Article Lead Image

Two months after Heartbleed, another OpenSSL bug affects Tor

A second vulnerability has emerged just months after Heartbleed.


Patrick Howell O'Neill


Posted on Jun 6, 2014   Updated on May 31, 2021, 4:39 am CDT

Two months after the “catastrophic” Heartbleed security bug put nearly 20 percent of the Internet’s servers at risk of cyberattack, another major bug has popped up in OpenSSL encryption. The potential list of victims includes web browsers, email, private networks, and even the anonymous Tor network, when the software uses affected versions of OpenSSL.

“This one is less terrible than Heartbleed, but it’s still quite bad,” Tor developer Nick Mathewson said. “People have taken to calling it the ‘EarlyCCS’ attack: it will probably get less media attention than Heartbleed because its name is insufficiently scary.”

The bug itself, also known as the CSS Injection Vulnerability, has managed to inspire a scare in technologists nevertheless. And, like Heartbleed, it comes with a pretty gnarly logo–this time including syringes to symbolize the injection of malicious code–to catch your attention.

Using this vulnerability, an attacker can act as the man-in-the-middle between servers and users. He can then decrypt, eavesdrop, and modify traffic from the attacked client and server.

Heartbleed, which could attack any server using OpenSSL without exception, was more widely dangerous. This new vulnerability needs an attacker that is located between two communicating computers like, for instance, public Wi-Fi.

The vulnerability impacts Tor, the Web’s leading anonymity network, for clients and relays running older versions of OpenSSL. An attacker like a government or independent hackers would not be able to fully breach Tor’s strong, layered cryptography, but using this vulnerability could help with traffic analysis to reduce the anonymity of Tor’s users.

Mathewson, in an email to the Tor community, said there is “likely other unexpected badness as well” and recommended immediately upgrading all relevant software to the fixed versions as soon as they’re available.

The bug, which has been in existence for every version of OpenSSL since 1998, was reported in May to developers by Japanese researcher Masashi Kikuchi and the fix was built and deployed today. However, not all affected servers have updated to the new version of OpenSSL. Like Heartbleed, it takes time for administrators to apply patches. However, unlike Heartbleed, there is a much smaller sense of urgency that may end up leaving servers more vulnerable to this attack than they need to be.

After the major impact that Heartbleed had, companies like Google, Microsoft, Amazon, and Facebook pledged $100,000 a year for three years to strengthen small but critical open source projects like OpenSSL.

AVG Virus Labs estimate around 12,000 popular websites are still vulnerable to Heartbleed.

Photo by Mike Baird/Flickr (CC BY SA 2.0) | Remix by Jason Reed

Share this article
*First Published: Jun 6, 2014, 7:48 am CDT