A new version of the OpenSSL cryptography library released to cover a vulnerability where an attacker could intercept communications.
Version 1.0.1g of the software released to address the issue.
The vulnerability, CVE-2014-0160, could end up used to steal information protected by SSL/TLS encryption because it enables an attacker to read the memory of the vulnerable systems. The security hole exposes all data transmissions, including encryption keys, usernames, passwords and the content of the communication.
The issue called the “Heartbleed bug” because it affects the DLS/DRLS implementation of the RFC6520 heartbeat extension, and it leads to the leakage of memory contents.
The security hole is a problem because it has been around for two years, leaving a large number of private keys and other sensitive data exposed.
A team of engineers from Codenomicon and Neel Mehta of Google Security uncovered the flaw. Open SSL 1.0.1 through 1.0.1f are vulnerable. The branches of versions 1.0.0 and 0.9.8 do not suffer from the issue.
Several operating system distributions, including Debian Wheezy, Ubuntu, CentOS, FreeBSD, OpenBSD and OpenSUSE shipped with vulnerable versions. Researchers believe that most users are likely to feel the impact, either directly or indirectly.
Researchers also highlight the fact this bug is not like the recent Apple “got fail” bug, which required a man-in-the-middle (MITM) attack. Instead, the attacker can directly contact the vulnerable service, and even directly attack users connected to a malicious service.