The team of developers responsible for maintaining the widely used encryption software OpenSSL has disclosed that a new “high severity” vulnerability has been found, without yet saying what it is.
OpenSSL is security software used by open source web servers such as Apache and Nginx, which together host around 66% of all the world’s sites.
The backend technology hit the headlines in 2014 when a massive security flaw, codenamed Heartbleed, was uncovered.
The flaw was dangerous because hackers could exploit it to steal data, including data that was supposed to be protected by encryption, from sites and services using OpenSSL.
The nature of the new OpenSSL flaw remains unknown, though the high severity ranking given to it by the project has caused concerns.
The OpenSSL project classifies high severity bugs as “issues affecting common configurations which are also likely to be exploitable [hackable]. Examples include a server denial-of-service, a significant leak of server memory, and remote code execution.”
In non-technical language, this means the bug could be used by hackers for a range of purposes, from basic nuisance attacks that knock websites and services using OpenSSL offline, to installing malware on victims’ systems.
Further details about the vulnerability remain unknown, as OpenSSL doesn’t want to provide hackers with information they could use to exploit the flaw ahead of its July 9 fix.
This isn’t the first major fix released by the OpenSSL Project since Heartbleed. In May, the project released another security update patching 14 vulnerabilities, two of which were also rated high severity.
The news follows hostility from US and UK government departments towards strong encryption tools like OpenSSL.
Earlier in June, James Comey, director of the Federal Bureau of Investigation (FBI), claimed that law enforcement and intelligence agencies need ways to read encrypted traffic if they hope to combat terrorism and crime.