Cybersecurity researchers are warning that a just-discovered software bug called Venom could affect more computers than did Heartbleed, once dubbed the biggest threat to Internet security. Unlike other such major security threats, however, Venom can't be exploited remotely.
The cybersecurity company CrowdStrike in Irvine, California, announced it discovered a flaw that would make it possible for hackers to take control of cloud networks at the data centers where they're hosted. The cause of the flaw is a legacy virtual floppy disk controller that could crash an entire system if it were sent a specific code, thus giving hackers access to machines used by other cloud users or companies. But the infiltration can only be launched from within, and it can't easily or quickly be launched against a large number of cloud accounts, leading many researchers to suggest the threat is highly exaggerated.
The disclosure about Venom came a little more than a year after the revelation of the Heartbleed bug, a flaw in OpenSSL, the open-source implementation of the Secure Sockets Layer, the trusted security authentication used by millions of websites.
“Millions of virtual machines are using one of these vulnerable platforms,” Jason Geffner, the CrowdStrike researcher who discovered Venom, told ZDNet Wednesday. “Heartbleed lets an adversary look through the window of a house and gather information based on what they see. Venom allows a person to break into a house, but also every other house in the neighborhood as well.”
Multiple companies have announced they will update their infrastructures with security patches in their efforts to deal with Venom.