With nearly 15,000 new vulnerabilities discovered in 2017, and even more expected this year – the competition for ‘worst vulnerability’ is a tough one to judge. The discovery of serious, severe or even critical vulnerabilities is a daily occurrence – and thus ranking them by level of infamy is an elusive challenge.
By way of example, this past June a severe vulnerability in Google Chrome, Mozilla Firefox and Microsoft Edge was discovered by a Google developer. The latest exploitation did not gain too much coverage despite its magnitude. Why? We suspect it’s due to the growing trend of ‘yet another exploitation is discovered.’ Let’s call it exploitation fatigue, or cyber breach overload… Fatigue, overload or whatever we call it, we can’t ignore the fact that recent years have seen the notable exploitation of a number of well-known vulnerabilities, some of which have been catastrophic for large organizations.
Here are what we consider to be the Top 7, listed from most recent to oldest. Were you able to remediate these in time? Consider yourself lucky.
1. DROWN – 2018
This is a newly-discovered vulnerability that also involves SSL/TLS. DROWN is short for “Decrypting RSA with Obsolete and Weakened eNcryption,” which might sound a little boring, but the damage it causes can be catastrophic. DROWN allows attackers to force some web servers to use an older, purposefully less secure version of SSL/TLS. By doing so, the attacker can more easily decrypt the older and weaker encryption and read the data captured in a classic man-in-the-middle (MITM) attack.
The DROWN attacks “…are the best natural experiment we have about the long-term damage to security that can come from deliberately weakening cryptography,” according to Nadia Heninger, a member of the DROWN attack research team and an assistant professor of computer and information science at the University of Pennsylvania.
2. EternalBlue – 2017
It’s not always the bad guys and security companies looking for vulnerabilities. Our second most recent vulnerability on this list, EternalBlue, came to public attention in early 2017. The name refers both to the vulnerability in Microsoft Windows and to the exploit for it developed by the National Security Agency. This exploit was leaked by a group of hackers known as the Shadow Brokers, and became the basis for the notorious WannaCry and NotPetya ransomware attacks in 2017.
EternalBlue exploits a vulnerability in a Windows transport protocol known as Windows Server Message Block. This protocol lets Windows-based machines communicate with each other and with various connected devices. By controlling the protocol, attackers who exploit EternalBlue can effectively control any devices or computers connected to the targeted network.
3. Heartbleed – 2014
Heartbleed was the name given to a critical vulnerability found in the OpenSSL cryptographic software library, which allowed attackers to steal information protected by SSL/TLS encryption. Although this is not the origin of the bug’s name (it was named after the fatally-flawed “Heartbeat” patch to OpenSSL), Heartbleed literally struck at the heart of online commerce and communications – the security of information transferred between a client computer and a web server. SSL/TLS is used to secure everything – email, instant messaging, websites, and even some VPNs.
By compromising the secret keys that form the basis of SSL encryption, Heartbleed essentially allowed anyone to access and read systems protected by compromised versions of OpenSSL. From 2012 (when the flawed patch was implemented) until 2014 (when the bug was made public), Heartbleed enabled attackers to steal data from servers, impersonate users or services, and listen in on private communications.
How bad was Heartbleed? ZDNet called it one of the worst vulnerabilities ever exploited and noted that “The pervasiveness of technology and our reliance on encryption, and SSL/TLS in particular, makes us sitting ducks for Heartbleed attackers, if there are any out there. On top of that, Heartbleed is a partly zero-day vulnerability; when the news broke, the fixes were in process, but far from complete.”
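The defect behind Heartbleed, shown here as an added example that is not from the original post and is not OpenSSL’s code: a simplified TLS heartbeat echo handler in its vulnerable form beside the hardened form, using the message layout from RFC 6520. The 128-byte arena, the “ping” payload, the claimed 64-byte length and the SECRET-KEY-BYTES string are constructed for the demonstration so that the over-read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat body per RFC 6520: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HDR 3
#define HB_PAD 16
#define PLEN(rec) ((size_t)(((rec)[1] << 8) | (rec)[2]))

/* Vulnerable echo (simplified, not OpenSSL's code): trusts the peer's payload_length and copies
 * that many bytes back no matter how many bytes actually arrived (rec_len). */
static int hb_echo_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HDR || HB_HDR + PLEN(rec) > cap) return -1; /* cap check only guards our arena */
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];     /* type = response, length echoed unchanged */
    memcpy(out + HB_HDR, rec + HB_HDR, PLEN(rec));    /* over-reads whenever PLEN > rec_len - HB_HDR */
    return (int)(HB_HDR + PLEN(rec));
}

/* Hardened echo: payload plus minimum padding must fit inside the bytes actually received;
 * anything else is silently discarded, which is what the fix does. */
static int hb_echo_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < HB_HDR + HB_PAD || HB_HDR + PLEN(rec) + HB_PAD > rec_len) return -1;
    if (HB_HDR + PLEN(rec) > cap) return -1;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, PLEN(rec));
    return (int)(HB_HDR + PLEN(rec));
}

/* Constructed scenario: a 4-byte "ping" heartbeat claiming a 64-byte payload, followed in the same
 * buffer by data the peer must never see. Returns the handler's result and sets *leaked to 1 if
 * the secret appears in the echoed bytes. */
static int run_heartbeat(int (*h)(const uint8_t *, size_t, uint8_t *, size_t), int *leaked) {
    static const char secret[] = "SECRET-KEY-BYTES";
    uint8_t arena[128] = {0}, out[128] = {0};
    size_t rec_len = HB_HDR + 4 + HB_PAD;               /* 23 bytes really arrived */
    arena[0] = 1; arena[1] = 0; arena[2] = 64;          /* request, payload_length = 64 (a lie) */
    memcpy(arena + HB_HDR, "ping", 4);
    memcpy(arena + rec_len, secret, sizeof secret - 1); /* adjacent memory just past the record */
    int n = h(arena, rec_len, out, sizeof out);
    *leaked = 0;
    for (int i = 0; n > 0 && i + (int)(sizeof secret - 1) <= n; i++)
        if (memcmp(out + i, secret, sizeof secret - 1) == 0) *leaked = 1;
    return n;
}

int main(void) {
    int l1, l2, n1 = run_heartbeat(hb_echo_vulnerable, &l1), n2 = run_heartbeat(hb_echo_fixed, &l2);
    printf("vulnerable: echoed %d bytes, leaked=%d\nfixed: result %d, leaked=%d\n", n1, l1, n2, l2);
}
```

The vulnerable handler echoes 67 bytes, 16 of which are the adjacent secret; the hardened handler returns -1 and echoes nothing.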
4. Shellshock – 2014
The Shellshock vulnerability affected nearly all versions of Linux and Unix, as well as Mac OS X (which is based on Unix), and enabled potential attackers to gain complete control over targeted computers and Linux-based routers with CGI-based web interfaces.
More specifically, Shellshock affected Bash, a commonly-used command language interpreter for Unix-based systems. Bash can also be controlled by applications that pass it commands, and the vulnerability enables attackers to append extra parameters to these commands, effectively forcing the server to run malicious code.
5. POODLE – 2014
POODLE is short for “Padding Oracle on Downgraded Legacy Encryption,” and was a man-in-the-middle exploit that took advantage – similar to Heartbleed – of a flaw in the SSL/TLS protocols. Like Heartbleed, this vulnerability potentially allowed attackers to completely compromise information transferred between a client computer and a web server – instant messaging, email, websites, and VPNs.
Thankfully, POODLE primarily targeted users of public Internet networks. “This attack is really against clients—you have to worry about it if you’re in a place like Starbucks…If you’re at home there’s probably no one man-in-the-middling you except the NSA. So as a home user, you don’t need to panic,” noted Rob Graham, CEO of Erratasec.
6. TimThumb – 2014
This vulnerability affected WordPress, which is today one of the leading Content Management Systems (CMS) in the world, with over 75 million users. This critical vulnerability was discovered in a well-known image resizing tool called TimThumb used by thousands of WordPress plugins and themes. The exploit allowed attackers to execute commands on a WordPress-powered website – creating, removing, or modifying any files on the server with a simple command.
7. Kaminsky DNS Bug – 2008
Named after the security researcher who discovered it, this massive vulnerability affected almost every DNS server in the world. The vulnerability enabled would-be attackers to easily redirect visitors from legitimate websites to sites infected with malicious code or hijack almost any email account.
Caused by a design flaw, the Kaminsky DNS Bug enabled arbitrary DNS cache poisoning, also known as DNS spoofing, on a previously unimagined scale. DNS spoofing is when a hacker manages to introduce corrupt Domain Name System data into a DNS cache, causing traffic to the domain being spoofed to be diverted to an IP address of the attacker’s choosing.
The Bottom Line
Disclosed vulnerabilities have been around for over a decade and the cost of data breaches and the effort to remediate them has doubled in recent years. Costs will continue to rise as the task becomes increasingly harder to address both in terms of the sheer number of vulnerabilities and the number of attackers. We won’t mince words – the vulnerability business is definitely not going away.