Six Security Vulnerabilities Addressed in OpenSSL
Added 9th Jan 2012
Versions 1.0.0f and 0.9.8s of the popular OpenSSL library, released this week, address six security flaws, including one that allows DTLS (Datagram Transport Layer Security) communications to be decrypted.
The "padding oracle attack," which can recover plaintext information encrypted with DTLS, was devised by Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (RHUL), who plan to present it at the 19th Annual Network & Distributed System Security (NDSS) Symposium in February.
The Alfardan-Paterson DTLS attack builds on previous RHUL research into weaknesses of CBC-based encryption. In CBC (cipher-block chaining) mode each plaintext block is XORed with the previous ciphertext block before it is encrypted, so on decryption every plaintext block depends on the ciphertext block before it: flipping a byte in one ciphertext block flips the corresponding plaintext byte of the next block. That dependency is what the attack manipulates.
Alfardan and Paterson found a way of recovering plaintext without knowing the encryption key, by measuring timing differences in how the receiver processes a record whose padding is valid versus one whose padding is not. Each such measurement acts as a padding oracle, and repeated queries reveal the plaintext byte by byte. The vulnerability facilitating this attack was addressed in OpenSSL versions 1.0.0f and 0.9.8s, released on Wednesday.
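To make the mechanism concrete, here is an added example (not OpenSSL's code and not the authors' attack code) of a padding-oracle attack on CBC. It uses a toy keyed Feistel block cipher built from SHA-256 (an assumption for the demo; any block cipher behaves the same way here), TLS-style padding (a length byte N preceded by N bytes equal to N), and a boolean oracle that reports whether the padding check passed, which stands in for the timing signal Alfardan and Paterson measured. The function names and the sample plaintext are constructed for this example.

```python
import hashlib
import os

BLOCK = 16
ROUNDS = 8
PLAINTEXT = b"Attack at dawn; session cookie=7f3a9c"   # constructed sample record


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, r, half):
    # Toy Feistel round function: keyed hash truncated to the 8-byte half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _f(key, r, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right


def tls_pad(data):
    n = (-(len(data) + 1)) % BLOCK            # pad bytes before the length byte
    return data + bytes([n]) * (n + 1)


def tls_unpad(data):
    n = data[-1]
    if n + 1 > len(data) or data[-(n + 1):] != bytes([n]) * (n + 1):
        raise ValueError("bad padding")
    return data[:-(n + 1)]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)   # plaintext depends on prev block
        prev = cur
    return out


def padding_oracle(key, iv, ciphertext):
    # The leak: did the padding check pass? In the real attack this is a timing difference.
    try:
        tls_unpad(cbc_decrypt(key, iv, ciphertext))
        return True
    except ValueError:
        return False


def recover_last_block(oracle, prev, last):
    """Recover the plaintext of `last` using only `prev`, `last` and the oracle."""
    inter = bytearray(BLOCK)     # block_decrypt(key, last), learned byte by byte
    queries = 0
    for i in range(BLOCK - 1, -1, -1):
        n = BLOCK - 1 - i        # target pad value: bytes i..15 must all decrypt to n
        forged = bytearray(prev)
        for j in range(i + 1, BLOCK):
            forged[j] = inter[j] ^ n            # force already-known bytes to n
        for guess in range(256):
            forged[i] = guess
            queries += 1
            if not oracle(bytes(forged) + last):
                continue
            if i == BLOCK - 1:
                # A longer pad (0x01 0x01, ...) can also validate; perturb byte 14
                # and re-query. Only the single-byte pad 0x00 survives that.
                check = bytearray(forged)
                check[i - 1] ^= 0xFF
                queries += 1
                if not oracle(bytes(check) + last):
                    continue
            inter[i] = guess ^ n
            break
        else:
            raise RuntimeError("no valid guess found for byte %d" % i)
    return _xor(bytes(inter), prev), queries


def attack_demo():
    key, iv = os.urandom(32), os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, tls_pad(PLAINTEXT))
    # The attacker sees only ciphertext and the oracle's accept/reject verdict.
    oracle = lambda forged_ct: padding_oracle(key, iv, forged_ct)
    recovered, queries = recover_last_block(oracle, ct[-2 * BLOCK:-BLOCK], ct[-BLOCK:])
    return recovered, tls_pad(PLAINTEXT)[-BLOCK:], queries


if __name__ == "__main__":
    recovered, expected, queries = attack_demo()
    print(recovered, queries, recovered == expected)
```

Recovering the final block costs at most 256 oracle queries per byte (about 128 on average), and the same loop applied to any adjacent pair of ciphertext blocks recovers the whole record. The countermeasure is to make processing time independent of whether the padding was valid, in particular by always running the MAC check; the DTLS code path in the affected OpenSSL versions did not apply that countermeasure, which is what turned the timing difference into an oracle.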
Another vulnerability addressed by these updates could leak a few bytes of uninitialised memory to the peer when SSL 3.0 block-cipher padding is used. The severity of the issue is limited by the special conditions required for successful exploitation and the small number of potentially exposed bytes per record.
One flaw that only affects the 0.9.8 OpenSSL branch stems from a policy check failure when the X509_V_FLAG_POLICY_CHECK flag is set. Its discovery is credited to core OpenSSL team member Ben Laurie and was fixed in version 0.9.8s.
Three denial-of-service conditions have also been addressed in the new releases. They were the result of an assertion failure triggered by malformed RFC 3779 data being included in certificates, a bug in the support for handshake restarts for server gated cryptography (SGC) and the lack of error checking when GOST parameters are set by TLS clients.
Users are advised to upgrade to the newly released OpenSSL versions for their corresponding platform or wait for the operating system vendors who integrate the library by default to issue updates through their regular channels.