Before Heartbleed: Worst vulnerabilities ever?

Summary: There have been some pretty bad vulnerabilities before Heartbleed. Is it really any more severe than CodeRed or Blaster?

  • The other OpenSSL problem

    Ten to fifteen years ago, before there was enough awareness to create Heartbleed-level hysteria, some really horrible vulnerabilities in really important software went relatively unnoticed.

    CVE-2002-0656 is one of a few remote code execution vulnerabilities from that era in Apache web servers and OpenSSL — yes, the same OpenSSL implicated in Heartbleed. It was found by well-known researcher Alexander Sotirov, who demonstrated how to use it to gain a shell (that is, code execution) on Apache/OpenSSL web servers, and a root shell on some of them.

  • billy gates why do you make this possible ?

    Blaster, also known as MSblast, LovSAN and a few other names, was the first of a series of persistent worms that used remotely exploitable Windows vulnerabilities to spread. Microsoft released the update for the flaw it exploited, a buffer overflow in the DCOM RPC procedures (a protocol for calling programs on remote machines over the network), in July 2003, and everyone knew the race to build a worm around that flaw was on.

    Blaster appeared first in August. The Chinese authors of the A variant built it by reverse-engineering the Windows patch. The executable contained many inexplicable and taunting statements, such as the one pictured here. Blaster was buggy and frequently caused system shutdowns.

    Unusually for these things, the author of the B variant was caught. He was an 18-year-old from Minnesota and he received an 18-month prison sentence.

    Image: Wikipedia

  • Sasser, the buggy botnet

    MS04-011 was one of those "uh-oh" Patch Tuesday releases. Experts looked at CAN-2003-0533 ("a Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME") and immediately knew a worm was on its way.

    Blaster had paved this trail months before, and by the end of the month the worm, Sasser, appeared on the scene, following the same script. Sasser was also distinguished by its bugginess; it caused system shutdowns of the sort pictured here.

    Just as with Blaster, the author of Sasser, an 18-year-old German, was caught. Because he was a minor when he wrote it, he was treated as one and received a suspended sentence.

Talkback

32 comments
  • We don't really know how it ranks yet

    Because it's very unclear as to how much it's been exploited. Code Red (which I'm sure MS-boosters would like us to forget about) made it very obvious where it hit; so did Blaster; so did Melissa. Thus far, the threat of Heartbleed has been almost entirely theoretical.

    But I'm pretty sure investigators are still working on it.
    John L. Ries
    • Don't forget

      For years MS was warned not to allow autorun but did they listen?
      Nope, not until users were hammered.
      Alan Smithie
    • You're right.

      And I'm certain Anti MS-boosters will do their best to stop anyone from finding out just how bad this really turns out to be.
      William.Farrel
      • 2 security problems in the last 15 years or so...

        ...and OpenSSL and by extension, every other open source package in existence becomes anathema as we forget all about the past security problems of certain "successful companies"? Give me a break!
        John L. Ries
    • The disruption it is causing simply because we do not know is enough.

      IMO, the impact it is having is huge even if it never is exploited. You just don't know if your password is safe anymore unless you have a very limited set of accounts. Especially from an IT perspective this is huge.
      MeMyselfAndI_z
  • Anyone else find it ironic the author of Blaster would ask...

    ...Bill Gates to fix his software but Blaster was the direct result of engineering the very fix the author requested?
    ye
  • depends on how you view worst

    The most number of systems affected?

    Cost of cleaning up effects of the problem both direct and indirect. Time, money, #users ...

    Most of the older types were nuisance varieties... maybe they defaced a site, created a denial of service, caused embarrassment (if that's really possible, in that while people talked about it, no one targeted actually seems embarrassed because they just don't feel it).

    So number of systems... seems like OpenSSL is in the running for top honors.
    Number of people impacted... seems like OpenSSL is in the running for top honors.
    Cost of remediation ... seems like OpenSSL is in the running for top honors.
    Cost of damage caused ... we won't know this one for a while but due to the nature potentially OpenSSL is in the running for top honors.

    Yeah, it's likely the worst.
    greywolf7
    • You don't know the answer to ANY of the criteria you listed, but

      still concluded it to likely be the worst.
      baggins_z
    • Your post is all assumption, no reality.

      Many systems affected, but so far, zero documented cases of exploits.
      Number of people impacted: So far, zero, as no reported stolen info to date.
      Cost to repair: not much, since it's just an update to OpenSSL, and renewed certs, both of which happen regularly anyway.

      Is it the worst? Not by a long shot.
      anothercanuck
    • number of systems and devices

      Google CloudSQL is currently being patched; users need to update OpenSSL on each running instance on Google Compute Engine.
      Google Search Appliance is currently being updated...
      Google says Android 4.1.1 is vulnerable. Or 34% of the over 1 billion devices... 340 million.

      Multiple Cisco products: 16 are confirmed vulnerable while 65 others are being investigated.
      Multiple Juniper products are vulnerable.
      Multiple F5 products are vulnerable.
      Multiple Linux distributions are vulnerable.
      Netcraft says half a million web sites are vulnerable.
      BBM on iOS and Android is vulnerable... over 40 million.

      Looks like it could easily be over a billion.
      greywolf7
      • So NOW you accept that Linux based systems

        have over a billion users?

        :)
        jessepollard
      • Multiple Linux Distributions ARE vulnerable?

        Really? Or just speculation? My distro was auto-patched the same day the news broke and I am sure all the other major distros were as well. The patch is trivial, simply disable heartbeat feature, recompile and ship out the resulting binary.

        In the case of the web appliance products, the problem ONLY affects remote access. The easy fix is to turn off remote access until the system is patched or replaced. Inconvenient yes. Huge security problem no.

        In the case of those half million websites, most of them were probably vulnerable to plenty of other exploits because of the way they are admined. If server admins don't patch or use flaky Linux distros that don't take security seriously there will be problems. Any server admin who ignores a security related patch for ANY reason is not doing his or her job. It's that simple.

        Android problems, if they exist, are Google and/or hardware vendor problems, not open source problems. Linux systems were patched in no time. Android should be just as responsive at least. In fact Android should be more responsive since, unlike Linux distros which are fully open source, Android has big pocket support from Google and hardware vendors. So the fact that it is slower (if indeed it is) is actually evidence that pure open source is more responsive to problems like this than corporate software management.
        George Mitchell
        • Really? Or just speculation?

          Some operating system distributions that have shipped with potentially vulnerable OpenSSL versions:
          • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
          • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
          • CentOS 6.5, OpenSSL 1.0.1e-15
          • Fedora 18, OpenSSL 1.0.1e-4
          • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
          • FreeBSD 10.0, OpenSSL 1.0.1e 11 Feb 2013
          • NetBSD 5.0.2 (OpenSSL 1.0.1e)
          • OpenSUSE 12.2 (OpenSSL 1.0.1c)

          Android is a vendor problem not an open source problem... LOL, because they included OpenSSL just like all those other SAPS that got bit.

          You sound like a denier... Fingers in ears La la la la la la


          Oh, go ahead and deny it because those BSD distributions are not Linux.
          greywolf7
          • shipped with is different from speed of patches!!

            Hi :)
            The length of time it took for patches to appear is more relevant than the unknown issue existing in shipped products. The speed and willingness of people to apply the patches shows a huge differential between OpenSource users and people using proprietary systems.

            The article clearly shows that a problem with proprietary systems still exists years after patches were released because users have no trust in and see no value in applying the patches. The OpenSource world has learned that patches tend to be goodies and patched quite quickly.

            Regards from
            Tom :)
            Tom6
          • Interesting that you included Fedora 18

            Fedora 18 reached End-Of-Life *months* ago, when Fedora 20 was released. Both Fedoras 19 and 20 have been patched, of course.

            Do you have *any* idea how many people are still running Fedora 18? Personally, I upgraded all of my Fedora 18 boxes as soon as Fedora *19* was released!
            Zogg
        • do your homework George

          Android problems, if they exist...
          http://www.cnet.com/how-to/how-to-tell-if-your-android-device-is-vulnerable-to-heartbleed/

          Android should be just as responsive at least. In fact Android should be more responsive ... So the fact that it is slower (if indeed it is) ....
          http://www.zdnet.com/heartboned-why-google-needs-to-reclaim-android-updates-7000028331/


          evidence that pure open source is more responsive to problems like this than corporate software management.

          http://www.zdnet.com/openssl-needs-corporate-funding-to-avoid-heartbleed-repeat-7000028385/

          Nobody ever again can trust the "Peer Review" meme. Heartbleed is a knife in the heart of FOSS.
          greywolf7
    • Not sure about that...

      The "I love you" mail worm was one of the most widespread in damage.

      EVERY mail server got hammered - for days. Even systems that weren't vulnerable had to deal with it.
      jessepollard
  • Missing the Debian certificate entropy fiasco!

    Another Linux failure that affected Debian as well as derivatives such as Ubuntu.

    That's slightly comparable to Heartbleed in the sense that it *also* meant that a HUGE number of certificates had to be revoked and new ones acquired.

    http://www.scribd.com/doc/23213043/Re-issuing-certificates-from-the-2008-Debian-OpenSSL-Vulnerability
    honeymonster
    • Linux Failure?

      OpenSSL can be used on Linux, Mac, Windows, Unix, and more.
      anothercanuck
      • And...

        ...its home OS isn't a Linux distro at all. It's OpenBSD; distributed under the MS-approved BSD license (i.e. it's genetic UNIX, not Linux). OpenBSD's GNU equivalent is GNUTLS.
        John L. Ries