Before Heartbleed: Worst vulnerabilities ever?


Summary: There have been some pretty bad vulnerabilities before Heartbleed. Is it really any more severe than CodeRed or Blaster?

  • SQL Slammer

    SQL Slammer is the undisputed speed champion for vulnerabilities. The entire worm fit in one 376-byte UDP datagram aimed at port 1434, so infecting a host took a single packet with no handshake, and the only limit on its spread was how fast already-infected machines could push packets out. Released on January 25, 2003, it roughly doubled its infected population every 8.5 seconds at first and had reached most of the hosts it would ever reach within about ten minutes. (How tiny? The picture above is a complete disassembly of the worm, with comments added!)

    The actual vulnerabilities exploited, multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE), had been patched by Microsoft six months earlier in MS02-039 (July 2002), but there wasn't quite the sense of urgency back then that there is now about applying updates. It did not help that MSDE shipped embedded in many third-party products, so plenty of the people who owned vulnerable machines had no idea they were running a SQL Server engine at all.

    The breathtaking speed with which Slammer hit created fear of similar future attacks, but fortunately it was not to be. Slammer isn't the only worm we've had, but it's the only one that crossed the globe before anyone knew what was going on. It carried no payload beyond propagation; the damage it did was the traffic itself, which saturated links and took down services that had nothing to do with SQL Server.

    Image: Disassembly of Slammer worm, courtesy Immunity, Inc.

  • The Morris Worm

    Just six months ago we celebrated the 25th anniversary of the Morris Worm. By today's standards the raw number of systems affected, about 6,000, is not impressive. It looks different when you see that there were only about 60,000 systems on the entire Internet on November 2, 1988.

    Yes, Robert Morris, then a graduate student at Cornell, brought down 10 percent of the entire Internet, and he did it by accident. Morris wrote a worm program as a selfish intellectual experiment. Exploiting known weaknesses in Unix sendmail (its DEBUG command), fingerd (a stack buffer overflow from an unchecked gets() call) and rsh/rexec (the trust granted by hosts' .rhosts files), as well as a list of common passwords with which to guess its way into accounts, it attempted to span the entire Internet. But a bug in the worm turned it instead into a massive denial of service attack against the whole Internet: the worm was supposed to back off when it found a host already infected, but it ignored that answer one time in seven, so machines were reinfected over and over until dozens of running copies ground them to a halt.

    Computer security was an academic issue before the Morris worm. After November 2, 1988 it became very real.

    Image: Wikipedia

  • Conficker: Still botting after all these years

    On Thursday, October 23, 2008 (yes, it was "out of band"), Microsoft published MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution. This was one of the really bad ones: an unauthenticated attacker could send a crafted RPC request over SMB (TCP port 445) to the Server service and run code as SYSTEM, which is all it takes to own a PC and turn it into a bot. The word went out that it was important to apply the update, but you know how people are; security firm Qualys estimated that in January 30% of vulnerable PCs were still unpatched.

    It was almost a month later, on November 21, 2008, that the first variant of Conficker, also known as Downadup, was detected; later variants were used to push the Waledac spam bot onto infected machines. Conficker was (make that "is", because it's still alive) pretty sophisticated malware. It could update itself, generating a fresh list of rendezvous domain names every day so its controllers never needed a fixed server, and it was one of the principal bots to spread via network shares (guessing weak passwords on ADMIN$ shares) and via USB drives (an autorun.inf file that ran the worm when the drive was plugged in).

    In Europe the spread was particularly severe, affecting the military networks in France, the UK and Germany. It spread to over 200 countries and became one of the largest botnets ever.

    In fact, Conficker would have been blocked by decent firewall rules as well as by the update: to reach a new host it needed inbound SMB from an infected neighbour, a writable share with a guessable password, or an autorun-enabled USB drive, and none of those should be reachable from an untrusted network. The fact that it spread so far and still lives shows just how widespread bad configurations are.

    Image: The Conficker Working Group
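As an added example (this is not code from the article, from Immunity or from the Conficker Working Group), here is a small Python classifier that runs over packet records and checks for the two network vectors the Slammer and Conficker slides describe: an over-long 0x04 request to the SQL Server Resolution Service on UDP/1434 (the MS02-039 overflow, with Slammer's characteristic 0x01 fill), and SMB (TCP 139/445) on an inside host reachable from outside, the perimeter hole that let Conficker deliver its MS08-067 exploit. The local networks, the name-length threshold and the sample packets are assumptions constructed for the example; the 0x90 filler stands in for the worm body and is not its code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "udp" or "tcp"
    dport: int      # destination port
    payload: bytes  # application bytes carried (empty for a bare SYN)


# Assumption for the example: these ranges are "inside" the perimeter.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


# SQL Server Resolution Service (UDP/1434): a client "ping" is the single
# byte 0x02; a 0x04 request carries an instance name, and an over-long name
# is the overflow fixed by MS02-039. Slammer's datagram is 0x04, a run of
# 0x01 bytes to fill the buffer, then its code: 376 bytes of payload.
SSRS_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376
# SQL Server instance names are at most 16 characters, so no legitimate
# request is longer than a few dozen bytes. 32 is an assumed threshold
# that leaves slack for framing while still catching the overflow.
MAX_SANE_NAME = 32
SLAMMER_FILL = b"\x01" * MAX_SANE_NAME


def ssrs_overflow(pkt: Packet) -> bool:
    """True for any 0x04 SSRS request whose name runs past MAX_SANE_NAME."""
    if pkt.proto != "udp" or pkt.dport != SSRS_PORT:
        return False
    return len(pkt.payload) > MAX_SANE_NAME and pkt.payload[0] == 0x04


def slammer_like(pkt: Packet) -> bool:
    """True when the over-long name is Slammer's run of 0x01 bytes."""
    return ssrs_overflow(pkt) and pkt.payload[1:1 + MAX_SANE_NAME] == SLAMMER_FILL


# MS08-067 was triggered by a crafted RPC request to the Server service over
# SMB, so SMB reachable from outside the local networks is the configuration
# that let Conficker in (shares and USB drives do the rest once it is inside).
SMB_PORTS = {139, 445}


def exposed_smb(pkt: Packet) -> bool:
    """True for TCP traffic to SMB on an inside host from an outside source."""
    return (pkt.proto == "tcp" and pkt.dport in SMB_PORTS
            and is_local(pkt.dst) and not is_local(pkt.src))


def classify(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return (finding, src, dst) for every packet that matches a check."""
    findings = []
    for pkt in packets:
        if slammer_like(pkt):
            findings.append(("slammer-like SSRS overflow", pkt.src, pkt.dst))
        elif ssrs_overflow(pkt):
            findings.append(("over-long SSRS request (MS02-039)", pkt.src, pkt.dst))
        elif exposed_smb(pkt):
            findings.append(("external SMB to internal host", pkt.src, pkt.dst))
    return findings


def sample_packets() -> List[Packet]:
    """Constructed traffic for the example; 0x90 filler stands in for the worm body."""
    fill = b"\x01" * 97
    body = b"\x90" * (SLAMMER_PAYLOAD_LEN - 1 - len(fill))
    return [
        Packet("203.0.113.9", "10.1.2.3", "udp", 1434, b"\x04" + fill + body),  # worm-shaped
        Packet("10.1.2.40", "10.1.2.3", "udp", 1434, b"\x02"),                  # legitimate ping
        Packet("10.1.2.40", "10.1.2.3", "udp", 1434, b"\x04MSSQLSERVER\x00"),   # legitimate register
        Packet("198.51.100.7", "192.168.5.20", "tcp", 445, b""),                # SMB from outside
        Packet("192.168.5.21", "192.168.5.20", "tcp", 445, b""),                # SMB inside the LAN
        Packet("198.51.100.7", "192.168.5.20", "tcp", 443, b""),                # ordinary HTTPS
    ]


if __name__ == "__main__":
    for finding in classify(sample_packets()):
        print(*finding)
```

Run it and the two constructed offenders are reported while the ping, the short register request, LAN-internal SMB and HTTPS pass. The length check on 0x04 requests catches any attempt at the overflow, not just Slammer's; the 0x01-fill check only adds attribution. In practice the same two ideas live in an IDS signature (the published Slammer rules match the 0x04 first byte plus bytes from the worm body) and in the perimeter rule set (drop inbound 139, 445 and 1434 from untrusted networks); neither needs any knowledge of the worm's code, only of what legitimate traffic on those ports looks like.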

Discussion
  • We don't really know how it ranks yet

    Because it's very unclear as to how much it's been exploited. Code Red (which I'm sure MS-boosters would like us to forget about) made it very obvious where it hit; so did Blaster; so did Melissa. Thus far, the threat of Heartbleed has been almost entirely theoretical.

    But I'm pretty sure investigators are still working on it.
    John L. Ries
    • Don't forget

      For years MS was warned not to allow autorun, but did they listen?
      Nope, not until users were hammered.
      Alan Smithie
    • You're right.

      And I'm certain Anti MS-boosters will do their best to stop anyone from finding out just how bad this really turns out to be.
      • 2 security problems in the last 15 years or so...

        ...and OpenSSL and by extension, every other open source package in existence becomes anathema as we forget all about the past security problems of certain "successful companies"? Give me a break!
        John L. Ries
    • The disruption it is causing simply because we do not know is enough.

      IMO, the impact it is having is huge even if it never is exploited. You just don't know if your password is safe anymore unless you have a very limited set of accounts. Especially from an IT perspective this is huge.
  • Anyone else find it ironic the author of Blaster would ask...

    ...Bill Gates to fix his software, but Blaster was the direct result of engineering the very fix the author requested?
  • depends on how you view worst

    The most number of systems affected?

    Cost of cleaning up effects of the problem both direct and indirect. Time, money, #users ...

    Most of the older types were nuisance varieties... maybe they defaced a site, created a denial of service, caused embarrassment, if that's really possible, in that while people talked about it no one targeted actually seems embarrassed because they just don't feel it.

    So number of systems... seems like OpenSSL is in the running for top honors.
    Number of people impacted... seems like OpenSSL is in the running for top honors.
    Cost of remediation ... seems like OpenSSL is in the running for top honors.
    Cost of damage caused ... we wont know this one for a while but due to the nature potentially OpenSSL is in the running for top honors.

    Yeah, it's likely the worst.
    • You don't know the answer to ANY of the criteria you listed, but

      still concluded it to likely be the worst.
      Your post is all assumption, no reality.

      Many systems affected, but so far, zero documented cases of exploits.
      Number of people impacted: so far, zero, as no reported stolen info to date.
      Cost to repair: not much, since it's just an update to OpenSSL and renewed certs, both of which happen regularly anyway.

      Is it the worst? Not by a long shot.
    • number of systems and devices

      Google CloudSQL is currently being patched, users need to update OpenSSL on each running instance on Google Compute Engine
      Google Search Appliance is currently being updated...
      Google says Android 4.1.1 is vulnerable. Or 34% of the over 1 Billion devices... 340 million.

      Multiple Cisco products: 16 are confirmed vulnerable while 65 others are being investigated.
      Multiple Juniper products are vulnerable.
      Multiple F5 products are vulnerable.
      Multiple Linux distributions are vulnerable.
      Netcraft says half a million web sites are vulnerable.
      BBM on iOS and Android is vulnerable... over 40 million.

      Looks like it could easily be over a billion.
      • So NOW you accept that Linux based systems

        have over a billion users?

      • Multiple Linux Distributions ARE vulnerable?

        Really? Or just speculation? My distro was auto-patched the same day the news broke and I am sure all the other major distros were as well. The patch is trivial: simply disable the heartbeat feature, recompile and ship out the resulting binary.

        In the case of the web appliance products, the problem ONLY affects remote access. The easy fix is to turn off remote access until the system is patched or replaced. Inconvenient yes. Huge security problem no.

        In the case of those half million websites, most of them were probably vulnerable to plenty of other exploits because of the way they are admined. If server admins don't patch or use flaky Linux distros that don't take security seriously there will be problems. Any server admin who ignores a security related patch for ANY reason is not doing his or her job. It's that simple.

        Android problems, if they exist, are Google and/or hardware vendor problems, not open source problems. Linux systems were patched in no time. Android should be just as responsive at least. In fact Android should be more responsive since, unlike Linux distros which are fully open source, Android has big pocket support from Google and hardware vendors. So the fact that it is slower (if indeed it is) is actually evidence that pure open source is more responsive to problems like this than corporate software management.
        George Mitchell
        • Really? Or just speculation?

          Some operating system distributions that have shipped with potentially vulnerable OpenSSL versions:
          • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
          • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
          • CentOS 6.5, OpenSSL 1.0.1e-15
          • Fedora 18, OpenSSL 1.0.1e-4
          • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
          • FreeBSD 10.0, OpenSSL 1.0.1e 11 Feb 2013
          • NetBSD 5.0.2 (OpenSSL 1.0.1e)
          • OpenSUSE 12.2 (OpenSSL 1.0.1c)

          Android is a vendor problem not an open source problem... LOL. Because they included OpenSSL just like all those other saps that got bit.

          You sound like a denier... Fingers in ears La la la la la la

          Oh, go ahead and deny it because those BSD distributions are not Linux.
          • shipped with is different from speed of patches!!

            Hi :)
            The length of time it took for patches to appear is more relevant than the unknown issue existing in shipped products. The speed and willingness of people to apply the patches shows a huge differential between OpenSource users and people using proprietary systems.

            The article clearly shows that a problem with proprietary systems still exists years after patches were released because users have no trust in and see no value in applying the patches. The OpenSource world has learned that patches tend to be goodies and patched quite quickly.

            Regards from
            Tom :)
          • Interesting that you included Fedora 18

            Fedora 18 reached End-Of-Life *months* ago, when Fedora 20 was released. Both Fedoras 19 and 20 have been patched, of course.

            Do you have *any* idea how many people are still running Fedora 18? Personally, I upgraded all of my Fedora 18 boxes as soon as Fedora *19* was released!
        • do your homework George

          Android problems, if they exist...

          Android should be just as responsive at least. In fact Android should be more responsive ... So the fact that it is slower (if indeed it is) ....

          evidence that pure open source is more responsive to problems like this than corporate software management.

          Nobody ever again can trust the "Peer Review" meme. Heartbleed is a knife in the heart of FOSS.
    • Not sure about that...

      The "I love you" mail worm was one of the most widespread in damage.

      EVERY mail server got hammered - for days. Even systems that weren't vulnerable had to deal with it.
  • Missing the Debian certificate entropy fiasco!

    Another Linux failure that affected Debian as well as derivatives such as Ubuntu.

    That's slightly comparable to Heartbleed in the sense that it *also* meant that a HUGE number of certificates had to be revoked and new ones acquired.
    • Linux Failure?

      OpenSSL can be used on Linux, Mac, Windows, Unix, and more.
      • And...

        ...its home OS isn't a Linux distro at all. It's OpenBSD; distributed under the MS-approved BSD license (i.e. it's genetic UNIX, not Linux). OpenBSD's GNU equivalent is GnuTLS.
        John L. Ries