BEST OF THE WEB

New flaw ‘found’ in patched OpenSSL likely a fake, experts say

It’s getting so you just can’t trust hackers any more.

According to Computerworld U.S., security experts doubt the validity of a hacker claim that there’s a new vulnerability in the patched, post-Heartbleed version of OpenSSL.

Jeremy Kirk writes that a group of hackers, in a post on Pastebin, claim to have developed a fix for the new vulnerability that they “found.” The post tells users they’ll get a download link for the fix after making a payment of 2.5 bitcoins, which works out to around US$870.

“A new flaw in OpenSSL could pose just as much of a threat as Heartbleed did,” Kirk writes. “But the hackers’ claim was met with immediate suspicion on Full Disclosure, a forum for discussing vulnerability reports.”

In one posting, a commentator says “They claim to have found a buffer overflow in the handling of the DOPENSSL_NO_HEARTBEATS variable; since that’s in the C Preprocessor, that’s a rather extraordinary claim.”

Other comments about the validity of the hackers’ claim are more direct.

“It’s [bleep],” another poster writes. “They say: ‘A missing bounds check in the handling of the variable “DOPENSSL_NO_HEARTBEATS.”’ That’s not a variable, the ‘D’ is not actually part of the name, and it’s a compile-time macro that configures whether heartbeats will be compiled in or not. And because it’s a compile-time thing, it’s nothing that an attacker could ever influence.”

Because the hackers didn’t make their code public, their claim can’t be verified. And the email address provided for questions turns out to be the same one used on Pastebin for a couple of earlier offers for data, including data from a defunct Japanese bitcoin exchange that was hacked.

Still, when one poster asks if there really could be a working exploit on patched versions of OpenSSL, another answers “Absolutely! Ask again in a year.”

The Heartbleed flaw in OpenSSL was disclosed earlier this month and could enable hackers to gain access to login credentials or a server’s private SSL key.

Andrew Brooks
Andrew Brookshttp://www.itworldcanada.com
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web