Discovering new software flaws, even ones that leave users exposed to serious security breaches, has long been a part of everyday life online. But few years have seen so many bugs, or such massive ones. Throughout 2014, one Mothra-sized megabug after another sent system administrators and users scrambling to address security crises that plagued millions of machines.
Several of the bugs that rocked the internet this year blindsided the security community in part because they weren’t found in new software, the usual place to look for hackable vulnerabilities. Instead, they were often in code that was years or even decades old. In many cases the phenomenon was a kind of perverse tragedy of the commons: major vulnerabilities in software that had been used for so long, by so many people, that everyone assumed it had long since been audited.
“The feeling was that if something is so widely deployed by companies that have huge security budgets, it must have been verified a million times before,” says Karsten Nohl, a Berlin-based security researcher with SR Labs, which has repeatedly found critical bugs in major software. “Everyone was relying on someone else to do the tests.”
Each of these major bugs in commonly used tools, he says, has inspired more hackers to start combing through legacy code for long-dormant vulnerabilities. And in many cases, the results have been frightening. Here’s a look at some of the biggest bugs and exploits that swept through the research community and global networks in 2014.
When encryption software fails, the worst that usually happens is that some communications that should have been protected can be read by an eavesdropper. What makes the bug known as Heartbleed (CVE-2014-0160) so dangerous is that it goes further. When Heartbleed was disclosed in April, it allowed an attacker to hit any vulnerable server among the two-thirds of the web that ran the open source OpenSSL library (the affected versions were 1.0.1 through 1.0.1f) and not only strip away its encryption but force the server to cough up chunks of its own memory: a heartbeat request with a forged length field returned up to 64 KB of whatever lay beyond the request in the process, with nothing recorded in the server’s logs. Those chunks could contain passwords, private cryptographic keys and other sensitive user data. Even after system administrators applied the patch that followed the flaw’s discovery by Google engineer Neel Mehta and the security firm Codenomicon, who found it independently of each other, users couldn’t be sure their passwords hadn’t already been stolen. As a result, Heartbleed also required one of the largest mass password resets of all time.
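The length-check failure behind Heartbleed, as an added example in C that is not part of the original article and is not OpenSSL’s code: it models the TLS heartbeat record (type byte, two-byte payload length, payload, padding) and puts the vulnerable responder, which trusts the peer’s length field, beside the fixed one, which rejects any record whose advertised payload does not fit in the bytes that actually arrived. The 256-byte `process_memory` array, the secret placed behind the record and the helper names are assumptions for the demo; keeping the over-read inside one array makes it well-defined rather than real undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* heartbeat records carry at least 16 padding bytes */

/* Constructed "process memory" (an assumption for the demo, not an OpenSSL
 * buffer): the received record sits at the front, followed by a secret. */
static unsigned char process_memory[256];
static const char SECRET[] = "-----BEGIN PRIVATE KEY-----";

/* Write [type][len:2 big-endian][payload][padding] carrying `actual_len`
 * payload bytes but advertising `claimed_len`. Returns the wire length. */
static size_t build_heartbeat(unsigned char *buf, const char *payload,
                              size_t actual_len, uint16_t claimed_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

static int write_response(const unsigned char *rec, uint16_t payload,
                          unsigned char *out, size_t out_cap)
{
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* copies `payload` bytes, wherever they are */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Vulnerable responder: trusts the peer's length field; rec_len is ignored. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    (void)rec_len;
    if (rec[0] != HB_REQUEST) return -1;
    return write_response(rec, (uint16_t)((rec[1] << 8) | rec[2]), out, out_cap);
}

/* Fixed responder: the bounds check OpenSSL 1.0.1g added, restated here.
 * Header + advertised payload + padding must fit in the record that arrived. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1; /* silently drop */
    return write_response(rec, payload, out, out_cap);
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Stage the attack: 4-byte "ping" advertised as 64 bytes, secret right behind it. */
static size_t stage_attack(void)
{
    memset(process_memory, 0, sizeof process_memory);
    size_t rec_len = build_heartbeat(process_memory, "ping", 4, 64);   /* 23 bytes */
    memcpy(process_memory + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* 1 if the vulnerable responder echoes the secret back to the peer. */
int heartbleed_leaks_secret(void)
{
    unsigned char resp[128];
    size_t rec_len = stage_attack();
    int n = heartbeat_vulnerable(process_memory, rec_len, resp, sizeof resp);
    return n > 0 && contains(resp, (size_t)n, SECRET);
}

/* 1 if the fixed responder drops that same malformed record. */
int heartbleed_fixed_rejects(void)
{
    unsigned char resp[128];
    size_t rec_len = stage_attack();
    return heartbeat_fixed(process_memory, rec_len, resp, sizeof resp) == -1;
}

/* 1 if an honest heartbeat (advertised length is real) is still echoed after the fix. */
int heartbeat_fixed_echoes_honest_request(void)
{
    unsigned char rec[64], resp[128];
    size_t rec_len = build_heartbeat(rec, "ping", 4, 4);
    int n = heartbeat_fixed(rec, rec_len, resp, sizeof resp);
    return n == (int)rec_len && memcmp(resp + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d, fixed rejects: %d, fixed echoes honest: %d\n",
           heartbleed_leaks_secret(), heartbleed_fixed_rejects(),
           heartbeat_fixed_echoes_honest_request());
    return 0;
}
```

The attacker-controlled 16-bit length field is why a single request could pull up to 64 KB, and why the fix is a comparison against the record length rather than any change to the copy itself; `heartbleed_leaks_secret` returns 1 on the vulnerable path and `heartbleed_fixed_rejects` returns 1 on the patched one.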
Even today, many vulnerable OpenSSL installations still have not been patched: an analysis by John Matherly, creator of the Shodan search engine for internet-connected devices, found 300,000 machines that were still unpatched. Many of them are probably embedded devices such as webcams, printers, storage servers, routers and firewalls, where replacing OpenSSL means a firmware update the vendor may never ship.
The OpenSSL flaw behind Heartbleed had existed for just over two years. But the bug in the Unix shell bash, known as Shellshock (CVE-2014-6271), could win the prize for the oldest megabug to infest the world’s computers: it went undiscovered, at least publicly, for 25 years. Vulnerable versions of bash parsed function definitions out of environment variables on startup and kept executing whatever commands followed the closing brace, so any Linux or Mac server that passed attacker-controlled input to bash through the environment, most commonly a web server handing HTTP request headers to a CGI script, could be tricked into running commands sent after a particular string of characters in the request. The result, within hours of the bug’s public disclosure in September, which US-CERT amplified with an alert, was that thousands of machines were infected with malware that enrolled them in botnets used for denial-of-service attacks. And if that wasn’t enough of a debacle, the initial patch was quickly found to be incomplete: a variant that worked around it (CVE-2014-7169) surfaced within a day. Security researcher Robert David Graham, who ran the first internet-wide scan for Shellshock-vulnerable devices, called it “slightly worse than Heartbleed.”
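How a request header reached bash in the first place, and the check a gateway or web application firewall can apply before it does, as an added example in C that is not part of the original article and is neither Apache’s nor bash’s code: it models the CGI step that turns request headers into environment variables (the `HTTP_` naming rule is the one from the CGI specification, RFC 3875), refuses values that look like an exported function definition, and runs the step over a handful of constructed request headers. The pattern check is deliberately broader than the literal `() {` prefix that vulnerable bash versions matched; the sample headers and the `export_header` and `refused_in_sample` helpers are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv/unsetenv */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True if `value` looks like a bash exported-function definition: optional
 * whitespace, "()", optional whitespace, "{". Vulnerable bash versions matched
 * the literal prefix "() {" on every environment variable at startup and then
 * went on executing whatever followed the closing brace. This check is
 * intentionally broader than bash's own, so it errs towards refusing. */
int looks_like_shellshock(const char *value)
{
    while (isspace((unsigned char)*value)) value++;
    if (value[0] != '(' || value[1] != ')') return 0;
    value += 2;
    while (isspace((unsigned char)*value)) value++;
    return *value == '{';
}

/* "User-Agent" -> "HTTP_USER_AGENT": the CGI (RFC 3875) naming rule. */
static void cgi_env_name(const char *header, char *out, size_t cap)
{
    size_t n = 0;
    const char *prefix = "HTTP_";
    while (*prefix && n + 1 < cap) out[n++] = *prefix++;
    for (; *header && n + 1 < cap; header++)
        out[n++] = (*header == '-') ? '_' : (char)toupper((unsigned char)*header);
    out[n] = '\0';
}

/* Gateway step (assumed helper): export one request header into the
 * environment that a CGI script, and any bash it spawns, will inherit, unless
 * the value carries a function definition. Returns 1 if exported, 0 if
 * refused; on refusal the name is cleared so nothing stale remains. */
int export_header(const char *header, const char *value)
{
    char name[128];
    cgi_env_name(header, name, sizeof name);
    if (looks_like_shellshock(value)) {
        unsetenv(name);
        return 0;
    }
    return setenv(name, value, 1) == 0;
}

struct header { const char *name; const char *value; };

/* Constructed request headers for the demo; two are Shellshock probes of the
 * kind seen in the wild (the commands after the braces are illustrative). */
static const struct header sample[] = {
    { "Host",       "www.example.com" },
    { "User-Agent", "() { :; }; /bin/cat /etc/passwd" },
    { "Referer",    "() { ignored; }; /usr/bin/id" },
    { "Cookie",     "session=abc123" },
};

/* Run the gateway step over the sample; returns how many headers were refused. */
int refused_in_sample(void)
{
    int refused = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (!export_header(sample[i].name, sample[i].value)) refused++;
    return refused;
}

int main(void)
{
    printf("refused %d of %zu headers\n", refused_in_sample(),
           sizeof sample / sizeof sample[0]);
    printf("HTTP_USER_AGENT reached the environment: %s\n",
           getenv("HTTP_USER_AGENT") ? "yes" : "no");
    printf("HTTP_COOKIE = %s\n", getenv("HTTP_COOKIE"));
    return 0;
}
```

Filtering at the gateway only narrows the exposure; the real fix was the patched bash, and the quickest host-side check remains `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`, which on a patched bash prints only "this is a test".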