
The OpenSSL security update story – how can you tell what needs fixing?
2022-11-03 20:44

Windows has its own independently developed and maintained encryption library with the wacky name Cryptography API: Next Generation, so in theory you would not expect to have to worry about OpenSSL on Windows at all.

Dll in its System folder, which is a filename typically associated with OpenSSL. Intriguingly, that one turns out to be a false alarm, because it was compiled from the LibreSSL code, a similar but alternative cryptographic library from the OpenBSD team that is loosely compatible with OpenSSL, but doesn't have these bugs in it.

So.1.1 files over those in the app-specific directories mapping and zerobrane, that might not work well, given that the app might never have been tested with the latest OpenSSL library.

That's not an OpenSSL 1.1.1 or OpenSSL 3.0 DLL, so we wouldn't expect it to have the necessary function to show us its version number.

The OpenSSL code can be statically linked into Windows and Linux/Unix executable files, leaving no obvious.

In theory, you could search binary program files for identifying text strings that typically appear in OpenSSL's code when it's compiled, hoping to find the version number at the same time, but that's an error-prone process so we shan't cover it here.
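As an added example (not code from the original article), here is a minimal sketch of that string search, which also separates OpenSSL banners from LibreSSL ones. It assumes the usual banner shapes "OpenSSL x.y.z" and "LibreSSL x.y.z"; the function names and sample byte strings are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Banner shapes assumed here: "OpenSSL 1.1.1q  5 Jul 2022", "LibreSSL 3.5.3".
BANNER = re.compile(rb"(OpenSSL|LibreSSL) (\d+)\.(\d+)\.(\d+)([a-z]*)")

def find_banners(blob):
    """Return sorted, de-duplicated (library, version) pairs seen in raw bytes."""
    found = set()
    for m in BANNER.finditer(blob):
        lib, major, minor, patch, letter = (g.decode() for g in m.groups())
        found.add((lib, f"{major}.{minor}.{patch}{letter}"))
    return sorted(found)

def summarize(blob):
    """One-line verdict that keeps the error-prone cases visible."""
    banners = find_banners(blob)
    if not banners:
        # Stripped, packed or compressed binaries carry no readable banner.
        return "no banner (stripped, packed or absent: inconclusive)"
    text = ", ".join(f"{lib} {ver}" for lib, ver in banners)
    if len(banners) > 1:
        # More than one banner: a string may come from a message, not the code.
        return "ambiguous, verify by hand: " + text
    return text

def scan_tree(root):
    """Map each readable file under root to the banners found in it."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = find_banners(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if hits:
            results[str(path)] = hits
    return results

# Constructed samples, not taken from real binaries.
SAMPLE_STATIC = b"\x7fELF\x02\x01\x00" + b"\x00OpenSSL 3.0.5 5 Jul 2022\x00" * 2
SAMPLE_LIBRESSL = b"MZ\x90\x00" + b"\x00LibreSSL 3.5.3\x00"
SAMPLE_MIXED = SAMPLE_STATIC + b"built against OpenSSL 1.1.1q  5 Jul 2022\x00"

if __name__ == "__main__":
    for root in sys.argv[1:]:
        for name, hits in scan_tree(root).items():
            print(name, hits)
```

A hit only says the text is present in the file, and a miss says nothing at all, which is why the result should be treated as a lead to confirm rather than an inventory.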


News URL

https://nakedsecurity.sophos.com/2022/11/03/the-openssl-security-update-story-how-can-you-tell-what-needs-fixing/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 2 12 92 51 16 171