Mar 20 2015

Heartbleed Revisited?


Not even a year after Heartbleed and its successor Cupid, the OpenSSL Project has started to roll out another series of critical patches without advance notice.

According to the Project website, users – meaning operating system vendors and service providers – should update their offerings to the newly released OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf as soon as possible. Beyond that, no details were revealed, so at the moment it remains unclear which vulnerabilities are being patched. A brief search of MITRE's CVE database, however, yields over 100 OpenSSL entries, most of them reported since 2009. According to a report at The Inquirer, there are no protective measures or mitigation strategies for end users – all they can do is watch for the latest updates to their browsers and other internet-connected software.
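Since the only actionable detail in the announcement is the list of fixed versions, the first defensive step is an inventory: which hosts still run a release older than the fix for their branch. The script below is an added example (not from the article or the OpenSSL Project) that parses OpenSSL version strings, including the letter suffixes such as 0.9.8zf, and classifies each line of `openssl version` output against the four fixed releases; the sample lines are constructed.

```python
import re

# Fixed releases for each supported OpenSSL branch (the versions the article lists).
FIXED_RELEASES = {"1.0.2": "1.0.2a", "1.0.1": "1.0.1m",
                  "1.0.0": "1.0.0r", "0.9.8": "0.9.8zf"}

# Release strings are major.minor.fix plus an optional lowercase suffix:
# '', 'a' .. 'z', then 'za', 'zb', ... (as the 0.9.8 branch shows).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), suffix) for the first OpenSSL version
    string found in `text`, or None if there is none."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def classify(text):
    """Classify a version string, or a line of `openssl version` output, as
    'patched', 'vulnerable' or 'unknown' relative to FIXED_RELEASES.
    Plain string comparison orders the suffixes correctly: '' < 'a' < 'z' < 'za'.
    Caveat: distributions that backport fixes keep the old upstream version
    string, so 'vulnerable' means 'predates the fixed release', not a
    confirmed hole; check the package changelog before acting on it."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    nums, suffix = parsed
    fixed = FIXED_RELEASES.get("%d.%d.%d" % nums)
    if fixed is None:
        return "unknown"  # branch not covered by the advisory, e.g. 1.1.0-dev
    return "patched" if (nums, suffix) >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample lines, as `openssl version` prints them on several hosts.
    SAMPLE = [
        "OpenSSL 1.0.1k 8 Jan 2015",
        "OpenSSL 1.0.2a 19 Mar 2015",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.1.0-dev xx XXX xxxx",
        "LibreSSL 2.1.3",
    ]
    for line in SAMPLE:
        print(f"{classify(line):10s} {line}")
```

Feed it the collected output of `openssl version` from each host to get a quick triage list; treat "unknown" entries as needing a manual look rather than as safe.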

The "no advance notice/no disclosure" policy – typically an absolute no-go in open source circles – was explained by Steve Marquess, co-founder, president and business manager of the OpenSSL Software Foundation – the organization that governs and finances the OpenSSL Project – in an interview with renowned security blogger Brian Krebs. In it, Marquess cites last year's media frenzy about Heartbleed, a boost in hacker attacks and the ensuing, rather uncoordinated industry efforts to fix the security hole as the main reasons for the new, "brutal" strategy. However, Marquess also concedes that the OpenSSL Foundation, which was incorporated in Maryland in 2009 as a service provider and consulting firm, has money to lose: "One of our main revenue sources is support contracts," he told Krebs, "and we don't even give them advance notice." Understandable as it is, his position raises some serious questions about how open some OSS projects really are, and about the nature of OSS in general.
