Two months after Heartbleed, another OpenSSL bug affects Tor
A second vulnerability has emerged just months after Heartbleed.
Two months after the “catastrophic” Heartbleed security bug put nearly 20 percent of the Internet’s servers at risk of cyberattack, another major bug has popped up in OpenSSL encryption. The potential list of victims includes web browsers, email, private networks, and even the anonymous Tor network, when the software uses affected versions of OpenSSL.
“This one is less terrible than Heartbleed, but it’s still quite bad,” Tor developer Nick Mathewson said. “People have taken to calling it the ‘EarlyCCS’ attack: it will probably get less media attention than Heartbleed because its name is insufficiently scary.”
The bug itself, also known as the CCS Injection vulnerability, has nevertheless managed to rattle technologists. And, like Heartbleed, it comes with a pretty gnarly logo, this time including syringes to symbolize the injection of malicious code, to catch your attention.
Using this vulnerability, an attacker positioned as a man-in-the-middle between a server and a user can decrypt, eavesdrop on, and modify the traffic passing between the attacked client and server.
Heartbleed, which could be used against any server running a vulnerable OpenSSL without exception, was more widely dangerous. This new vulnerability requires an attacker located between the two communicating computers, for instance on public Wi-Fi.
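The "EarlyCCS" name refers to a ChangeCipherSpec message arriving before the handshake has finished its key exchange. Below is an added, defender-side detection sketch (not OpenSSL's fix or the researcher's code) that parses a client-to-server TLS record stream and flags a ChangeCipherSpec record seen before any ClientKeyExchange; the record and handshake type numbers are from the TLS specification, and the sample streams are constructed here with dummy handshake bodies.

```python
import struct

CONTENT_CCS = 20        # TLS record content type: ChangeCipherSpec
CONTENT_HANDSHAKE = 22  # TLS record content type: Handshake
HS_CLIENT_HELLO = 1     # handshake message types used in the samples
HS_CLIENT_KEY_EXCHANGE = 16

def tls_record(content_type, body, version=(3, 1)):
    """Build one TLS record: type(1) version(2) length(2) body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body

def handshake_record(hs_type, body=b""):
    """Wrap a handshake message (type(1) length(3) body) in a Handshake record."""
    hdr = bytes([hs_type]) + len(body).to_bytes(3, "big")
    return tls_record(CONTENT_HANDSHAKE, hdr + body)

def iter_records(stream):
    """Yield (content_type, body) for each complete record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _maj, _min, length = struct.unpack("!BBBH", stream[off:off + 5])
        off += 5
        if off + length > len(stream):
            break  # truncated record: stop rather than misparse
        yield ctype, stream[off:off + length]
        off += length

def early_ccs_offset(stream):
    """Index of the first ChangeCipherSpec record that precedes a ClientKeyExchange
    in the client->server stream, or None if the ordering is sane.
    Only the first handshake message in each record is inspected."""
    key_exchange_seen = False
    for idx, (ctype, body) in enumerate(iter_records(stream)):
        if ctype == CONTENT_HANDSHAKE and body and body[0] == HS_CLIENT_KEY_EXCHANGE:
            key_exchange_seen = True
        elif ctype == CONTENT_CCS and not key_exchange_seen:
            return idx
    return None

# Constructed sample streams; handshake bodies are placeholder bytes, not real data.
NORMAL_STREAM = (handshake_record(HS_CLIENT_HELLO, b"\x00" * 4)
                 + handshake_record(HS_CLIENT_KEY_EXCHANGE, b"\x01" * 4)
                 + tls_record(CONTENT_CCS, b"\x01"))
EARLY_CCS_STREAM = (handshake_record(HS_CLIENT_HELLO, b"\x00" * 4)
                    + tls_record(CONTENT_CCS, b"\x01")
                    + handshake_record(HS_CLIENT_KEY_EXCHANGE, b"\x01" * 4))

if __name__ == "__main__":
    print("normal stream:", early_ccs_offset(NORMAL_STREAM))         # None
    print("early CCS at record:", early_ccs_offset(EARLY_CCS_STREAM))  # 1
```

A patched OpenSSL rejects the premature ChangeCipherSpec itself; a check like this is only useful as a network-side indicator on the unencrypted handshake records.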
The vulnerability impacts Tor, the Web’s leading anonymity network, for clients and relays running older versions of OpenSSL. An attacker like a government or independent hackers would not be able to fully breach Tor’s strong, layered cryptography, but using this vulnerability could help with traffic analysis to reduce the anonymity of Tor’s users.
Mathewson, in an email to the Tor community, said there is “likely other unexpected badness as well” and recommended immediately upgrading all relevant software to the fixed versions as soon as they’re available.
The bug, which has existed in every version of OpenSSL since 1998, was reported to the developers in May by Japanese researcher Masashi Kikuchi, and the fix was built and deployed today. However, not all affected servers have updated to the new version of OpenSSL. As with Heartbleed, it takes time for administrators to apply patches. Unlike Heartbleed, though, there is a much smaller sense of urgency, which may end up leaving servers more exposed to this attack than they need to be.
After the major impact that Heartbleed had, companies like Google, Microsoft, Amazon, and Facebook pledged $100,000 a year for three years to strengthen small but critical open source projects like OpenSSL.
AVG Virus Labs estimate around 12,000 popular websites are still vulnerable to Heartbleed.
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016.