OpenSSL may fail to detect forged digital signatures under certain conditions due to an error in the
implementation, a failure to check a certain condition while verifying the RSA signature. The flaw affects all systems that use the OpenSSL library, and in particular servers secured with SSL/TLS and VPNs based on SSL/TLS. OpenSSL versions 0.9.7k and 0.9.8c have eliminated the vulnerability.
The attack is only good against keys with exponent of 3. There are not too many of these around any more but you still run into them occasionally. It depends on an error in verifying the PKCS-1 padding of the signed hash. OpenSSL signatures can be forged - IT Observer
From around the Web
- How to Use Network Behavior Analysis Tools
- Apple updates Safari with 11 security fixes
- Mozilla fixes 11 Firefox flaws, six critical
- Google updates Chrome to third beta
- Firefox 3.1 beta arrives with JavaScript booster turned off
- The insider security threat in IT and financial services
- Windows 7 security: An overall improvement?
- Top 10 Network Security Threats
- Big leap in malicious Web sites
- Network security makes a quantum leap
- What is the Best Internet Browser to Surf the Web?
- Windows 7 UAC could be less of a nag
- Microsoft releases faster Desktop Search 4.0
- Vista users keen on SP1, but XP SP3 not so much
- Windows 7 Details In October, Microsoft Says