2014 was a surprisingly bad year for software exploits. Systems that we thought were impenetrable – like OpenSSL – showed some huge weaknesses. Hackers took full advantage of these weaknesses and dealt some major damage.
Without further ado, here are the top 5 worst software exploits of 2014:
Heartbleed sounds like a type of heart disease. But it’s not. Heartbleed was a dangerous vulnerability we first learned about in April.
Despite being discovered in 2014, Heartbleed had actually existed for about two years. Heartbleed was a vulnerability in OpenSSL, an encryption library used by two thirds of the world’s websites and servers.
In other words, two thirds of the world’s websites and servers were instantly discovered to be vulnerable to a hacking attack.
It’s unknown how much damage was caused by Heartbleed. It could have been nothing, or it could have been a lot. So far, however, many OpenSSL devices still have not been patched, which means they’re as vulnerable to attack as ever before.
Reportedly, up to 30,000 devices still use the old, unpatched version of OpenSSL, including printers, firewalls, routers, and storage servers. That’s a problem – and it could leave many people open for exploitation for years to come.
If you thought the “Heartbleed” exploit was old, just wait till you hear about Shellshock. Shellshock famously affected millions of Mac and Linux systems throughout 2014 using a 25-year-old exploit.
That exploit was found in Unix’s “bash” shell. Since Linux and Mac OS are both built on Unix, the flaw allowed most Mac and Linux servers to be exploited.
Ultimately, by September 2014, thousands of machines had been infected with Shellshock-exploiting malware that made them part of botnets used for DDoS attacks.
Shellshock was thought to be slightly worse than Heartbleed. Making matters worse was that the first patch for Shellshock – prepared by the US Computer Emergency Readiness Team in September – had a bug which made it useless.
POODLE was arguably the cutest-named major exploit of 2014. POODLE, unfortunately, was not so cute in its mechanisms. POODLE was a bug in SSL version 3 which allowed an attacker to hijack a user’s session and intercept all data transmitted between a computer and an encrypted online service.
POODLE was used to exploit PCs and phones that connected to secure servers online. It was initially discovered by Google researchers.
The only major restriction to POODLE was that attackers had to be on the same network as their victims. This is why smart PC security experts avoided Starbucks and other public Wi-Fi networks for weeks after POODLE was discovered.
BadUSB was an attack which exploited a problem in most USB devices. USB device firmware is rewritable, which means that an attacker can edit that firmware to deliver malware to a targeted computer.
The genius part of BadUSB is that this malware is written onto the USB controller chip – not the flash memory. Your antivirus software will typically scan the flash memory on the USB stick while ignoring the USB controller chip, which allowed BadUSB to silently infect computers.
Ultimately, only about half of all USB chips are rewritable. Nevertheless, security researchers recommend treating USB chips like needles: don’t share them or plug them into an untrusted machine (great analogy for all the heroin addicts out there).
Gotofail was one of the biggest bugs of 2014 that nobody heard about. There were two reasons Gotofail wasn’t extensively discussed in 2014:
- First, it exclusively affected Apple users
- Second, it was overshadowed by larger Apple viruses like Shellshock
But Gotofail was a serious problem. Gotofail was discovered in February 2014, when Apple revealed that its users could have their encrypted internet traffic intercepted by anyone on their network.
The flaw was disturbingly simple: attackers simply needed to exploit a misplaced “goto” command in the code. That’s why this exploit was called “Gotofail.” That command affected SSL and TLS encryption on Mac OS, ultimately leaving users severely vulnerable.
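The shape of the bug described above, as an added example that is not from the original post and is not Apple's code: a constructed C verifier in which a stray second `goto fail;` skips the signature check while the error code still reads success, next to a hardened version. The function names and sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the handshake checks; not Apple's code. */
static int check_hash(const char *msg) { return msg != NULL ? 0 : -1; }
static int check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed shape: the second "goto fail" is not governed by the if, so it
 * always runs. check_signature() is never reached and err is still 0. */
int verify_flawed(const char *msg, const char *sig, const char *expected) {
    int err;
    if ((err = check_hash(msg)) != 0)
        goto fail;
        goto fail;              /* misplaced duplicate line */
    if ((err = check_signature(sig, expected)) != 0)
        goto fail;
fail:
    return err;                 /* 0 means "verified" */
}

/* Hardened shape: braces on every branch, and the result starts as
 * failure and becomes success only after every check has passed. */
int verify_fixed(const char *msg, const char *sig, const char *expected) {
    int err = -1;
    if (check_hash(msg) != 0) {
        goto done;
    }
    if (check_signature(sig, expected) != 0) {
        goto done;
    }
    err = 0;
done:
    return err;
}

int main(void) {
    /* Constructed sample values: "forged" does not match "good". */
    printf("flawed, forged sig: %d\n", verify_flawed("hello", "forged", "good"));
    printf("fixed,  forged sig: %d\n", verify_fixed("hello", "forged", "good"));
    printf("fixed,  valid sig:  %d\n", verify_fixed("hello", "good", "good"));
    return 0;
}
```

Compiling the flawed function with gcc's `-Wmisleading-indentation` or clang's `-Wunreachable-code` produces a warning on the duplicated line, which is why such warnings belong in the build for security-critical code.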
A year from now, will we be writing a similar post about more 25-year-old vulnerabilities? 2014 was a particularly frightening year, which could mean that we’ll find more long-dormant vulnerabilities in the software we use.