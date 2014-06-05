By Jim Finkle
BOSTON, June 5 - Security researchers have
uncovered new bugs in the Web encryption software that caused
the pernicious "Heartbleed" Internet threat that surfaced in
April.
Experts said the newly discovered vulnerabilities in
OpenSSL, which could allow hackers to spy on communications, do
not appear to be as serious a threat as "Heartbleed."
The new bugs were disclosed on Thursday as the group
responsible for developing that software released an OpenSSL
update that contains seven security fixes.
Experts said that websites and technology firms that use
OpenSSL technology should install the update on their systems as
quickly as possible. Still, they said that could take several
days or weeks because companies need to first test systems to
make sure they are compatible with the update.
"They are going to have to patch. This will take some time,"
said Lee Weiner, senior vice president with cybersecurity
software maker Rapid7.
OpenSSL technology is used on about two-thirds of all
websites, including ones run by Amazon.com Inc,
Facebook Inc, Google Inc and Yahoo Inc.
It is also incorporated into thousands of technology
products from companies, including Cisco Systems Inc,
Hewlett-Packard Co, IBM, Intel Corp and
Oracle Corp.
The widespread "Heartbleed" bug surfaced in April when it
was disclosed that the flaw potentially exposed users of those
websites and technologies to attack by hackers who could steal
large quantities of data without leaving a trace. That prompted
fear that attackers may have compromised large numbers of
networks without their knowledge.
Security experts said on Thursday that the newly discovered
bugs are more difficult to exploit than "Heartbleed," making
those vulnerabilities less of a threat.
Still, until users of the technology update their systems,
"there is a window of opportunity" for sophisticated hackers to
launch attacks and exploit the newly uncovered vulnerabilities,
said Tal Klein, vice president of strategy with cloud security
firm Adallom.
