Heartbleed has been giving developers and programmers headaches ever since it appeared this spring. The bug doesn't let OpenSSL catch a break, and it keeps opening vulnerabilities in all versions (0.9.8, 1.0.0, 1.0.1 and 1.0.2).
CCS Injection is one of the worst in the Heartbleed suite of bugs, and the OpenSSL team considers it extremely serious. Updated versions of OpenSSL were published today and some vulnerabilities were patched. The first three versions were patched; the 1.0.2 beta release is currently still vulnerable and has not received an update.
Any user who has this Heartbleed bug is advised to upgrade their device as soon as possible to avoid further annoyance.
CCS Injection is a serious bug in OpenSSL's ChangeCipherSpec processing that lets malicious intermediate nodes intercept encrypted data and decrypt it. It forces SSL clients to use weaker keys, which are then exposed to malicious tools and nodes. It can be used to tamper with content and authentication information sent over encrypted communication such as web browsing, VPN or e-mail. When users communicate with vulnerable clients and servers, attackers can falsify those communications. Attackers can hijack an authenticated session, although they cannot steal private keys unless a user transferred their private keys over a path protected by SSL or TLS.
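
The weak keys come from a ChangeCipherSpec record being accepted before the handshake has established key material, so a defender can look for that ordering in captured handshake bytes. The following is an added example, not code from the original article or from OpenSSL: the function names, the `resumed` flag and the byte streams are constructed for illustration, and it assumes handshake messages are not fragmented across records.

```python
import struct

HANDSHAKE, CCS = 22, 20                      # TLS record content types
SERVER_HELLO, CLIENT_KEY_EXCHANGE = 2, 16    # handshake message types

def records(stream):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, payload
        pos += 5 + length

def handshake_types(payload):
    """Yield the message types carried in one cleartext handshake record."""
    pos = 0
    while pos + 4 <= len(payload):
        yield payload[pos]
        pos += 4 + int.from_bytes(payload[pos + 1:pos + 4], "big")

def early_ccs(stream, resumed=False):
    """True if the first ChangeCipherSpec arrives before key material exists.

    Full handshake: ClientKeyExchange must come first. Resumed session
    (assumption: the caller knows this): ServerHello is enough.
    """
    needed = SERVER_HELLO if resumed else CLIENT_KEY_EXCHANGE
    seen = set()
    for ctype, payload in records(stream):
        if ctype == HANDSHAKE:
            seen.update(handshake_types(payload))
        elif ctype == CCS:
            # Records after the first CCS are encrypted, so decide here.
            return needed not in seen
    return False

# Constructed sample data: empty-bodied messages, record version 0x0303.
def rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def hs(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

NORMAL = rec(22, hs(1)) + rec(22, hs(2) + hs(11) + hs(14)) + rec(22, hs(16)) + rec(20, b"\x01")
OUT_OF_ORDER = rec(22, hs(1)) + rec(22, hs(2)) + rec(20, b"\x01") + rec(22, hs(11) + hs(14))
```

The same record order is legitimate in a resumed session, which is why the check takes the `resumed` flag instead of flagging every ChangeCipherSpec that follows a ServerHello.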