AVG reveals yet another OpenSSL security flaw
OpenSSL, which runs on the servers for many websites, has been having a rough time in recent weeks. We all learned of the near fatal flaw named Heartbleed, which affected quite a number companies and services on the web.
Now a new, albeit less severe, flaw has been discovered. Security researchers at AVG have unveiled what they are calling CCS Injection, which the company terms a vulnerability, but points out that it is not easily taken advantage of.
"This new vulnerability requires complex effort for an attacker to successfully take advantage of the vulnerability. An attacker must intercept the connection between a client and a server, both of which need to be using the vulnerable version, and start what is referred to as a ‘Man in the Middle’ attack. In basic terms, the cybercriminal needs both to intercept you and the server you are connected to, and both parties have to have the vulnerability", says AVG's Tony Anscombe.
Given that most people are using a commercial browser, such as Chrome, Firefox or Internet Explorer, the majority of users are safe -- these browsers do not utilize OpenSSL, meaning they are not vulnerable to the attack.
However, AVG has still issued a security advisory, stating "Our advice to users is to not transfer critical information until you have confirmed that the issue has been fixed on the server you need to communicate with".