Time flies. It is already late February 2015, and at IBM InterConnect we will be reflecting on 2014 as the year the Internet fell apart. It feels like it was just yesterday that Heartbleed, the information disclosure vulnerability in OpenSSL, was announced. At the time, IBM quickly sprang into action and released multiple network intrusion prevention system signatures that covered all the threat’s permutations. Exploitation was swift and seemingly relentless. Even as the year progressed, from a managed security services perspective, IBM still observed customers being attacked with Heartbleed, though not successfully exploited.

There are many things that make Heartbleed fascinating. One of the key aspects is that it is not a remote code execution vulnerability in itself. Rather, the vulnerability permits an unauthenticated attacker to obtain a small but useful amount of the server’s RAM contents in each response. Heartbleed was just one of a few notable major vulnerability disclosures in 2014.

The next, Shellshock, was just as shocking — if not more so — because of how long it had gone unnoticed. In the case of Heartbleed, the vulnerability had only been introduced two years or so earlier. With Shellshock, the vulnerability in the Bourne-again shell (bash) had already been around for 25 years. This vulnerability facilitated the practical exploitation of Common Gateway Interface-based Web servers, OpenSSH servers, some Dynamic Host Configuration Protocol clients and other software, allowing unauthenticated users to run commands or, in some cases, allowing authenticated users to escape from a restricted shell. The scary thing is how many embedded devices (I suppose we call them the Internet of Things these days) are vulnerable and will remain exposed for a very long time, since the devices won’t receive a firmware update or be updated by their users for whatever reason.

At the IBM InterConnect session “2014: The Year That the Internet Fell Apart” at 2 p.m. on Monday, February 23rd, I will dive into these two vulnerabilities and how attacks using them progressed. Additionally, I will share the highlights of the Unicorn bug, a vulnerability in Microsoft Windows I discovered and reported to Microsoft late last year. The goal is an interactive session discussing the mechanisms and processes companies can use to build better defenses. If you think you won’t be the next big breach story, here is a preview of where the panel discussion is going to head.

In 2015, there have already been some highly noteworthy bugs, such as GHOST and JASBUG. It seems that bugs that are so old someone should have stumbled upon them sooner will continue to be discovered and disclosed throughout the year. Perhaps 2014 is not the year the Internet fell apart and 2015 will be.

Join me, our guest speaker, Alain-Désiré Kamenyero from Scotiabank and my esteemed IBM colleagues, John Kuhn and Jamie Licitra, at InterConnect 2015 to learn more about our thoughts and data on how the major vulnerabilities of 2014 affected organizations from around the world.
