OpenSSL flaw disclosure: Right thought, wrong time


Tech has plenty of holy wars — Windows vs Linux, emacs vs vi, and Perl vs Python, to name a few — and security has its own: vulnerability disclosure. At times it makes sense to publicly disclose a security vulnerability, but the recently revealed out-of-bounds read flaw in OpenSSL isn’t one of them.

Attackers can trigger the out-of-bounds read flaw in OpenSSL’s b2i_PVK_bio() function with a specially crafted private key, according to a post by Guido Vranken, a software engineer at Intelworks. That could lead to a heap corruption and potentially leak memory contents.

The vulnerability was reported to OpenSSL on Feb. 24, but Vranken said the project team informed him on Feb. 26 that the report, along with other reports submitted around that time, would have to wait until the next release. Vranken publicized the bug on his blog on Mar. 1, the same day OpenSSL released versions 1.0.2g and 1.0.1s. “It’s not necessarily more secure to have vulnerable code running on servers for a month or more while attackers, if any (for this vulnerability), are not bound to release cycles and have the advantage of time,” he wrote.

Source: Latest Web Security News