A vulnerability classed as “high” severity in OpenSSL is set to be fixed on Thursday.
According to an advisory, the OpenSSL project team has announced the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. “They will fix a number of security defects,” Matt Caswell from the OpenSSL Project Team said. “The highest severity defect fixed by these releases is classified as “high” severity.
Whilst the flaw remains veiled in secrecy, Microsoft has released an advisory also, saying that it is aware of an improperly issued SSL certificate for the domain “live.fi” that could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks.
It said that it “cannot be used to issue other certificates, impersonate other domains or sign code” but that this issue affects all supported releases of Microsoft Windows. Microsoft said it is not currently aware of attacks related to this issue and the digital certificate has been revoked by the issuing CA and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of certificates that are causing this issue.
Gavin Millard, technical director of Tenable Network Security said: “Although the actual details of the vulnerability haven’t been disclosed, the versions affected by the embargoed bug have, which includes OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
“With the contributors to the OpenSSL project staying tight lipped apart from stating it will be classified as ‘High Severity’, it would be prudent for organisations to identify all systems affected in advance of the patch to deploy the updates if required. Hopefully this bug will be less severe than Heartbleed but, until Thursday, only a few will know.”