New OpenSSL flaw could leave some Android users open to decryption attack

OpenSSL, a technology that’s widely used to encrypt web sessions, has another major vulnerability. It’s not quite as severe as the Heartbleed flaw that got everyone so panicky a couple months back, but it’s serious enough to warrant some urgent patching and it could particularly affect Android(s goog) users.

The new flaw was revealed by the OpenSSL Foundation on Thursday after it was tipped off by researcher Masashi Kikuchi of Japanese security firm Lepidum. It allows so-called man-in-the-middle (MITM) attacks – in other words, if someone can get in between the user and the supposedly secure web service that person is trying to use, the interloper can pose as the web service and intercept, decrypt and manipulate the data being sent, without leaving a trace.

The Heartbleed flaw, by way of comparison, allowed anyone on the internet to tap into the targeted server’s memory in order to scoop up traffic, passwords and what have you. This time round – according to a podcasted interview with Mark Cox of the OpenSSL Foundation and Red Hat(s rht) — the attacker would need to do something like set up a fake Wi-Fi hotspot in a coffee shop, in order to dupe the user.

There are a few other conditions that would be needed for this MITM attack to work. Both the client and the server would need to be vulnerable; the client would be vulnerable in any version of OpenSSL, but the flaw is only known to make servers vulnerable in the relatively recent 1.0.1 and 1.0.2-beta1 versions. And as Cox pointed out in the podcast, OpenSSL isn’t often used in clients – except for in Google’s mobile operating system.

“Android is probably the one which is the biggest risk, because Android uses OpenSSL for its crypto,” Cox noted. That said, there is as yet no indication of this flaw being exploited, and the patches are ready now, both from server Linux vendors including Red Hat(s rhat) and Ubuntu and from the OpenSSL Foundation itself.

OpenSSL is very widely used, and the Heartbleed scare prompted the Linux Foundation and various vendors to put much-needed funding into an audit of the cryptographic software. However, many site administrators still haven’t applied the Heartbleed patch, meaning that vulnerability is still being exploited.