The CCS Injection Vulnerability
The CCS Injection Vulnerability was discovered in June 2014. According to a security advisory issued by Zimbra "an attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server".
The important thing to note about the CCS Injection Vulnerability is that is requires both the server and the client to be running versions of OpenSSL that have not been patched against the vulnerability. So, if either party involved in the SSL/TLS-encrypted data exchange has been patched against the vulnerability then the flaw cannot be exploited.
In that sense, while a significant issue, its impact is not likely to be a great as Heartbleed's.
How do you know if you're Vulnerable?
Any system that is using an unpatched version of OpenSSL is vulnerable to Heartbleed and the CCS Injection Vulnerability.
A fix for Heartbleed was issued on the same day that it was made public. The patched version is designated 1.0.1g.
One of the challenges that you're faced with when looking at Heartbleed and the CCS Injection Vulnerability is understanding where your points of weakness really are.
If you have developed or deployed your own systems using OpenSSL then you need to patch them. Third party applications and some operating systems are also vulnerable.
As well as reviewing your internal systems, it's critical that you check all of your key service providers.
By now, most major SaaS providers have updated their systems. But carrying out thorough due diligence means checking more than just paperwork.
You should carry out your own testing of external providers.
There's a handy detection tool, created by Trend Micro, so you can test your service providers for Heartbleed vulnerability.
Although end user systems weren't the primary focus of Heartbleed that doesn't mean they weren't vulnerable. Systems running Windows aren’t affected as they don’t use OpenSSL. Apple's OS X was similarly unaffected but for different reasons. Although OS X, which is based on Unix, uses OpenSSL, it uses version 0.9.8 rather than the vulnerable 1.0.1.
Android devices running 4.1.1 carry the Heartbleed flaw unless they've been specifically patched. Lacoon Mobile security has produced a video showing what it looks like when Heartbleed is exploited on an affected Android device.