
Patched OpenSSL vulnerability creates new critical flaw; patched again

The cure for a low-severity OpenSSL vulnerability proves worse than the disease, as it opened a new, critical flaw, forcing the OpenSSL Project to rush out a new set of patches.

A patch for a low-severity OpenSSL vulnerability issued last week actually made things worse and created a new, more severe vulnerability in the open source cryptographic library.

In an unusual move, the OpenSSL Project bypassed its usual process for announcing vulnerabilities and patch availability and instead rushed out a new set of emergency patches to fix the new critical vulnerability.

"This security update addresses issues that were caused by patches included in our previous security update, released on 22nd September 2016," the OpenSSL Project wrote. "Given the critical severity of one of these flaws, we have chosen to release this advisory immediately to prevent upgrades to the affected version, rather than delaying in order to provide our usual public pre-notification."

The original flaw, one of 14 fixed in the OpenSSL patch release on Sept. 22, enabled a transitory denial-of-service attack through memory exhaustion and had a low severity rating; the new vulnerability introduced by the patch could allow an attacker to execute arbitrary code on a victim system.

"Due to the way memory is allocated in OpenSSL, this could mean an attacker could force up to 21 MB to be allocated to service a connection. This could lead to a denial of service through memory exhaustion," according to the original OpenSSL vulnerability advisory. "However, the excessive message-length check still takes place, and this would cause the connection to immediately fail." The excessive memory allocation is freed immediately, though, as long as the application calls SSL_free() to release the connection's memory. "Therefore, the excessive memory allocation will be transitory in nature."

The new critical OpenSSL vulnerability opened by the patch "resulted in an issue where if a message larger than approximately 16 KB is received, then the underlying buffer to store the incoming message is reallocated and moved," OpenSSL wrote. "Unfortunately, a dangling pointer to the old location is left, which results in an attempt to write to the previously freed location. This is likely to result in a crash; however, it could potentially lead to execution of arbitrary code."
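The two advisories describe two distinct defensive mistakes around one receive buffer: allocating before the length check runs (the original memory-exhaustion issue), and keeping a pointer into a buffer across a `realloc` that may move it (the dangling-pointer issue the patch introduced). The following is an added example written for this article, not OpenSSL's code; the `msg_buf` type, the `MAX_MSG_LEN` limit and all function names are hypothetical. It shows the safe form of both: the size limit is enforced before any allocation, and the write position is tracked as an offset and rederived from the current base after every growth, so nothing is left pointing at a freed block.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit standing in for a protocol's maximum message length.
 * Constructed for this example; not a value taken from OpenSSL. */
#define MAX_MSG_LEN (64u * 1024u)

/* Growable receive buffer. The write position is kept as an OFFSET (len),
 * never as a cached pointer, so it stays valid when realloc moves the block. */
typedef struct {
    unsigned char *data;
    size_t len;   /* bytes currently stored */
    size_t cap;   /* bytes allocated */
} msg_buf;

int msg_buf_init(msg_buf *b, size_t initial_cap) {
    if (initial_cap == 0) initial_cap = 1;
    b->data = malloc(initial_cap);
    if (!b->data) return -1;
    b->len = 0;
    b->cap = initial_cap;
    return 0;
}

void msg_buf_free(msg_buf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Ensure room for `extra` more bytes. The limit check runs BEFORE any
 * allocation, so an oversized length claim is rejected without first forcing
 * a large allocation (the exhaustion pattern the first advisory describes).
 * Returns 0 on success, -1 if over the limit or allocation fails. */
int msg_buf_reserve(msg_buf *b, size_t extra) {
    if (extra > MAX_MSG_LEN || b->len > MAX_MSG_LEN - extra)
        return -1;                        /* reject before allocating */
    size_t need = b->len + extra;
    if (need <= b->cap)
        return 0;
    size_t new_cap = b->cap;
    while (new_cap < need)
        new_cap *= 2;
    if (new_cap > MAX_MSG_LEN)
        new_cap = MAX_MSG_LEN;            /* need <= MAX_MSG_LEN, so this still fits */
    unsigned char *p = realloc(b->data, new_cap);
    if (!p)
        return -1;                        /* old block remains valid on failure */
    /* From here on, any pointer computed from the OLD b->data is dead.
     * Callers hold only offsets, so nothing needs rebasing. */
    b->data = p;
    b->cap = new_cap;
    return 0;
}

/* Append n bytes. The destination pointer is computed from b->data AFTER
 * reserve() may have moved the block. Writing through a pointer saved before
 * reserve() would be the dangling-pointer defect the second advisory describes. */
int msg_buf_append(msg_buf *b, const unsigned char *src, size_t n) {
    if (msg_buf_reserve(b, n) != 0)
        return -1;
    memcpy(b->data + b->len, src, n);     /* recomputed, never cached */
    b->len += n;
    return 0;
}

/* Self-check: append `chunks` chunks of `chunk` bytes (chunk <= 256) so the
 * buffer crosses several realloc boundaries, then verify every byte.
 * Returns total bytes stored, or 0 on rejection, failure or mismatch. */
size_t fill_and_verify(size_t chunk, size_t chunks) {
    msg_buf b;
    unsigned char pattern[256];
    if (chunk > sizeof pattern || msg_buf_init(&b, 16) != 0) return 0;
    for (size_t i = 0; i < sizeof pattern; i++) pattern[i] = (unsigned char)i;
    for (size_t c = 0; c < chunks; c++)
        if (msg_buf_append(&b, pattern, chunk) != 0) { msg_buf_free(&b); return 0; }
    for (size_t i = 0; i < b.len; i++)
        if (b.data[i] != (unsigned char)(i % chunk)) { msg_buf_free(&b); return 0; }
    size_t total = b.len;
    msg_buf_free(&b);
    return total;
}

/* Self-check: an oversized length claim must be rejected with NO growth. */
int oversized_claim_rejected(size_t claimed) {
    msg_buf b;
    if (msg_buf_init(&b, 16) != 0) return 0;
    int rc = msg_buf_reserve(&b, claimed);
    size_t cap_after = b.cap;
    msg_buf_free(&b);
    return rc == -1 && cap_after == 16;
}
```

The defensive point is the ordering in `msg_buf_reserve`: the bound is checked against the claimed length before `realloc` is ever called, and the only state that survives the call is the base pointer plus an offset. Code that caches `b->data + b->len` in a local across a growth step reintroduces exactly the stale-pointer write the second advisory describes, which AddressSanitizer reports as a heap-use-after-free on the first post-growth write.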

In other news

  • The economics of putting security measures in place versus accepting the costs of a breach are coming into clearer focus, according to new research that found the average cost of a typical cyberincident was about $200,000 -- approximately the same amount budgeted annually by the typical firm for cybersecurity. The paper, "Examining the Costs and Causes of Cyber Incidents," by Sasha Romanosky, policy researcher at RAND Corp., based in Santa Monica, Calif., and a member of the Pardee RAND Graduate School faculty, was published in the Journal of Cybersecurity. "The findings suggest that public concerns regarding the increasing rates of breaches and legal actions may be excessive, compared to the relatively modest financial impact to firms that suffer these events," Romanosky wrote. "Public concerns regarding the increasing rates of breaches and legal actions conflict, however, with our findings that show a much smaller financial impact to firms that suffer these events. Specifically, we find that the cost of a typical cyberincident in our sample is less than $200,000 (about the same as the firm's annual IT security budget), and that this represents only 0.4% of their estimated annual revenues."
  • BlackBerry Ltd. plans to end all internal hardware development and outsource that function to its partners, while focusing instead on its software and mobile security businesses. Over the past few years, BlackBerry has focused on the importance of mobile security to its brand. The mobile technology company has made several moves recently to build up its presence in the mobile security market, including the purchase of enterprise mobility management firm Good Technology for $425 million in 2015 and its Priv smartphone entry into the secure Android market, released last November.
  • After learning the file format used by the note-taking application Windows Journal is vulnerable to multiple exploits, Microsoft removed it from Windows. The latest flaw, a heap-overflow vulnerability, was discovered and reported to Microsoft by Fortinet Inc. researcher Honggang Ren. "Microsoft released update KB3161102 and removed the Journal component from all versions of Windows because the file format used by Journal has been demonstrated to be susceptible to a number of security exploits," Ren wrote. In its update, Microsoft wrote the file format used by Windows Journal -- Journal Note File -- "has been demonstrated to be susceptible to many security exploits. Therefore, Windows Journal will be removed from all versions of Microsoft Windows soon." Microsoft urged Windows Journal users to migrate to Microsoft OneNote as a more secure alternative, but also provided a separately installable version of Journal for customers who require it, though users should be aware that this version "contains a trusted notification message box that appears every time that a Windows Journal file is opened."
  • GovDelivery, the cloud-based digital communication platform for government clients, signed a definitive agreement to be acquired for $153 million by private equity firm Vista Equity Partners. "GovDelivery is used by more public-sector organizations for digital communications than all other solutions combined," the company's statement read. "The company has built out the industry-leading platform for digital government communications used by over 1,800 customers to reach over 120 million citizens." The deal is expected to close in the fourth quarter of 2016.

Next Steps

Find out more about why the Heartbleed bug had a positive effect on OpenSSL.

Learn about the benefits of doing a risk assessment of OpenSSL-reliant products.

Read about two OpenSSL alternatives: LibreSSL and BoringSSL.
