06/05/2014 07:51 pm ET Updated Jun 06, 2014

New Flaw Found in Software That Caused Heartbleed Bug

Two months after the Heartbleed bug triggered widespread Internet panic, a researcher on Thursday disclosed a new vulnerability in the same widely used security software.

The researcher, Masashi Kikuchi, wrote in a blog post that he found another bug in OpenSSL, the encryption tool used in two-thirds of all websites to prevent hackers from stealing sensitive information like passwords or credit card data.

The new flaw would allow a hacker to snoop on or even change the content of emails or Web traffic, experts said Thursday.

Unlike Heartbleed, the new bug is much more difficult for hackers to exploit because it requires them to intercept traffic between two computers. The new flaw is only found on some older versions of the OpenSSL software.

Wired.com writer Andy Greenberg noted that the flaw "leaves open the possibility that anyone from an eavesdropper on your local Starbucks’ network to the NSA [could] strip away your Web connection’s encryption before it’s even initialized."

It was unclear Thursday how many websites -- or which ones -- were affected by the vulnerability. Security experts said that anyone using Internet Explorer, Firefox, and Chrome browsers appeared safe.

The OpenSSL Foundation, which supports the programmers who maintain the software, published an advisory Thursday saying the flaw had been fixed and urging website owners to upgrade to the latest OpenSSL software.

The disclosure further highlights the need for more security experts to check the popular open-source software for flaws. The vulnerability that was reported Thursday went undetected for 16 years because “code reviews were insufficient,” Kikuchi wrote in a blog post.

Despite its critical role in Internet security, OpenSSL software is written and maintained largely by four people who live in Europe, plus a few contributors. Most have other jobs during the day and maintain the code in their spare time.

Together, they earned less than $1 million last year for their work on OpenSSL from a mix of contract work and donations. The programmers don’t have time to check every line of code for flaws and can’t afford to pay for a formal code review.

In response to the Heartbleed bug, several big technology companies -- including Google, Facebook and Microsoft -- have pledged financial support to OpenSSL to hire experts who can work full time reviewing the code.
