The nature of the threat

Uncovered by security researcher Masashi Kikuchi earlier in May, the security vulnerability referred to as CVE-2014-0224 allows an attacker to decrypt and modify traffic from the compromised client and server. An advisory on the OpenSSL website states, “An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.”
Below is an interesting illustration used by 9GAG to explain how the bug works:
Threat contained

With so many eyes reviewing OpenSSL, the issue wasn’t expected to last for too long. After discovering the problem and bringing it to light, Kikuchi helped develop a fix for the bug. Stephen Henson of the software’s core team finalized the fix produced by the security researcher before it was made available for download. Although the fix has primarily been developed for versions 1.0.1 and 1.0.1-beta1, users of earlier versions of OpenSSL have also been advised to upgrade as a precaution.
The OpenSSL core team has surely been kept busy this year. However, this is expected when dealing with a piece of software that has grabbed the attention of so many security researchers, who are all keen to make whatever contributions they can to improve its security. This is just the sort of effort and collaboration that is required to fend off the threat of hackers, who also seem to be getting sneakier with every passing day. It remains to be seen how long the likes of OpenSSL will be able to block the path of those intent on gaining access to the private communications of Internet users.