Six Security Vulnerabilities Addressed in OpenSSL
Added 9th Jan 2012
Versions 1.0.0f and 0.9.8s of the popular OpenSSL library, released this week, address six security flaws, including one that allows DTLS (Datagram Transport Layer Security) communications to be decrypted.
The "padding oracle attack," which can recover plaintext information encrypted with DTLS, was devised by Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (RHUL), who plan to present it at the 19th Annual Network & Distributed System Security (NDSS) Symposium in February.
The Alfardan-Paterson DTLS attack builds on previous RHUL research into CBC-based encryption weaknesses. When the CBC (cipher-block chaining) mode of operation is used, each block of plaintext is XORed with the ciphertext of the previous block, making each block dependent on the one before it.
Alfardan and Paterson discovered a way of recovering plaintext without knowing the initial encryption key (initialization vector) by analyzing timing differences that arise during the decryption process. The vulnerability facilitating this attack was addressed in OpenSSL versions 1.0.0f and 0.9.8s, which were released on Wednesday.
Another vulnerability addressed by these updates could result in a potential leak of non-encrypted information when SSL 3.0 is used. The severity of the issue is limited by the special conditions required for successful exploitation and the small number of potentially exposed bytes.
One flaw that only affects the 0.9.8 OpenSSL branch stems from a policy check failure when the X509_V_FLAG_POLICY_CHECK flag is set. Its discovery is credited to core OpenSSL team member Ben Laurie, and it was fixed in version 0.9.8s.
Three denial-of-service conditions have also been addressed in the new releases. They were the result of an assertion failure triggered by malformed RFC 3779 data being included in certificates, a bug in the support for handshake restarts for server gated cryptography (SGC) and the lack of error checking when GOST parameters are set by TLS clients.
Users are advised to upgrade to the newly released OpenSSL versions for their corresponding platform or wait for the operating system vendors who integrate the library by default to issue updates through their regular channels.
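As an added example (not code from OpenSSL or from the article), the following Python check classifies an `openssl version` banner against the two fixed releases named above. The function names and the sample banners are constructed for illustration, and branches other than 0.9.8 and 1.0.0 are reported as unknown because the article does not cover them.

```python
import re

# Fixed release per branch, as stated in the article.
FIXED = {"0.9.8": "s", "1.0.0": "f"}

_VERSION = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Split an `openssl version` banner into (branch, patch letters)."""
    m = _VERSION.search(banner)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % banner)
    return m.group(1), m.group(2)


def _rank(letters):
    # OpenSSL patch letters run '', a..z, then za, zb, ...; ordering by
    # (length, text) reproduces that sequence.
    return (len(letters), letters)


def status(banner):
    """Return 'fixed', 'affected', or 'unknown' (branch not in the article)."""
    branch, letters = parse_version(banner)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"
    return "fixed" if _rank(letters) >= _rank(fixed) else "affected"


# Constructed sample banners (not taken from real hosts).
SAMPLES = [
    "OpenSSL 1.0.0e 6 Sep 2011",
    "OpenSSL 1.0.0f 4 Jan 2012",
    "OpenSSL 0.9.8r 8 Feb 2011",
    "OpenSSL 0.9.8zh 3 Dec 2015",
    "OpenSSL 0.9.7m 23 Feb 2007",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print("%-30s %s" % (banner, status(banner)))
```

An "affected" result on a distribution package is a prompt to check the vendor's advisory, since vendors often backport fixes without changing the upstream version letter.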
