSL on its systems has to update,” said Nick Percoco, vice president of strategic services at Boston-based Internet security firm Rapid7 LLC.
But Percoco added that the new bug isn’t as dangerous as Heartbleed, which made it relatively easy to pull data straight out of the memory of millions of computer servers, including private information such as bank account numbers. “I don’t think it’s at that level right now,” said Percoco. “It’s not as easy to exploit.”
The new bug was probably found because OpenSSL has come under intense scrutiny since Heartbleed was discovered in April. That flaw had been introduced two years earlier, when a German computer programmer, contributing to OpenSSL in his spare time, added a new feature to the program that failed to check the length of the data it was handed.
OpenSSL is an “open-source” program, meaning that its source code is freely available for anyone to read, use, and modify. The software is maintained and upgraded by volunteers working for free. Many supporters of open-source software say it should be more secure than traditional commercial software from companies such as Microsoft Corp., because the inner workings of the software are accessible to anybody. This means any knowledgeable person can scour the program looking for bugs and fix them.
But Percoco said it doesn’t always work that way. “The assumption that open-source code is more secure than closed-source code is really rather false,” he said, because few open-source programs are actually inspected for bugs. Percoco noted that the new OpenSSL bug dates back to 1998; it took 16 years for someone to find it.
The discovery of two major flaws in such a widely used program means that OpenSSL code is now getting plenty of critical scrutiny. As a result, said Percoco, many more flaws will probably turn up soon.