Heartbleed: Living the nightmare
With the mainstream media and general public now used to big tech stories, Heartbleed may be the most famous software vulnerability in history. Is it the worst ever?
It's up there. The pervasiveness of technology and our reliance on encryption, and SSL/TLS in particular, makes us sitting ducks for Heartbleed attackers, if there are any out there. On top of that, Heartbleed is a partly zero-day vulnerability; when the news broke, the fixes were in process, but far from complete.
And the consequences of Heartbleed are widespread. It may be that every SSL digital certificate needs to be reissued. You may need to change most, maybe all of your passwords. These things take time, and while they're taking their time we're open to attack.
In this gallery we have collected 15 of the most severe vulnerabilities in tech history. All the vulnerabilities are in software. One purely hardware vulnerability suggested to us — the thermal exhaust port on the Death Star — was deemed out of scope, even though it was a relatively critical bug.
SQL Slammer is the undisputed speed champion for vulnerabilities. With a tiny payload and through the magic of UDP, it spread across the world in a matter of minutes on January 25, 2003. (How tiny? The picture above is a complete disassembly of the worm, with comments added!)
The actual vulnerabilities exploited, multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE), had been patched months before by Microsoft, but there wasn't quite the sense of urgency back then that there is now about applying updates.
The breathtaking speed with which Slammer hit created fear of similar future attacks, but fortunately it was not to be. Slammer isn't the only worm we've had, but it's the only one that crossed the globe before anyone knew what was going on.
Image: Disassembly of Slammer worm, courtesy Immunity, Inc.
The Morris Worm
Just six months ago we celebrated the 25th anniversary of the Morris Worm. By today's standards the raw number of systems affected — 6,000 — is not impressive. It looks different when you see that there were only 60,000 systems on the entire Internet on November 2, 1988.
Yes, Robert Morris, then a student at Cornell, brought down 10 percent of the entire Internet, and he did it by accident. Morris wrote a worm program as a selfish intellectual experiment. Exploiting known vulnerabilities in Unix sendmail, finger, and rsh/rexec, as well as using a list of weak passwords with which to access accounts, it attempted to span the entire Internet. But a bug in the worm turned it instead into a massive distributed denial of service attack against the entire Internet.
Computer security was an academic issue before the Morris worm. After November 2, 1988 it became very real.