Before Heartbleed: Worst vulnerabilities ever?

Summary: There have been some pretty bad vulnerabilities before Heartbleed. Is it really any more severe than CodeRed or Blaster?

  • IIS is a sitting duck

    Before Microsoft got its security act together, one of its most vulnerable products was also one of its most exposed: IIS (Internet Information Server), the web server that ships with Windows. Both the Code Red and Nimda worms spread simply by sending crafted HTTP requests to IIS servers: Code Red overflowed an unchecked buffer in the Index Server ISAPI extension (the .ida handler), and Nimda abused directory-traversal bugs in IIS along with the back doors earlier worms had left behind.

    The worm was analysed by eEye Digital Security's Marc Maiffret and Ryan Permeh, who had reported the underlying .ida buffer overflow to Microsoft a month earlier. They named it "Code Red" because Code Red Mountain Dew was what they were drinking at the time.

    Code Red was the first widespread exploitation of IIS vulnerabilities and must have been one of the major motivations behind Bill Gates's 2002 Trustworthy Computing memo, which made security a top priority at Microsoft. Within a few years IIS did a Charles Atlas, going from 90-pound security weakling to the most secure web server available. But at the time, IIS's reputation was deservedly in the gutter.

    Nimda was also a pioneer in the use of multiple infection vectors: besides HTTP requests, it could spread via email, network shares, by surfing compromised web sites, and through back doors left by other worms.
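    The request patterns these worms sent are still the textbook example of exploitation over plain HTTP, and they are easy to spot in IIS logs. The following scanner is an added example, not code from the original article: it reads IIS W3C-style log lines (the six-line sample is constructed for the demo, not captured from a real server), normalises the URL-encoding tricks Nimda used to slip past path checks (double-encoded `%255c` and the overlong UTF-8 `%c0%af` / `%c1%9c` forms), and flags the Code Red `.ida` request with its `%u`-encoded shellcode as well as Nimda's `cmd.exe` traversal and `root.exe` back-door probes. The label strings are the example's own naming.

```python
"""Flag Code Red and Nimda request signatures in IIS W3C log lines.

Added example for this article; the log sample is constructed.  Field order
assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
"""
from urllib.parse import unquote

# Constructed sample: two benign requests, one Code Red probe, three Nimda probes.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:00:01 10.0.0.5 GET /default.htm - 200
2001-07-19 10:00:02 192.0.2.17 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a 200
2001-09-18 11:12:13 198.51.100.9 GET /scripts/root.exe /c+dir 404
2001-09-18 11:12:14 198.51.100.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 11:12:15 198.51.100.9 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 11:13:00 10.0.0.6 GET /images/logo.gif - 200
"""

# Overlong UTF-8 encodings of '/' and '\' that IIS once decoded after its
# path checks ran (the "Unicode" traversal bug Nimda exploited).
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}


def normalise_path(stem):
    """Canonicalise a URI stem the way an attacker hoped IIS would."""
    path = stem.lower()
    for enc, ch in OVERLONG.items():
        path = path.replace(enc, ch)
    for _ in range(2):            # collapse double encoding: %255c -> %5c -> \
        path = unquote(path)
    return path.replace("\\", "/")


def classify_request(stem, query):
    """Return a signature label for a stem/query pair, or None if benign."""
    # Code Red: hit the Index Server .ida/.idq handler with a long query whose
    # %uXXXX escapes carried the shellcode and whose 'N' run padded the buffer.
    if stem.lower().endswith((".ida", ".idq")) and ("%u" in query.lower() or len(query) > 200):
        return "code-red-ida-overflow"
    path = normalise_path(stem)
    # Nimda first tried the root.exe back door left by Code Red II ...
    if "/root.exe" in path:
        return "nimda-root-exe-backdoor"
    # ... then walked out of the web root to cmd.exe via encoded traversal.
    if "../" in path and path.endswith("cmd.exe"):
        return "nimda-cmd-exe-traversal"
    return None


def parse_line(line):
    """Split one W3C log line; return (ip, stem, query) or None for comments/junk."""
    if line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, ip, _method, stem, query, _status = fields
    return ip, stem, query


def scan_log(text):
    """Return [(client_ip, label), ...] for every line matching a worm signature."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, stem, query = parsed
        label = classify_request(stem, query)
        if label:
            hits.append((ip, label))
    return hits


if __name__ == "__main__":
    for ip, label in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {label}")
```

Decoding twice and mapping the overlong sequences before checking for `../` is the part that matters: a rule that only looks at the raw `cs-uri-stem` misses both the `%255c` and `%c0%af` variants, which is exactly the gap IIS itself had.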

    Image: Wikipedia

  • iPwn! Hack an iPhone with an SMS message

    Charlie Miller, now an engineer at Twitter, has long been known as one of the top researchers of Apple products. In July 2009 at the Black Hat security conference, Miller outdid himself with an iPhone hack that must have rattled some chains at Apple.

    Miller, along with Collin Mulliner, demonstrated how they could send an SMS text message to an iPhone and compromise the phone automatically when the message was received.

    The vulnerability led to no real-world attacks because Miller reported it responsibly to Apple, who had an update out in time for Black Hat. Had the wrong people discovered it earlier the consequences would have been severe.

    To this day, the iPhone SMS hole remains one of the most eye-opening security vulnerabilities ever.

    Image: Charlie Miller

  • Adobe Acrobat & Reader. Now we fear PDFs.

    Adobe's PDF document format, long ago released as an open standard, has become one of those formats that you can assume everyone can read. Lots of software reads PDF files, but most people still use the Adobe Reader program to do it. In the mid-to-late 2000s, numerous vulnerabilities led to numerous exploits using numerous malicious PDFs to turn numerous Windows users into bots.

    There were two types of problems. First, PDF is a sufficiently complex format that it's hard to write a program that can process it without exploitable bugs. Second, over the years Adobe added many features to PDF, including JavaScript and embedded Flash objects, creating new "attack surface" in it: a document can now carry code that runs when it is opened, and every added feature is another parser an attacker can target.

    As with the Flash vulnerabilities of years gone by, none of the Acrobat/Reader vulnerabilities really stood out over the others. It was the steady parade of them and the consequent need for frequent updates that stood out.

    As with Flash vulnerabilities, Adobe has steadily hardened Reader and Acrobat so that vulnerabilities are fewer and less severe.
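    The practical consequence of that added attack surface is that a PDF can be triaged before anyone opens it by looking for the features that carry code or actions. The script below is an added example, not code from the original article or from Adobe: it walks the `N G obj ... endobj` objects of a file, undoes the `#xx` name escapes that PDF syntax allows (so `/Java#53cript` is recognised as `/JavaScript`), inflates `/FlateDecode` streams with zlib so content hidden in compressed objects is scanned too, and reports which objects reference `/OpenAction`, `/JavaScript`, `/Launch`, `/EmbeddedFile`, `/RichMedia` and similar names. The two sample documents are constructed in the code for the demo; the list of risky names and the label strings are the example's own choices.

```python
"""Triage a PDF for the features that give it executable attack surface.

Added example for this article.  The sample PDFs are constructed inline;
the RISKY_NAMES list is this example's own selection, not an Adobe list.
"""
import re
import zlib

# Dictionary names that let a document run code, launch programs, open
# URLs, or embed other files/Flash content.
RISKY_NAMES = (b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch",
               b"EmbeddedFile", b"RichMedia", b"SubmitForm", b"URI")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(data):
    """Resolve PDF name escapes: /Java#53cript -> /JavaScript (legal syntax, common evasion)."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(body):
    """Return the decompressed contents of every FlateDecode stream in an object body."""
    if b"/FlateDecode" not in body:
        return b""
    out = b""
    for m in STREAM_RE.finditer(body):
        try:
            out += zlib.decompress(m.group(1))
        except zlib.error:
            pass                      # corrupt or non-zlib data: nothing to scan
    return out


def find_risky_features(pdf):
    """Return [(object_number, feature_name), ...] for every risky name found."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        # Unescape the raw body and the inflated streams separately so that
        # '#' bytes inside compressed data are not mangled before inflation.
        text = unescape_names(body) + b"\n" + unescape_names(inflate_streams(body))
        for name in RISKY_NAMES:
            if re.search(rb"/" + name + rb"(?![A-Za-z0-9])", text):
                findings.append((num, name.decode()))
    return findings


def build_sample_pdf():
    """Constructed PDF: an /OpenAction firing an escaped /Java#53cript action,
    plus a second JavaScript action hidden inside a FlateDecode stream."""
    hidden = zlib.compress(b"<< /S /JavaScript /JS (app.launchURL('http://example.invalid')) >>")
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj",
        b"4 0 obj << /S /Java#53cript /JS (app.alert('hello')) >> endobj",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(hidden)
        + hidden + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed PDF with pages only: no actions, no scripts, nothing embedded.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for num, feature in find_risky_features(build_sample_pdf()):
        print(f"object {num}: /{feature}")
    print("benign findings:", find_risky_features(BENIGN_PDF))
```

On a real file, `find_risky_features(open(path, "rb").read())` gives the same list; a non-empty result is not proof of malice (forms and link annotations use some of these names legitimately), but `/OpenAction` or `/AA` pointing at a JavaScript or Launch action in a document nobody expected to contain code is exactly the pattern the exploit PDFs of that era shared.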

    Image: Security @ Adobe blog

Topics: Security, iPhone, Linux, Windows

Talkback

32 comments
  • We don't really know how it ranks yet

    Because it's very unclear as to how much it's been exploited. Code Red (which I'm sure MS-boosters would like us to forget about) made it very obvious where it hit; so did Blaster; so did Melissa. Thus far, the threat of Heartbleed has been almost entirely theoretical.

    But I'm pretty sure investigators are still working on it.
    John L. Ries
    • Don't forget

      For years MS was warned not to allow autorun but did they listen ?
      Nope, not until users were hammered.
      Alan Smithie
    • You're right.

      And I'm certain Anti MS-boosters will do their best to stop anyone from finding out just how bad this really turns out to be.
      William.Farrel
      • 2 security problems in the last 15 years or so...

        ...and OpenSSL and by extension, every other open source package in existence becomes anathema as we forget all about the past security problems of certain "successful companies"? Give me a break!
        John L. Ries
    • The disruption it is causing simply because we do not know is enough.

      IMO, the impact it is having is huge even if it never is exploited. You just don't know if your password is safe anymore unless you have a very limited set of accounts. Especially from an IT perspective this is huge.
      MeMyselfAndI_z
  • Anyone else find it ironic the author of Blaster would ask...

    ...Bill Gates to fix his software, but Blaster was the direct result of engineering the very fix the author requested?
    ye
  • depends on how you view worst

    The most number of systems affected?

    Cost of cleaning up effects of the problem both direct and indirect. Time, money, #users ...

    Most of the older types were nuisance varieties... maybe they defaced a site, created a denial of service, caused embarrassment if that's really possible, in that while people talked about it no one targeted actually seems embarrassed because they just don't feel it.

    So number of systems... seems like OpenSSL is in the running for top honors.
    Number of people impacted... seems like OpenSSL is in the running for top honors.
    Cost of remediation ... seems like OpenSSL is in the running for top honors.
    Cost of damage caused ... we wont know this one for a while but due to the nature potentially OpenSSL is in the running for top honors.

    Yeah, it's likely the worst.
    greywolf7
    • You don't know the answer to ANY of the criteria you listed, but

      still concluded it to likely be the worst.
      baggins_z
    • Your post is all assumption, no reality.

      Many systems affected, but so far, zero documented cases of exploits.
      Number of people impacted: So far, zero, as no reported stolen info to date.
      Cost to repair, not much, since it's just an update to OpenSSL and renewed certs, both of which happen regularly anyway.

      Is the worst? Not by a long shot.
      anothercanuck
    • number of systems and devices

      Google CloudSQL is currently being patched, users need to update OpenSSL on each running instance on Google Compute Engine
      Google Search Appliance is currently being updated...
      Google says Android 4.1.1 is vulnerable. Or 34% of the over 1 Billion devices... 340 million.

      Multiple Cisco Products 16 are confirmed vulnerable while 65 others are being investigated.
      Multiple Juniper products are vulnerable,
      Multiple F5 products are vulnerable
      Multiple Linux Distributions are vulnerable
      Netcraft says Half a Million web sites are vulnerable
      BBM on iOS and Android is vulnerable... over 40 million.

      Looks like it could easily be over a billion.
      greywolf7
      • So NOW you accept that Linux based systems

        have over a billion users?

        :)
        jessepollard
      • Multiple Linux Distributions ARE vulnerable?

        Really? Or just speculation? My distro was auto-patched the same day the news broke and I am sure all the other major distros were as well. The patch is trivial, simply disable heartbeat feature, recompile and ship out the resulting binary.

        In the case of the web appliance products, the problem ONLY affects remote access. The easy fix is to turn off remote access until the system is patched or replaced. Inconvenient yes. Huge security problem no.

        In the case of those half million websites, most of them were probably vulnerable to plenty of other exploits because of the way they are administered. If server admins don't patch or use flaky Linux distros that don't take security seriously there will be problems. Any server admin who ignores a security related patch for ANY reason is not doing his or her job. It's that simple.

        Android problems, if they exist, are Google and/or hardware vendor problems, not open source problems. Linux systems were patched in no time. Android should be just as responsive at least. In fact Android should be more responsive since, unlike Linux distros which are fully open source, Android has big pocket support from Google and hardware vendors. So the fact that it is slower (if indeed it is) is actually evidence that pure open source is more responsive to problems like this than corporate software management.
        George Mitchell
        • Really? Or just speculation?

          Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
          • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
          • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
          • CentOS 6.5, OpenSSL 1.0.1e-15
          • Fedora 18, OpenSSL 1.0.1e-4
          • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
          • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
          • NetBSD 5.0.2 (OpenSSL 1.0.1e)
          • OpenSUSE 12.2 (OpenSSL 1.0.1c)

          Android is a vendor problem not an open source problem... LOL. Because they included OpenSSL just like all those other SAPS that got bit.

          You sound like a denier... Fingers in ears La la la la la la

          Oh, go ahead and deny it because those BSD distributions are not Linux.
          greywolf7
          • shipped with is different from speed of patches!!

            Hi :)
            The length of time it took for patches to appear is more relevant than the unknown issue existing in shipped products. The speed and willingness of people to apply the patches shows a huge differential between OpenSource users and people using proprietary systems.

            The article clearly shows that a problem with proprietary systems still exists years after patches were released because users have no trust in and see no value in applying the patches. The OpenSource world has learned that patches tend to be goodies and patched quite quickly.

            Regards from
            Tom :)
            Tom6
          • Interesting that you included Fedora 18

            Fedora 18 reached End-Of-Life *months* ago, when Fedora 20 was released. Both Fedoras 19 and 20 have been patched, of course.

            Do you have *any* idea how many people are still running Fedora 18? Personally, I upgraded all of my Fedora 18 boxes as soon as Fedora *19* was released!
            Zogg
        • do your homework George

          Android problems, if they exist...
          http://www.cnet.com/how-to/how-to-tell-if-your-android-device-is-vulnerable-to-heartbleed/

          Android should be just as responsive at least. In fact Android should be more responsive ... So the fact that it is slower (if indeed it is) ....
          http://www.zdnet.com/heartboned-why-google-needs-to-reclaim-android-updates-7000028331/
          evidence that pure open source is more responsive to problems like this than corporate software management.

          http://www.zdnet.com/openssl-needs-corporate-funding-to-avoid-heartbleed-repeat-7000028385/

          Nobody ever again can trust the "Peer Review" meme. Heartbleed is a knife in the heart of FOSS.
          greywolf7
    • Not sure about that...

      The "I love you" mail worm was one of the most widespread in damage.

      EVERY mail server got hammered - for days. Even systems that weren't vulnerable had to deal with it.
      jessepollard
  • Missing the Debian certificate entropy fiasco!

    Another Linux failure that affected Debian as well as derivatives such as Ubuntu.

    That's slightly comparable to Heartbleed in the sense that it *also* meant that a HUGE number of certificates had to be revoked and new ones acquired.

    http://www.scribd.com/doc/23213043/Re-issuing-certificates-from-the-2008-Debian-OpenSSL-Vulnerability
    honeymonster
    • Linux Failure?

      OpenSSL can be used on Linux, Mac, Windows, Unix, and more.
      anothercanuck
      • And...

        ...its home OS isn't a Linux distro at all. It's OpenBSD; distributed under the MS-approved BSD license (i.e. it's genetic UNIX, not Linux). OpenBSD's GNU equivalent is GNUTLS.
        John L. Ries