Researchers have found a way to defeat the certificate verification in OpenSSL, the software used by many VPNs and web servers, using forged certificates.
The vulnerability affects a specific set of cryptographic X.509 keys known as PKCS #1 v1, and could allow an attacker to have a forged certificate accepted as genuine, compromising an unpatched system.
Versions of the software from 0.9.7j to 0.9.8b are said to be at risk, and the open source project has recommended that anyone using the software should update it immediately.
"Implementations may incorrectly verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature," the advisory warns.
Source: Techworld.com - Crypto flaw found in OpenSSL
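To illustrate the check the advisory refers to, here is an added Python model (not code from the article or from OpenSSL) of a PKCS #1 v1.5 signature verifier in a lax and a strict form. It operates on the already-computed RSA exponentiation result, so no keys are involved; it assumes a SHA-1 DigestInfo, a 128-byte modulus, and constructed inputs, and it simplifies OpenSSL's real ASN.1 handling to the single point the advisory makes: bytes after the DigestInfo must not be ignored.

```python
import hashlib

# DER prefix of a SHA-1 DigestInfo: SEQUENCE { OID 1.3.14.3.2.26, NULL }
SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")

def encode_em(msg, k):
    """Build a well-formed k-byte PKCS #1 v1.5 encoded message for msg."""
    digest = hashlib.sha1(msg).digest()
    inner = SHA1_ALGID + b"\x04\x14" + digest
    digest_info = b"\x30" + bytes([len(inner)]) + inner
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info

def _parse(em):
    """Check the 00 01 FF..FF 00 framing and parse the DigestInfo that follows.
    Returns (hash, bytes_consumed_by_digest_info, bytes_after_padding) or None."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return None
    t = em[i + 1:]
    if len(t) < 2 or t[0] != 0x30:
        return None
    body = t[2:2 + t[1]]
    if len(body) != t[1] or not body.startswith(SHA1_ALGID):
        return None
    rest = body[len(SHA1_ALGID):]
    if len(rest) != 22 or rest[:2] != b"\x04\x14":
        return None
    return rest[2:], 2 + t[1], len(t)

def verify_lax(em, msg):
    """Vulnerable pattern: ignores whatever follows the DigestInfo."""
    p = _parse(em)
    return p is not None and p[0] == hashlib.sha1(msg).digest()

def verify_strict(em, msg):
    """Fixed pattern: the DigestInfo must end exactly where the message ends."""
    p = _parse(em)
    return p is not None and p[1] == p[2] and p[0] == hashlib.sha1(msg).digest()

# Constructed inputs for a 1024-bit modulus (k = 128): a correct encoding, and one
# whose padding is 16 bytes shorter with 16 uninspected bytes after the DigestInfo.
MSG = b"tbsCertificate bytes (constructed)"
GOOD_EM = encode_em(MSG, 128)
_DI = GOOD_EM[GOOD_EM.index(b"\x00\x30") + 1:]
EXCESS_EM = b"\x00\x01" + b"\xff" * (128 - len(_DI) - 19) + b"\x00" + _DI + b"\x00" * 16
```

Both verifiers accept GOOD_EM; only verify_lax accepts EXCESS_EM, which is the gap the advisory tells implementers to close by rejecting any encoded message the DigestInfo does not fill completely.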