NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Gird your loins, sysadmins: The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent. (And indeed so it turned out to be - the Poodle vuln. You heard it here first. - Ed)
Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in in the late European evening, or not far from high noon Pacific Time.
Details of the problem are under wraps, purportedly due to the severity of the vulnerability. El Reg cannot confirm whether or not it is indeed a serious bug as we have not received details of the vuln.
To that end, it is unknown what platforms were impacted, but as SSL is very widely used, any flaw will require plenty of urgent attention – and probably be unwelcome news to a tech community already reeling from the recent Shellshock vulnerability in Bash and the Heartbleed flaw.
The SSL flaw won't be the only thing keeping security bods and system administrators busy. A dangerous worm has been discovered exploiting a zero-day flaw (CVE 2014-4114) in all versions of Microsoft Windows and Server 2008 and 2012.
The Register will provide more information on the flaws as we hear more. ®