Last week six new OpenSSL vulnerabilities were disclosed to the public. These flaws were quickly patched, but Heartbleed has left users wary about the safety of OpenSSL.
Just how severe are these new vulnerabilities?
Listen to episode 153 of our security slice podcast and hear Craig Young and Tyler Reguly discuss why none of these vulnerabilities are as serious as Heartbleed, why sensationalism in the security industry makes it difficult to gauge the impact of new vulnerabilities, and why these new disclosures should increase your confidence in OpenSSL.
Also, check out this handy Detection Script for CVE-2014-0224 (the OpenSSL CCS Injection) – it is designed to recognize when an SSL server does not actively reject an early ChangeCipherSpec (CCS) message, one sent before the key exchange has completed. Whether the server rejects it indicates whether its OpenSSL library has been patched to enforce the proper handshake message order.
The script is designed to detect vulnerable servers across a wide range of configurations: it attempts to negotiate with each affected protocol version (SSLv3, TLSv1, TLSv1.1 and TLSv1.2), advertising a comprehensive set of cipher suites so that an unusually configured server still has something to accept.
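As an added illustration of the check described above (this is not Tripwire's script, whose internals the post does not reproduce), the following Python probe does the same thing at the protocol level: it sends a ClientHello for one of the affected versions with a broad cipher suite list, waits for the server's handshake flight to reach ServerHelloDone, then sends a ChangeCipherSpec before any ClientKeyExchange and reports whether the server answers with an alert. The host, port, cipher suite list and timeout are assumptions; only run it against systems you are authorised to test.

```python
# Added example, not the Tripwire detection script: probe a server for
# CVE-2014-0224 by sending a ChangeCipherSpec before the key exchange.
import socket
import struct
import sys

# Protocol versions covered by the CCS injection advisory.
VERSIONS = {"SSLv3": (3, 0), "TLSv1": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}

# Broad but not exhaustive cipher suite list (assumption), so an oddly
# configured server still finds a suite it can negotiate.
CIPHER_SUITES = [
    0x0004, 0x0005, 0x0009, 0x000A, 0x0013, 0x0016, 0x002F, 0x0033, 0x0035,
    0x0039, 0x003C, 0x003D, 0x0067, 0x006B, 0x009C, 0x009D, 0x009E, 0x009F,
    0xC009, 0xC00A, 0xC013, 0xC014, 0xC023, 0xC024, 0xC027, 0xC028,
    0xC02B, 0xC02C, 0xC02F, 0xC030,
]

CONTENT_CCS, CONTENT_ALERT, CONTENT_HANDSHAKE = 0x14, 0x15, 0x16
HS_SERVER_HELLO_DONE = 0x0E


def record(content_type, version, payload):
    """Wrap payload in a TLS record header: type, (major, minor), 16-bit length."""
    return struct.pack("!BBBH", content_type, *version, len(payload)) + payload


def build_client_hello(version):
    """ClientHello record for one (major, minor) protocol version."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!BB", *version)
            + b"\x00" * 32                      # client random; any value works here
            + b"\x00"                           # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                      # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return record(CONTENT_HANDSHAKE, version, handshake)


def build_ccs(version):
    """A ChangeCipherSpec record; sent before ClientKeyExchange it is 'early'."""
    return record(CONTENT_CCS, version, b"\x01")


def parse_records(data):
    """Split a byte stream into (content_type, version, payload) records."""
    out = []
    while len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if len(data) < 5 + length:
            break                                # truncated trailing record
        out.append((ctype, (major, minor), data[5:5 + length]))
        data = data[5 + length:]
    return out


def handshake_types(records):
    """Handshake message types seen so far; messages may be coalesced or split across records."""
    stream = b"".join(p for c, _, p in records if c == CONTENT_HANDSHAKE)
    types = []
    while len(stream) >= 4:
        mtype, length = stream[0], int.from_bytes(stream[1:4], "big")
        if len(stream) < 4 + length:
            break
        types.append(mtype)
        stream = stream[4 + length:]
    return types


def classify_ccs_response(records):
    """'rejected' if the server answered the early CCS with an alert, else 'not_rejected'."""
    return "rejected" if any(c == CONTENT_ALERT for c, _, _ in records) else "not_rejected"


def recv_records(sock, timeout, done=lambda recs: False):
    """Read until done(records) is true, the peer closes, or the timeout elapses."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            if done(parse_records(buf)):
                break
    except socket.timeout:
        pass
    return parse_records(buf)


def probe(host, port, version, timeout=5.0):
    """One attempt at one protocol version; returns no_handshake / rejected / not_rejected."""
    flight_done = lambda recs: (any(c == CONTENT_ALERT for c, _, _ in recs)
                                or HS_SERVER_HELLO_DONE in handshake_types(recs))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version))
        if HS_SERVER_HELLO_DONE not in handshake_types(recv_records(s, timeout, flight_done)):
            return "no_handshake"                # version or suites not accepted by this server
        s.sendall(build_ccs(version))            # CCS with no ClientKeyExchange before it
        return classify_ccs_response(recv_records(s, timeout, flight_done))


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name, ver in VERSIONS.items():
        print(f"{name:8s} {probe(host, port, ver)}")
```

Reading the result: "rejected" means the server answered the out-of-order CCS with an alert, which is what a patched OpenSSL does; "not_rejected" means it accepted the message silently (or at least sent no alert before the timeout), the behaviour the fix for CVE-2014-0224 removes; "no_handshake" only means that version and cipher combination was not accepted, so the other versions still need to be tried. Silence is a heuristic signal, not proof: a non-OpenSSL stack or a server that simply stalls can produce the same result, so confirm against the library version before calling a host vulnerable.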
Click Here to Listen to the Podcast
- Security Slice: Are Retailers Cybercrime Victims or Cybersecurity Laggards?
- Security Slice: Spies vs. Spies
- Security Slice: Heartbleed’s Cupid
- Security Slice: Hindering Utility Hacks
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock