Experts said the newly discovered
vulnerabilities in OpenSSL, which could allow hackers to spy on
communications, do not appear to be as serious a threat as "Heartbleed."
The new bugs were disclosed on Thursday as the group responsible
for developing that software released an OpenSSL update that
contains seven security fixes.
Experts said that websites and technology firms that use OpenSSL
technology should install the update on their systems as quickly
as possible. Still, they said that could take several days or
weeks because companies need to first test systems to make sure
they are compatible with the update.
"They are going to have to patch. This will take some time,"
said Lee Weiner, senior vice president with cybersecurity
software maker Rapid7.
OpenSSL technology is used on about two-thirds of all websites,
including ones run by Amazon.com Inc, Facebook Inc, Google Inc
and Yahoo Inc. It is also incorporated into thousands of
technology products from companies, including Cisco Systems Inc,
Hewlett-Packard Co, IBM, Intel Corp and Oracle Corp.
The widespread "Heartbleed" bug surfaced in April when it was
disclosed that the flaw potentially exposed users of those
websites and technologies to attack by hackers who could steal
large quantities of data without leaving a trace. That prompted
fear that attackers may have compromised large numbers of
networks without their knowledge.
Security experts said on Thursday that the newly discovered bugs
are more difficult to exploit than "Heartbleed," making those
vulnerabilities less of a threat.
Still, until users of the technology update their systems,
"there is a window of opportunity" for sophisticated hackers to
launch attacks and exploit the newly uncovered vulnerabilities,
said Tal Klein, vice president of strategy with cloud security
(Editing by Jonathan Oatis)
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.