The 5 Most Dangerous Software Bugs of 2014

Dealing with the discovery of new software flaws, even those that leave users open to serious security exploits, has long been a part of everyday life online. But few years have seen quite so many bugs, or ones quite so massive. Throughout 2014, one Mothra-sized megabug after another sent systems administrators and users scrambling to remediate security crises that affected millions of machines.

Several of the bugs that shook the Internet this year blindsided the security community in part because they weren't found in new software, the usual place to find hackable flaws. Instead, they were often in code that's years or even decades old. In several cases the phenomenon was a kind of perverse tragedy of the commons: major vulnerabilities in software used for so long by so many people that it was assumed it had long ago been audited for vulnerabilities.

"The sentiment was that if something is so widely deployed by companies that have huge security budgets, it must have been checked a million times before," says Karsten Nohl, a Berlin-based security researcher with SR Labs who has repeatedly found critical bugs in major software. "Everyone was relying on someone else to do the testing."

Each of those major bug finds in commonly used tools, he says, inspired more hackers to start combing through legacy code for more long-dormant flaws. And in many cases, the results were chilling. Here's a look at the biggest hacker exploits that spread through the research community and the world's networks in 2014.

Heartbleed

When encryption software fails, the worst that usually happens is that some communications are left vulnerable. What makes the hacker exploit known as Heartbleed so dangerous is that it goes further. When Heartbleed was first exposed in April, it allowed a hacker to attack any of the two-thirds of Web servers that used the open source software OpenSSL and not merely strip its encryption, but force it to cough up random data from its memory. That could allow the direct theft of passwords, private cryptographic keys, and other sensitive user data. Even after systems administrators implemented the patch created by Google engineer Neal Mehta and the security firm Codenomicon, who together discovered the flaw, users couldn't be sure that their passwords hadn't been stolen. As a result, Heartbleed also required one of the biggest mass password resets of all time.

Even today, many vulnerable OpenSSL devices still haven't been patched: an analysis by John Matherly, the creator of the scanning tool Shodan, found that 300,000 machines remain unpatched. Many of them are likely so-called embedded devices such as webcams, printers, storage servers, routers and firewalls.

Shellshock

The flaw in OpenSSL that made Heartbleed possible existed for more than two years. But the bug in Unix's bash shell may win the prize for the oldest megabug to plague the world's computers: it went undiscovered, at least in public, for 25 years. Any Linux or Mac server that included that shell tool could be tricked into obeying commands sent after a certain series of characters in an HTTP request. The result, within hours of the bug being revealed by the US Computer Emergency Readiness Team in September, was that thousands of machines were infected with malware that made them part of botnets used for denial of service attacks. And if that weren't enough of a security debacle, US-CERT's initial patch was quickly found to have a bug itself that allowed it to be circumvented. Security researcher Robert David Graham, who first scanned the Internet to find vulnerable Shellshock devices, called it "slightly worse than Heartbleed."

POODLE
