OpenSSL Vulnerability Not 'Critical' Anymore
Much-anticipated vulnerabilities in an open source cryptography library used for digital certificates aren't as dire as feared, with the open source foundation behind the application downgrading their severity from "critical" to "high."
The last time the OpenSSL team, which maintains an application ubiquitous in connected devices for encrypting and decrypting data as it travels across networks, announced a critical patch, it was in 2014 and the vulnerability was Heartbleed.
Security teams primed for a slog of emergency patching today instead are reacting with relief. "I don't think we'll be doing overtime this afternoon," said Chester Wisniewski, Sophos principal research scientist. OpenSSL warned last Tuesday that it would issue a critical patch today. Major web browsers including Google's Chrome and the Mozilla Foundation's Firefox stopped using OpenSSL after Heartbleed, with Google migrating to a fork it dubbed BoringSSL. Other versions of SSL appear unaffected.