Security researchers discovered a 16-year-old bug and other new vulnerabilities in the commonly used OpenSSL encryption protocol that makes room for hacking and spying on encrypted communications between servers and clients.

Seven vulnerabilities were identified, of which two were considered critical by SANS Internet Storm Center, research says. 

Though these vulnerabilities were apparently not as serious as the Heartbleed bug found in April, the OpenSSL team quickly applied necessary security fixes into it, according to its security advisory.

Masashi Kikuchi of Lepidum Co. Ltd in Japan exposed the first vulnerability in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which he called CCS Injection Vulnerability in a blog post.

What’s alarming is the bug having existed since OpenSSL’s first release. Kikuchi reported the vulnerability on May 1 to the OpenSSL team.

“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem,” Kikuchi points out.

Adam Langley, who is a senior software engineer at Google, says in his personal blog that the earliest version of the OpenSSL was launched in December 1998, which makes the bug over 15 years old.

Regardless of the exact time frame, OpenSSL’s security advisory explained that said vulnerability can be exploited through a Man-in-the-middle (MITM) attack, wherein “the attacker can decrypt and modify traffic from the attacked client and server.” The attack, however, can only be pursued between vulnerable clients and servers.

Clients of OpenSSL are unfortunately vulnerable in all versions of the OpenSSL tool, while servers are vulnerable only in versions 1.0.1 and 1.0.2-beta1. Those users on OpenSSL servers with versions earlier than 1.0.1 should upgrade as precautionary measure.

Stephen Henson, from the OpenSSL core team, created the necessary fix for said vulnerability, which was grounded on an original patch coming from Kikuchi, the security advisory states.

Other vulnerabilities identified were DTLS recursion flaw that can lead to a DoS attack; DTLS invalid fragment vulnerability that can trigger a buffer overrun attack; SSL_Mode_Release_Buffers Null pointer dereference that can permit remote attackers to bring about a denial of service; SSL_Mode_Release_Buffers session injection or denial of service; Anonymous ECDH denial of service; and another issue described in “Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" report.

Even though the new vulnerabilities were not much of a threat as compared to the Heartbleed bug, security experts still advised to update systems so as there’s little room for any attack or exploits.

Since the discovery of the Heartbleed bug in April, security experts have become even more vigilant in looking for any similar threat or vulnerability that may compromise data and privacy. Further research reveals several major companies also have sent out their individual monetary pledges of $100,000 annually in the next three years to support the Core Infrastructure Initiative of the Linux Foundation. Said initiative will, in turn, support critical open-source infrastructure such as the OpenSSL.