The world is about to get another reminder of just how important free open-source projects are that are maintained by a small number of developers on a tiny budget. OpenSSL, the software used by hundreds of thousands of companies to encrypt communications, is set to release a large security patch this week. The OpenSSL team announced that the project plans to release new versions fixing a number of security weaknesses, including some vulnerabilities rated “high” severity.
OpenSSL is deployed by countless organizations, including the world's most popular websites such as Facebook, Google and Yahoo, financial institutions and even U.S. federal government networks. OpenSSL implements Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), the protocols that encrypt traffic between websites and their users so that data in transit cannot be intercepted and read by third parties.
The new set of patches OpenSSL plans to release within the next week will likely have security teams scrambling to update their OpenSSL installations. Once a fix is public, the race is on: attackers hunt for unpatched, still-vulnerable versions and try to abuse them to steal information and breach networks.
The OpenSSL project plans to make the update public on Thursday, March 19, but is staying silent about what the patch fixes. Steve Marquess, a founding partner of the OpenSSL Software Foundation, said the project will share details of the patches in advance with major operating system vendors that ship the software, but with no one else for the time being.
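What the scramble described above looks like in practice is an inventory check: collect `openssl version` output from each host and compare it with the fixed release for that host's branch. The following is an added example for this article, not code from the OpenSSL project. It assumes the fixed version numbers are supplied by the operator from the advisory once it is published; the host names, version strings and fix levels below are constructed placeholders.

```python
"""Check installed OpenSSL versions against the fixed release for each branch.

Added example for this article, not OpenSSL project code. The fix levels
and host inventory below are constructed placeholders; take the real fixed
version numbers from the project's advisory for the release in question.
"""
import re
import ssl

# OpenSSL 1.0.x-era version strings are major.minor.fix plus an optional
# lowercase patch-letter suffix (1.0.1, 1.0.1a ... 1.0.1k; 0.9.8z, 0.9.8za).
# Within one numeric base the suffixes sort lexicographically, with the
# bare release ("") first, so plain string comparison of the suffix works.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letters) from 'OpenSSL 1.0.1k 8 Jan 2015' or '1.0.1k'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def branch_of(version):
    """'OpenSSL 1.0.1k ...' -> '1.0.1'; fixes are issued per branch."""
    return "%d.%d.%d" % parse_version(version)[:3]


def is_patched(installed, fixed):
    """True if `installed` is at or beyond `fixed` on the same release branch.

    Versions from different branches are deliberately not compared: each
    branch gets its own fix release, and '1.0.2 > 1.0.1m' says nothing about
    whether a 1.0.2 host carries the fix.
    """
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst[:3] != fix[:3]:
        raise ValueError("branch mismatch: %s vs %s" % (installed, fixed))
    return inst[3] >= fix[3]


def find_unpatched(inventory, fixed_by_branch):
    """Return sorted (host, version) pairs that still need the update.

    inventory: {host: output of `openssl version`}
    fixed_by_branch: {"1.0.1": "1.0.1m", ...}
    Hosts on a branch with no entry in fixed_by_branch are reported too:
    a host that cannot be verified is treated as unpatched, not ignored.
    """
    unpatched = []
    for host, version in inventory.items():
        fixed = fixed_by_branch.get(branch_of(version))
        if fixed is None or not is_patched(version, fixed):
            unpatched.append((host, version))
    return sorted(unpatched)


def local_runtime_version():
    """Version string of the OpenSSL this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION


# Constructed sample data (hypothetical hosts; fix levels are placeholders).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1k 8 Jan 2015",
    "web-02": "OpenSSL 1.0.1m 19 Mar 2015",
    "lb-01": "OpenSSL 0.9.8zf 19 Mar 2015",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "api-01": "OpenSSL 1.0.2 22 Jan 2015",
}
SAMPLE_FIXED = {"1.0.1": "1.0.1m", "0.9.8": "0.9.8zf"}

if __name__ == "__main__":
    print("this interpreter links:", local_runtime_version())
    for host, version in find_unpatched(SAMPLE_INVENTORY, SAMPLE_FIXED):
        print("needs update or verification:", host, version)
```

Two caveats when using a check like this. The `openssl` command reports the version of the command-line binary, and distributions such as Debian and Red Hat backport security fixes without changing that number, so on those systems the package changelog, not the version string, is the authority. And applications that statically link or bundle their own copy of OpenSSL are invisible to a system-level check and have to be inventoried separately.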
Advance notice helps companies work to protect their customers' data, but it can help attackers as well. Last year cybercriminals were happy to hear of the severe Heartbleed bug, a critical flaw in OpenSSL's TLS heartbeat extension that let anyone read chunks of memory from a vulnerable server, exposing private keys, passwords, session cookies and swaths of other sensitive data held by systems running vulnerable versions of OpenSSL.
In the wake of the Heartbleed bug, many organizations questioned how such a severe vulnerability could have gone undetected in open-source code for so long. Marquess took to his blog to explain, saying the project needs more financial support and stating a scary truth the security community often forgets: much of the Internet runs on free, open-source software maintained by a tiny team on a less than optimal budget.
Marquess went on to say that the mystery is not that the team missed the bug, but why it hasn't happened more often. Marquess said the updates coming tomorrow are the result of the influx of donations the project has received since Heartbleed.
The Heartbleed bug also spawned a new initiative for corporate web giants to help under-funded projects: Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace and VMware all pledged a minimum of $100,000 a year for at least the next three years to the “Core Infrastructure Initiative,” a Linux Foundation executive said, adding that the $3.9 million in funding the initiative receives will be distributed among various free open-source projects.
“We have four people working full-time on OpenSSL doing just what needs to be done, as opposed to working on stuff that brings in revenue,” Marquess said, speaking to KrebsOnSecurity. “We have a lot more manpower resources, and one of the reasons you’re seeing all these bug and vulnerability fixes coming out now is that not only are outsiders looking for problems but we are too. We’re also doing a major overhaul of the source code, in conjunction with what is going to be probably the biggest crypto audit ever.”