Vague security bulletin is vague

Imagine being told that you're in danger for the next couple of days and that there's nothing you can do about it but sit tight and wait it out. Talk about suckage. Well, that's essentially what the OpenSSL Project just did, though there's a reason behind it. The OpenSSL Project announced plans to plug up several security holes, including one that's classified as "high severity," in a series of updates scheduled for March 19.
Those security updates will be included in several new versions of OpenSSL -- 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf. They'll address a "number of security defects," though if you're wondering what they are, the OpenSSL Project isn't saying. We assume that's to keep black hat hackers in the dark while the group patches whichever vulnerabilities it found.
Nevertheless, it's a bit unnerving to know there's a high severity OpenSSL security hole that will exist for the next couple of days, especially after incidents like Heartbleed caught the Internet at large with its pants around its ankles, and more recently FREAK (Factoring attack on RSA-EXPORT Keys). To say it's been a rough year for OpenSSL is an understatement.
The good news here is that OpenSSL's security should significantly improve over time. Companies like Cisco and IBM, to name just two of several, are funding the Core Infrastructure Initiative, a $2 million per year project dedicated to supporting and auditing open-source projects like OpenSSL.
Image Credit: Flickr (Brian Rinker)
Follow Paul on Google+, Twitter, and Facebook


More...