Time flies. It is already late February 2015, and at IBM InterConnect we are about to look back on 2014 as the year the Internet fell apart. It feels like only yesterday that Heartbleed, the information disclosure vulnerability in OpenSSL, was announced. At the time, IBM quickly sprang into action and released multiple network intrusion prevention system signatures that covered all of the threat's permutations. Exploitation was swift and seemingly relentless. Even as the year progressed, from a managed security services perspective, IBM still observed customers being attacked with Heartbleed, though not successfully exploited.

There are many things that make Heartbleed fascinating. One of the key aspects is that it is not a remote code execution vulnerability in itself. Rather, a missing bounds check in OpenSSL's handling of the TLS heartbeat extension lets an unauthenticated attacker read a small but useful slice of the server process's memory (up to 64 KB per request) back in the heartbeat response. Heartbleed was just one of a few notable major vulnerability disclosures in 2014.
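To make the mechanism concrete, here is an added example (my own Python model, not code from the original post or from OpenSSL) of the heartbeat message, the pre-fix handler that trusts the attacker's claimed payload length, the one-line bounds check from the fix, and the network-side check an IPS signature for Heartbleed boils down to. The "neighbouring heap data" and the secret it contains are constructed for the example; the function names are mine.

```python
"""Added example (not from the original post): a Python model of the OpenSSL
heartbeat bug (CVE-2014-0160, Heartbleed) and the bounds check that fixed it.
The heap contents and the secret are constructed here; no real TLS stack is used."""
import struct

HEARTBEAT_CONTENT_TYPE = 24   # TLS record type for the heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16               # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_record(payload: bytes, claimed_length: int,
                           version=(3, 2)) -> bytes:
    """Build a TLS record carrying a heartbeat request.

    claimed_length is what the message *says* the payload length is; it may
    disagree with len(payload). That disagreement is the whole attack.
    """
    body = struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING
    header = struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, version[0], version[1], len(body))
    return header + body


def parse_record(record: bytes):
    """Split a TLS record into (content_type, version, body)."""
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", record[:5])
    return ctype, (vmaj, vmin), record[5:5 + length]


def vulnerable_handler(body: bytes, heap_after_record: bytes):
    """Model of tls1_process_heartbeat() before the fix.

    The record lives in a heap buffer; heap_after_record stands in for whatever
    happened to follow it in memory (constructed for this example). The handler
    trusts the claimed length and copies that many bytes from the payload start,
    running past the end of the record it actually received.
    """
    hbtype, claimed = struct.unpack("!BH", body[:3])
    if hbtype != HB_REQUEST:
        return None
    memory = body + heap_after_record
    echoed = memory[3:3 + claimed]                # over-read: never compared with len(body)
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * MIN_PADDING


def patched_handler(body: bytes, heap_after_record: bytes):
    """Same handler with the OpenSSL 1.0.1g check: header, claimed payload and
    minimum padding must fit inside the record that arrived, otherwise the
    message is silently discarded (heap_after_record is never touched)."""
    if len(body) < 1 + 2 + MIN_PADDING:
        return None
    hbtype, claimed = struct.unpack("!BH", body[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + claimed + MIN_PADDING > len(body):
        return None                               # the fix
    echoed = body[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * MIN_PADDING


def leaked_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    claimed = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + claimed]


def heartbeat_claims_too_much(record: bytes) -> bool:
    """Network-side check: a heartbeat request whose claimed payload cannot
    fit in its own record is malformed and worth blocking or alerting on."""
    ctype, _, body = parse_record(record)
    if ctype != HEARTBEAT_CONTENT_TYPE or len(body) < 3:
        return False
    hbtype, claimed = struct.unpack("!BH", body[:3])
    return hbtype == HB_REQUEST and 1 + 2 + claimed + MIN_PADDING > len(body)


if __name__ == "__main__":
    SECRET = b"SESSIONID=deadbeef; user=alice"     # constructed neighbouring heap data
    heap = SECRET + b"\x00" * 64
    evil = build_heartbeat_record(b"hi", 64)        # sends 2 payload bytes, claims 64
    _, _, body = parse_record(evil)
    print("vulnerable echoes:", leaked_payload(vulnerable_handler(body, heap)))
    print("patched returns:", patched_handler(body, heap))
    print("IPS check flags it:", heartbeat_claims_too_much(evil))
```

Run stand-alone, the vulnerable handler echoes the constructed session secret back inside the heartbeat response, the patched handler returns nothing, and the record-level check flags the request purely from the mismatch between claimed and actual length, which is why a signature could be written without any knowledge of the victim's memory layout.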

The next, Shellshock, was just as shocking, if not more so, because of how long it had gone unnoticed. Heartbleed had been introduced only two years or so earlier; the Shellshock bug in the Bourne-again shell (bash) had been present for roughly 25 years. Bash imported any environment variable whose value began with "() {" as a function definition and, crucially, kept executing whatever commands followed the function body. Anything that places attacker-controlled data in the environment of a bash process therefore became an exploit path: Common Gateway Interface-based Web servers (which hand request headers to scripts as environment variables), OpenSSH servers, some Dynamic Host Configuration Protocol clients and other software could be made to run commands without authentication or, in some cases, to let an authenticated user escape a restricted shell. The scary thing is how many embedded devices (I suppose we call them the Internet of Things these days) are vulnerable and will stay exposed for a very long time, since they will never receive a firmware update or be updated by their owners for whatever reason.
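As an added example (mine, not from the original post), the CGI path described above: how a request header becomes a bash environment variable, a detector that flags headers carrying a function definition, and the canonical local check for whether the installed bash still honours the trailing command. The HTTP request is constructed for the example and targets a hypothetical script; the helper names are mine.

```python
"""Added example (not from the original post): how a Shellshock (CVE-2014-6271)
payload reaches bash through a CGI request, and a detector for it. The HTTP
request below is constructed, not captured traffic."""
import os
import re
import shutil
import subprocess

# Bash before the fix imported an environment variable whose value started with
# "() {" as a function definition and then kept parsing, so commands appended
# after the closing brace ran. The match here is deliberately looser than
# bash's exact prefix so that whitespace variants used by scanners are caught.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def cgi_env_name(header_name: str) -> str:
    """CGI (RFC 3875) exposes a request header as HTTP_<NAME>, upper-cased with
    hyphens turned into underscores: User-Agent -> HTTP_USER_AGENT."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def find_shellshock_headers(raw_request: str):
    """Return (env_var, value) pairs for headers that would land in the CGI
    environment carrying a bash function definition."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    hits = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        value = value.strip()
        if SHELLSHOCK_RE.search(value):
            hits.append((cgi_env_name(name), value))
    return hits


def bash_is_vulnerable():
    """The canonical local check for CVE-2014-6271. Returns None if no bash is
    installed; True only if the trailing 'echo vulnerable' actually ran."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = dict(os.environ, x="() { :;}; echo vulnerable")
    proc = subprocess.run([bash, "-c", "echo test"], env=env,
                          capture_output=True, text=True)
    return "vulnerable" in proc.stdout


# Constructed request against a hypothetical CGI script; the two header values
# are the shape of the probes seen in the wild, not anything captured here.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status.sh HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: () { :;}; /bin/cat /etc/passwd\r\n"
    "Referer: () { ignored; }; /usr/bin/id\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for env_var, value in find_shellshock_headers(SAMPLE_REQUEST):
        print(f"{env_var} would carry: {value!r}")
    print("local bash vulnerable:", bash_is_vulnerable())
```

On a patched system `bash_is_vulnerable()` returns False because bash no longer executes anything beyond the function body; on an unpatched embedded device with a bash-based CGI handler, every header in the sample request is a command the Web server runs on the attacker's behalf, with no credentials involved.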

At the IBM InterConnect session "2014: The Year That the Internet Fell Apart" at 2 p.m. on Monday, February 23rd, I will dive into these two vulnerabilities and how attacks using them progressed. Additionally, I will share the highlights of the Unicorn bug, a vulnerability in Microsoft Windows that I discovered and reported to Microsoft late last year. The goal is an interactive session on the mechanisms and processes companies can use to build better defenses. If you think you won't be the next big breach story, here is a preview of where the panel discussion is headed.

In 2015, there have already been some highly noteworthy bugs, such as GHOST and JASBUG. Bugs so old that someone should have stumbled upon them sooner will, it seems, continue to be discovered and disclosed throughout the year. Perhaps 2014 was not the year the Internet fell apart after all; perhaps 2015 will be.

Join me, our guest speaker, Alain-Désiré Kamenyero from Scotiabank and my esteemed IBM colleagues, John Kuhn and Jamie Licitra, at InterConnect 2015 to learn more about our thoughts and data on how the major vulnerabilities of 2014 affected organizations from around the world.
