Cybersecurity researchers exposed new bugs on Thursday related to the Heartbleed threat that left Internet users' passwords and other valuable information vulnerable to hackers.
The newly discovered weaknesses in the Internet encryption software OpenSSL include flaws that allow hackers to spy on encrypted connections. Using what’s known as a “man-in-the-middle” attack, hackers can make independent connections with each victim and relay messages between them, leading the victims to believe they’re talking directly to each other over a private connection.
The good news for business owners is that the threat from these bugs is thought to be less serious than Heartbleed itself, and non-OpenSSL clients such as Internet Explorer, Firefox, Chrome on Desktop and iOS are not affected.
Still, security experts remain on high alert about the many applications that do run OpenSSL. Among other applications, vulnerable platforms include email clients, mobile applications, VPN clients, operating systems and routers.
This man-in-the-middle vulnerability "affects all client applications and devices that run OpenSSL when communicating to vulnerable servers," Nicholas Percoco, vice president of strategic services at vulnerability management firm Rapid7, told The Register. "This likely contains the majority of systems on the Internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year."
If your company’s site uses OpenSSL, you can protect your software by updating to the newest versions.