Among the plethora of vulnerabilities announced in 2014, three major vulnerabilities stand out among the rest. They have become so popular that even people who do not work in the information security industry know their names - Heartbleed, Shellshock and POODLE. Since these vulnerabilities were first discovered, beginning with Heartbleed in April 2014, some individuals may be asking, "Why are there so many critical vulnerabilities coming out this year?" While it may seem like 2014 is the year of the vulnerability, in reality, this year has not been much different than years past.
According to CVE Details, a website that provides statistics based on the Common Vulnerability and Exposure (CVE) numbering system, 914 vulnerabilities rated critical were disclosed in 2013 and 972 were disclosed in 2012. In fact, in 2012 a critical PHP-CGI (CVE-2012-1823) vulnerability was disclosed that researchers are still seeing exploited to this day. In 2013, also known as the “Year of Java Zero Days,” a number of critical Java vulnerabilities were disclosed.
Only 675 critical vulnerabilities have been disclosed so far in 2014, far less than in the two years prior.
So why are vulnerabilities receiving more public exposure this year than in years past?
Let's begin with Heartbleed. The Heartbleed vulnerability stands out among other critical vulnerabilities because of the widespread use of OpenSSL, the ease and severity of exploitation and that OpenSSL is supposed to secure our traffic, not make it more vulnerable.
Shellshock is similar. The widespread use of bash and ease of exploitation made it a patching priority.
POODLE has a catchy name.
Security professionals typically refer to vulnerabilities using a combination of the vulnerable software name and actual vulnerability. If it's an older vulnerability researchers might also add in the unique CVE number. Heartbleed, Shellshock and POODLE do not fall under the typical vulnerability-naming protocol. They are the start of a new trend – naming vulnerabilities like researchers name malware (i.e. Zeus, Pony, etc.). The catchier the name, the more attention it may receive.
For example, POODLE was repeatedly reported publicly although it's not nearly as severe as the Heartbleed and Shellshock vulnerabilities. Another example, Microsoft released patches for three other zero days this month – all of which were critical and were being actively exploited in the wild. The Sandstorm vulnerability – which was the only one with the catchy name - received far more attention than the other two despite being less severe.
It's certainly understandable why researchers are trying new ways to publicize their findings. Vulnerability research is challenging and oftentimes tough to promote. If a name, website and cool logo will get you a little more visibility then why not? However, a name and a logo do not denote any kind of severity.
Whether the vulnerability has a memorable name or not, it's important that organizations have procedures and controls in place to quickly identify it and apply the necessary patches. Security controls such as automated vulnerability scanning and penetration testing are an essential part of identifying and remediating vulnerabilities across all assets. It's also critical that businesses keep their software and operating systems current. Open SSL 3.0 – where the POODLE vulnerability exists - is an antiquated encryption suite. Businesses should be using a more updated version of the protocol, TLS. If businesses find that they do not have enough resources in-house to continuously flag and remediate vulnerabilities as well as make sure their software and systems are updated and patched, they should consider partnering with an outside team of experts who can fill that manpower and skills shortage gap.We have no way of knowing when the next Heartbleed, Shellshock, or CVE-2014-4148 is going to happen, but if the past is any guide, we expect the future will bring critical vulnerabilities with it. All we can do is prepare.