A fix for the bugs has been released, but it could take weeks for companies to patch their systems

New holes found in Heartbleed encryption software

New holes have been found in the encryption software at the centre of the Heartbleed vulnerability revealed earlier this year.

Security researchers said the newly discovered vulnerabilities in OpenSSL, which could allow hackers to spy on communications, do not appear to be as serious a threat as Heartbleed, but advised websites and technology firms using the technology to install a fix on their systems as quickly as possible.

The six new bugs were disclosed yesterday as The OpenSSL Project, the group responsible for developing the software, released an OpenSSL update that contains security fixes.

But experts said it could take several days or weeks before organisations are free of the vulnerability because they need to first test systems to make sure they are compatible with the update.

"They are going to have to patch. This will take some time," said Lee Weiner, senior vice president with cyber-security software maker Rapid7.

OpenSSL technology is used on about two-thirds of all websites, including ones run by Amazon.com, Facebook, Google and Yahoo. It is also incorporated into thousands of technology products from companies, including Cisco Systems, Hewlett-Packard, IBM, Intel and Oracle.

The widespread Heartbleed bug surfaced in April when it was disclosed that the flaw potentially exposed users of those websites and technologies to attack by hackers who could steal large quantities of data without leaving a trace. That prompted fear that attackers may have compromised large numbers of networks without their knowledge.

Security experts said yesterday that the newly discovered bugs are more difficult to exploit than Heartbleed, making those vulnerabilities less of a threat.

Still, until users of the technology update their systems, "there is a window of opportunity" for sophisticated hackers to launch attacks and exploit the newly uncovered vulnerabilities, said Tal Klein, vice president of strategy with cloud security firm Adallom.

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them