Five most dangerous software vulnerabilities in 2014

Source: Internet
Author: User
Tags openssl tls cve

Five most dangerous software vulnerabilities in 2014

Researchers in the security industry are searching for new software vulnerabilities every day, but for a long time there have not been so many vulnerabilities or the scope of their impact as in 2014. Looking back at the end of 2014, one heavyweight vulnerability after another followed by millions of affected devices, and the number of System Administrators and Users was getting crazy.

Several major security vulnerabilities discovered this year have shocked the entire Internet and left the security community alone, because they were not discovered in new software, instead, it was dug out from the old software that has been released for several or even decades. There are several vulnerabilities that can be said to be the tragedy of ordinary users, because after so many people have been using them for so long, people have always thought they are free of vulnerabilities.

"People always think that, software widely used by large companies with a lot of security budgets must have been checked many times. Everyone wants to be lazy and hopes that others will do the inspection work, as a result, no one has completed all the security checks."

He said that the major vulnerabilities found in the most commonly used tools this year indicate that hackers have begun to search for vulnerabilities that have been ignored for a long time in old software. In many cases, this will have astonishing consequences. Now let's talk about the security vulnerabilities that were rampant in communities and global networks in 2014.

Heartbleed

When the encryption software fails, the worst result is that some information may be leaked. However, when the heartbleed vulnerability is exploited by hackers, the consequences are much more serious.

When the heartbleed vulnerability was first exposed in April this year, hackers can use it to launch attacks on 2/3 of network servers around the world. Those servers use the open source software OpenSSL, And the heartbleed vulnerability exists in the software. With this vulnerability, hackers can not only crack the encrypted information, but also extract random data from the memory. In other words, hackers can exploit this vulnerability to directly steal passwords, private keys, and other sensitive user data of target users.

Google's (microblogging) engineer, Neal Mehta, and Codenomicon, the security company that found the vulnerability, developed the corresponding patch, even after the system administrator installed the patch, the user is still not sure whether their password is stolen. Therefore, the heartbleed vulnerability has contributed to the largest password change operation in history.

Even today, vulnerabilities in OpenSSL on many devices have not been completed. John Matherly, inventor of Shodan's scanning tool software, found that 0.3 million servers are still not installed with heartbleed patches, many of these devices may be so-called "embedded devices", such as network cameras, printers, storage servers, routers, and firewalls.

OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)

Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed in half an hour in Debian

OpenSSL "heartbleed" Security Vulnerability

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

OpenSSL Heartbleed vulnerability upgrade method

Shellshock

 

The vulnerabilities in OpenSSL software have existed for more than two years, but one of the Unix "entry subroutine" features has the longest vulnerability, it has been detected for at least 25 years. Any Linux or Mac server installed with this shell tool may be attacked.

As a result, after the US computer emergency response team announced the vulnerability in September, tens of thousands of machines were under DoS attacks from malware in less than a few hours. However, the disaster did not end. The patch released by the US computer emergency response team was soon discovered to have a vulnerability. The first security researcher to scan the Internet to find vulnerable Shellshock devices, Robert David Graham, said the vulnerability was worse than a heartbleed vulnerability.

Gitlab-shell is affected by Bash CVE-2014-6271 Vulnerability

Linux security vulnerability exposure Bash is more serious than heartbleed

The solution is to upgrade Bash. Please refer to this article.

Bash remote parsing command execution vulnerability Test Method

Bash vulnerability latest patch installation tutorial [Download]

Shellshock

POODLE

Just six months after the heartbleed vulnerability struck the world's encryption server, Google's researchers discovered another encryption vulnerability. This vulnerability is located at the other end of Security Software Protection: PCs and mobile phones connected to those servers.

The POODLE vulnerability in SSL 3.0 allows attackers to hijack user sessions and steal all data transmitted between users' computers and encrypted online services. Unlike the heartbleed vulnerability, a hacker can use the POODLE vulnerability to initiate an attack on the same network as the target. This vulnerability threatens users who open the Wi-Fi network, for example, Starbucks customers.

Gotofail

The heartbleed and Shellshock vulnerabilities have shaken the security community so that people may forget the most important vulnerability Gotofail discovered in 2014. The Gotofail vulnerability only affects Apple users.

On June 18, February this year, Apple announced that users' encrypted network data may be intercepted by others on the same local network, this is mainly because of an error in the "transfer" command in the software code that manages OSX and iOS to execute SSL and TLS encryption.

Unfortunately, apple only released a patch for iOS instead of OSX. That is to say, Apple's announcement of this vulnerability completely puts its desktop computer users under attack at any time. This mistake even aroused the company's own previous security engineer to send a blog article to kill it.

Christin Paget wrote: "didn't you think of other platforms when you release SSL patches to one of your platforms? When I was using my Mac, I was always under attack, and now I still have to watch and do nothing. What the fuck are you doing, cute apple ??!?!!"

BadUSB

 

The most sinister attack discovered in 2014 did not rely on any security vulnerabilities in any software, so it cannot be repaired through patches. This attack was first demonstrated by Google researcher Karsten Nohl at the Black Hat Security Conference in September. It relied on an insecure factor inherent in USB devices.

Because the firmware of a USB device can be rewritten, hackers can write malicious software to intrude into the USB controller chip, rather than the flash memory that security software typically scans during virus detection. For example, a USB flash drive may contain a malicious file that cannot be detected by security software. It will destroy files on the USB flash drive or simulate keyboard operations, and quietly inject various commands into your machine.

About half of the USB chips can be rewritten, so half of the USB devices will be attacked by BadUSB. However, USB equipment vendors have not published which chip they are using and often change vendors. Therefore, users cannot know which devices will be attacked by BadUSB.

Noor says the only way to protect against this attack is to use USB devices as "disposable syringes" and never share them with others or insert them into untrusted machines.

Noor believes that this attack method will cause serious consequences, so he refused to disclose the corresponding verification concept code. But a month later, another group of researchers published their own reverse-derived attack code, forcing chip vendors to solve the problem. It is hard to say whether someone has used the code to launch an attack, which means that the numerous USB devices used by people around the world are no longer safe.

This article permanently updates the link address:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.