You may have seen news of VENOM, the zero-day flaw which is being touted as being as dangerous as the Heartbleed vulnerability which dominated security news in Spring 2014.
There are warnings that the new bug could allow a hacker to take over vast portions of a datacentre from within.
Comment from Chris Eng, Vice President of Research at Veracode, the application security specialists:
The news of the VENOM vulnerability is concerning in breadth – similar to what we saw with Heartbleed in terms of the number of products affected. However, the severity of this zero-day is not nearly as alarming for a few reasons. First, there is little chance of mass exploitation; any exploit created around VENOM would have to be tailored against a specific target environment. Second, the attacker would have to already be on the target system to get at the vulnerability – certainly not impossible in a public cloud environment but nevertheless a complicating factor. Lastly, there isn’t currently a publicly available exploit, and creating one would require a non-trivial amount of effort.
While exploiting a vulnerability like Heartbleed allows an attacker to probe millions of systems, VENOM simply wouldn’t be exploitable at the same scale. Vulnerabilities like VENOM are mostly viewed as an avenue for a highly targeted attack like corporate espionage, cyber warfare or the like. Companies should absolutely apply patches as they become available.
By Chris Eng, Vice President of Research at Veracode
Bio: Chris Eng has over 15 years of application security experience. As Vice President of Research at Veracode, he leads the team responsible for integrating security expertise into Veracode’s technology. Throughout his career, he has led projects breaking, building, and defending web applications and commercial software for some of the world’s largest companies. Chris is a frequent speaker at premier industry conferences, such as BlackHat, RSA, OWASP, and CanSecWest, where he has presented on a diverse range of application security topics, including cryptographic attacks, agile security, mobile application security, and security metrics. Chris has been interviewed by Bloomberg, Fox Business, CBS, and other media outlets regarding security trends and noteworthy events. Additionally, he has served on the advisory board of the SOURCE Boston conference since its inception. Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California.