You may have seen news of Venom, the zero-day flaw which is being touted as as dangerous as the Heartbleed vulnerability which dominated security news in Spring 2014.
There are warnings that the warning the new bug could allow a hacker to take over vast portions of a datacentre from within.
Comment from Chris Eng, Vice President of Research at Veracode, the application security specialists.
The news of the VENOM vulnerability is concerning in breadth – similar to what we saw with Heartbleed in terms of the number of products affected. However, the severity of this zero-day is not nearly as alarming for a few reasons. First, there is little chance of mass exploitation; any exploit created around VENOM would have to be tailored against a specific target environment. Second, the attacker would have to already be on the target system to get at the vulnerability – certainly not impossible in a public cloud environment but nevertheless a complicating factor. Lastly, there isn’t currently a publicly available exploit, and creating one would require a non-trivial amount of effort.
While exploiting a vulnerability like Heartbleed allows an attacker to probe millions of systems, VENOM simply wouldn’t be exploitable at the same scale. Vulnerabilities like VENOM are mostly viewed as an avenue for a highly targeted attack like corporate espionage, cyber warfare or the like. Companies should absolutely apply patches as they become available.
By Chris Eng, Vice President of Research at Veracode
Bio : Chris Eng has over 15 years of application security experience. As Vice President of Research at Veracode, he leads the team responsible for integrating security expertise into Veracode’s technology. Throughout his career, he has led projects breaking, building, and defending web applications and commercial software for some of the world’s largest companies.Chris is a frequent speaker at premier industry conferences, such as BlackHat, RSA, OWASP, and CanSecWest, where he has presented on a diverse range of application security topics, including cryptographic attacks, agile security, mobile application security, and security metrics. Chris has been interviewed by Bloomberg, Fox Business, CBS, and other media outlets regarding security trends and noteworthy events. Additionally, he has served on the advisory board of the SOURCE Boston conference since its inception.Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California.
