Vulnerabilities Come in Waves

By Harold Byun, VP Products | May 4, 2018

VULNERABILITY WAVE EXAMPLES

In April 2014, a two-year-old zero-day vulnerability was discovered in OpenSSL. Heartbleed represented a new finding in TLS implementations that exposed over 800,000 websites. In the subsequent months through 2014, four additional vulnerabilities were uncovered that allowed for potential unauthorized access to data via man-in-the-middle (MITM) attacks or other methods, POODLE likely being one of the more prevalent ones uncovered.


In April 2016, a significant arbitrary code execution vulnerability was discovered in Apache Struts. At the time, this event barely registered a blip in the news outside of NVD, MITRE and security-focused organizations. Over the next 15 months, there were, coincidentally, 15 additional code execution or privilege escalation vulnerabilities uncovered in Apache Struts. Perhaps the most notable was CVE-2017-5638, published in March 2017, which has been recognized as the initial exploit used in the Equifax hack.


A NEW CLASS OF VULNERABILITIES

Along these lines, TechCrunch recently published a great article by Andrew Lohn on the latest memory side-channel vulnerabilities. It details the follow-up trend of vulnerabilities that have been uncovered since Spectre and Meltdown were published in January of this year. Since that original publication, additional vulnerabilities have been announced (RyzenFall, Fallout and Chimera), and most recently there is indication of over twenty new “Spectre-class” vulnerabilities (8 Intel, 13 AMD) that are in the process of being fixed.

These new hardware-based vulnerabilities create multiple challenges: they take longer to fix and patch, and as companies move to cloud providers, there are no guarantees about what hardware their applications are running on. Put another way, the ground we all thought we were standing on to process our data doesn’t seem as stable as we once thought. The wave has now graduated to a “class” of vulnerabilities.

(See our original write-up on Spectre and Meltdown here.)


WHAT ARE THE ODDS?

My point is that vulnerabilities get uncovered in an application, a service component or the underlying hardware, and they tend to come in waves. This is important for a couple of reasons:

(1) It drives awareness around a new threat vector, and

(2) it also means that organizations can begin to incorporate a probability score into how they assess vulnerability risk.

In other words, where there’s smoke there’s fire, and that should be used as an indicator to help drive prioritization and focus amidst all the noise in security and remediation.
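One way to turn the "waves" observation into a prioritization signal, as an added example that is not part of the original post or of Baffle's products: each finding's base severity is multiplied by a wave factor that grows with the number of other disclosures against the same component in the trailing twelve months. The disclosure records, identifiers, dates, severities and the step/cap weights are all constructed assumptions for illustration, not real CVE data.

```python
"""Wave-aware vulnerability prioritisation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Disclosure:
    vuln_id: str      # placeholder identifier (constructed, not a real CVE id)
    component: str    # affected library, product or hardware family
    published: date   # disclosure date (constructed)
    severity: float   # base severity on a 0-10 scale, e.g. a CVSS base score


# Constructed sample history, loosely shaped like the OpenSSL and Struts
# waves described in the post. Dates and scores are illustrative only.
SAMPLE = [
    Disclosure("OPENSSL-A", "openssl", date(2014, 4, 7), 7.5),
    Disclosure("OPENSSL-B", "openssl", date(2014, 6, 5), 5.9),
    Disclosure("OPENSSL-C", "openssl", date(2014, 10, 14), 4.3),
    Disclosure("STRUTS-A", "apache-struts", date(2016, 4, 20), 9.8),
    Disclosure("STRUTS-B", "apache-struts", date(2016, 6, 10), 9.8),
    Disclosure("STRUTS-C", "apache-struts", date(2016, 10, 3), 7.5),
    Disclosure("STRUTS-D", "apache-struts", date(2017, 3, 7), 9.8),
    Disclosure("LIBFOO-A", "libfoo", date(2017, 3, 1), 9.8),  # isolated finding
]

WINDOW = timedelta(days=365)  # trailing window that defines "the same wave"


def wave_count(target, history):
    """Other disclosures for the same component published in the window
    ending at the target's own publication date."""
    return sum(
        1 for d in history
        if d.component == target.component
        and d.vuln_id != target.vuln_id
        and target.published - WINDOW <= d.published <= target.published
    )


def wave_score(target, history, step=0.25, cap=2.0):
    """Multiplier on base severity: 1.0 for an isolated finding, plus `step`
    per related disclosure in the window, capped so one component cannot
    crowd out everything else. The weights are assumptions, tune to taste."""
    return min(cap, 1.0 + step * wave_count(target, history))


def prioritise(history):
    """Return (adjusted_priority, disclosure) pairs, highest priority first."""
    ranked = [(round(d.severity * wave_score(d, history), 2), d) for d in history]
    ranked.sort(key=lambda pair: (-pair[0], pair[1].vuln_id))
    return ranked
```

With the sample data, the fourth Struts finding outranks the equally severe but isolated `LIBFOO-A`, which is the "where there's smoke, there's fire" effect expressed as a number.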
