Two months after Heartbleed, another OpenSSL bug affects Tor
A second vulnerability has emerged just months after Heartbleed.
Two months after the “catastrophic” Heartbleed security bug put nearly 20 percent of the Internet’s servers at risk of cyberattack, another major bug has popped up in OpenSSL encryption. The potential list of victims includes web browsers, email, private networks, and even the anonymous Tor network, when the software uses affected versions of OpenSSL.
“This one is less terrible than Heartbleed, but it’s still quite bad,” Tor developer Nick Mathewson said. “People have taken to calling it the ‘EarlyCCS’ attack: it will probably get less media attention than Heartbleed because its name is insufficiently scary.”
The bug itself, also known as the CCS Injection Vulnerability, has managed to inspire a scare among technologists nevertheless. And, like Heartbleed, it comes with a pretty gnarly logo (this time including syringes to symbolize the injection of malicious code) to catch your attention.
Using this vulnerability, an attacker positioned as a man-in-the-middle between a server and its users can decrypt, eavesdrop on, and modify the traffic between the attacked client and server.
Heartbleed, which could attack any server using OpenSSL without exception, was more widely dangerous. This new vulnerability requires an attacker located between the two communicating computers, for instance on a shared public Wi-Fi network.
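The weakness behind the "EarlyCCS" name is a ChangeCipherSpec message accepted out of order. The check below is an added example written for this page, not code from the article, OpenSSL or Tor: it assumes TLS records have already been parsed into (direction, content type, handshake type) tuples and leaves key derivation out of scope.

```python
# Added example, not code from the article, OpenSSL or Tor: a passive check of
# the handshake-ordering rule that "EarlyCCS" violates. It assumes records have
# already been parsed into (direction, content_type, handshake_type) tuples.

# TLS record content types and handshake message types (RFC 5246 values).
CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11
SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE, FINISHED = 14, 16, 20

def check_handshake(records):
    """Return findings for one TLS 1.0-1.2 handshake (empty list if clean).

    ClientKeyExchange is what lets both sides derive the master secret, so a
    ChangeCipherSpec from either side before it has crossed the wire cannot
    switch to properly keyed encryption. A peer that accepts one anyway ends
    up with predictable keys, which is what an in-path attacker relies on; a
    peer or monitor applying this rule rejects the session instead.
    """
    findings = []
    key_exchange_seen = False
    for index, (direction, content_type, handshake_type) in enumerate(records):
        if content_type == HANDSHAKE and handshake_type == CLIENT_KEY_EXCHANGE:
            key_exchange_seen = True
        elif content_type == CHANGE_CIPHER_SPEC and not key_exchange_seen:
            findings.append(f"record {index}: ChangeCipherSpec from {direction} "
                            "before ClientKeyExchange")
    return findings

# Constructed sample sessions: (direction, content type, handshake type or None).
NORMAL_SESSION = [
    ("c>s", HANDSHAKE, CLIENT_HELLO),
    ("s>c", HANDSHAKE, SERVER_HELLO),
    ("s>c", HANDSHAKE, CERTIFICATE),
    ("s>c", HANDSHAKE, SERVER_HELLO_DONE),
    ("c>s", HANDSHAKE, CLIENT_KEY_EXCHANGE),
    ("c>s", CHANGE_CIPHER_SPEC, None),
    ("c>s", HANDSHAKE, FINISHED),
    ("s>c", CHANGE_CIPHER_SPEC, None),
    ("s>c", HANDSHAKE, FINISHED),
]

# The same session with a ChangeCipherSpec inserted right after ServerHello.
EARLY_CCS_SESSION = (NORMAL_SESSION[:2] + [("s>c", CHANGE_CIPHER_SPEC, None)]
                     + NORMAL_SESSION[2:])

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("early", EARLY_CCS_SESSION)):
        print(name, check_handshake(session) or "no findings")
```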
The vulnerability impacts Tor, the Web’s leading anonymity network, for clients and relays running older versions of OpenSSL. An attacker, whether a government or independent hackers, would not be able to fully breach Tor’s strong, layered cryptography, but using this vulnerability could help with traffic analysis and so reduce the anonymity of Tor’s users.
Mathewson, in an email to the Tor community, said there is “likely other unexpected badness as well” and recommended immediately upgrading all relevant software to the fixed versions as soon as they’re available.
The bug, which has existed in every version of OpenSSL since 1998, was reported to developers in May by Japanese researcher Masashi Kikuchi, and the fix was built and deployed today. However, not all affected servers have updated to the new version of OpenSSL. As with Heartbleed, it takes time for administrators to apply patches. Unlike Heartbleed, though, there is far less sense of urgency, which may leave servers exposed to this attack longer than they need to be.
After the major impact that Heartbleed had, companies like Google, Microsoft, Amazon, and Facebook pledged $100,000 a year for three years to strengthen small but critical open source projects like OpenSSL.
AVG Virus Labs estimate around 12,000 popular websites are still vulnerable to Heartbleed.
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016.