ZDNet UK



Govt finds open-source flaws

Published: 02 Oct 2003 08:35 BST


An open-source group that maintains software for securing communications released a patch on Tuesday to fix several vulnerabilities that were found during a security test by the UK government.

The security flaws exist in the OpenSSL Project's version of the secure sockets layer (SSL) software used by Web sites and browsers to cryptographically secure data. Two of the flaws could lead to a denial-of-service attack, and a third may allow an attacker to break into a system from the Internet.

The flaws were found when the UK government put the software through rigorous testing, said Mark Cox, a developer on the OpenSSL security team. The tests were conducted by the National Infrastructure Security Co-ordination Centre (NISCC), and reported by UNIRAS, the UK equivalent of CERT.

"We certainly know of no exploits yet," he said. "These were found by the good guys."

Not to be confused with the OpenSSH project -- SSH stands for secure shell -- which has patched its software twice in the last month, the OpenSSL Project develops and maintains an open-source version of SSL software. A year ago, the Slapper worm infected Linux computers that hadn't been patched to fix a different hole in the same software.

Cox said that a specially crafted digital certificate could crash the OpenSSL software through either of two flaws, causing a denial-of-service attack. The third flaw could result in a security hole that could allow online vandals to attack a server or enable a worm to spread. All versions of OpenSSL, up to and including 0.9.6j and 0.9.7b, are affected, according to an advisory issued by the group.

So far, most Linux distributors, including Red Hat and SuSE, have released patches for the flaws. Cisco Systems also has released patches. The networking gear maker uses the software in a number of its products.
