Time flies. It is already late February in 2015 as we reflect on 2014 as the year the Internet fell apart at IBM InterConnect. It feels like it was just yesterday that Heartbleed, the information disclosure vulnerability in OpenSSL, was announced. At the time, IBM quickly sprang into action and released multiple network intrusion prevention system signatures that covered all the threat’s permutations. Exploitation was swift and seemingly relentless. Even as the year progressed, from a managed security services perspective, IBM still observed customers being attacked, but not exploited, by Heartbleed.

There are many things that make Heartbleed fascinating. One of the key aspects is that it is not a remote code vulnerability in itself. Rather, the vulnerability permits an unauthenticated attacker to obtain a small but useful amount of system RAM data in the response. Heartbleed was just one of a few notable major vulnerability disclosures in 2014.

The next, Shellshock, was just as shocking — if not more so — because of how long it had gone unnoticed. In the case of Heartbleed, the vulnerability had only been introduced two years or so earlier. With Shellshock, the vulnerability in the bourne-again shell had already been around for 25 years. This vulnerability facilitated the practical exploitation of Common Gateway Interface-based Web servers, OpenSSH servers, some Dynamic Host Configuration Protocol clients and other software to run commands as unauthenticated users or, in some cases, escape from a restricted shell, if authenticated. The scary thing is how many embedded devices (I suppose we call them the Internet of Things these days) are vulnerable and will be exposed for a very long time, since the devices won’t receive a firmware update or be updated by their users for whatever reason.

At the IBM InterConnect session “2014: The Year That the Internet Fell Apart” at 2 p.m. on Monday, February 23rd, I will dive into these two vulnerabilities and how attacks using them progressed. Additionally, I will share the highlights of the Unicorn bug, a vulnerability in Microsoft Windows I discovered and reported to Microsoft late last year. The goal is to discuss mechanisms and processes companies can use to gain better defenses in an interactive session. If you think you won’t be the next big breach story, let’s preview where the panel discussion is going to head.

In 2015, there have already been some highly noteworthy bugs, such as GHOST and JASBUG. It seems that bugs that are so old someone should have stumbled upon them sooner will continue to be discovered and disclosed throughout the year. Perhaps 2014 is not the year the Internet fell apart and 2015 will be.

Join me, our guest speaker, Alain-Désiré Kamenyero from Scotiabank and my esteemed IBM colleagues, John Kuhn and Jamie Licitra, at InterConnect 2015 to learn more about our thoughts and data on how the major vulnerabilities of 2014 affected organizations from around the world.

More from Software Vulnerabilities

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today