Top 5 Worst Software Exploits of 2014

Dec 26th 2014 - by Fix My PC FREE in: Blog PC Protection News | 0 Comment

ATTENTION, PLEASE!

Malware may reinstall itself multiple times if you don't delete its core files. This may require tracking down dozens of files in different locations.

We recommend downloading Advanced System Repair to eradicate Malware for you (it should cut down the time to about 15 minutes).

>> Download Advanced System Repair <<
Top 5 Worst Software Exploits of 2014

2014 was a surprisingly bad year for software exploits. Systems that we thought were impenetrable – like Open SSL – showed some huge weaknesses. Hackers took full advantage of these weaknesses and dealt some major damage.

Without further ado, here are the top 5 worst software exploits of 2014:

5) Heartbleed

Heartbleed sounds like a type of heart disease. But it’s not. Heartbleed was a dangerous vulnerability we first learned about in April.

Despite being discovered in 2014, Heartbleed had actually existed for about two years. Heartbleed was a vulnerability in Open SSL, an encryption software used by two thirds of the world’s websites and servers.

In other words, two thirds of the world’s websites and servers were instantly discovered to be vulnerable to a hacking attack.

It’s unknown how much damage was caused by Heartbleed. It could have been nothing, or it could have been a lot. So far, however, many Open SSL devices still have not been patched, which means they’re as vulnerable to attack as ever before.

Reportedly, up to 30,000 devices still use the old, unpatched version of Open SSL, including printers, firewalls, routers, and storage servers. That’s a problem – and it could leave many people open for exploitation for years to come

4) Shellshock

If you thought the “Heartbleed” exploit was old, just wait tell you hear about Shellshock. Shellshock famously affected millions of Mac and Linux systems throughout 2014 using a 25 year old exploit.

shellshock

That exploit was found in Unix’s “bash” feature. Since Linux and Mac OS are both built on Unix, the flaw allowed most Mac and Linux servers to be exploited.

Ultimately, by September 2014, thousands of machines had been infected with Shellshock-exploiting malware that made them part of botnets used for DDoS attacks.

Shellshock was thought to be slightly worse than Heartbleed. Making matters worse was that the first patch for Shellshock – prepared by the US Computer Emergency Readiness Team in September – had a bug which made it useless.

3) POODLE

Poodle was arguably the cutest-named major exploit of 2014. POODLE, unfortunately, was not so cute in its mechanisms. POODLE was a bug in SSL version 3 which allowed an attacker to hijack a user’s session and intercept all data transmitted between a computer an encrypted online service.

poodle exploit

POODLE was used to exploit PCs and phones that connected to secure servers online. It was initially discovered by Google researchers.

The only major restriction to POODLE was that attackers had to be on the same network as their victims. This is why smart PC security experts avoided Starbucks and other public Wi-Fi networks for weeks after POODLE was discovered.

2) BadUSB

BadUSB was an attack which exploited a problem in most USB devices. USB device firmware is rewritable, which means that an attacker can edit that firmware to deliver malware to a targeted computer.

The genius part of BadUSB is that this malware is written onto the USB controller chip  – not the flash memory. Your antivirus software will typically scan the flash memory on the USB stick while ignoring the USB controller chip, which allowed BadUSB to silently infect computers.

badusb

Ultimately, only about half of all USB chips are rewritable. Nevertheless, security researchers recommend treating USB chips like needles: don’t share them or plug them into an untrusted machine (great analogy for all the heroin addicts out there).

1) Gotofail

Was one of the biggest bugs of 2014 that nobody heard about. There were two reasons Gotofail wasn’t extensively discussed in 2014:

-First, it exclusively affected Apple users

-Second, it was overshadowed by larger Apple viruses like Shellshock

But Gotofail was a serious problem. Gotofail was discovered in February 2014, when Apple revealed that its users could have their encrypted internet traffic intercepted by anyone on their network.

goto fail

The flaw was disturbingly simple: attackers simply needed to exploit a misplaced “goto” command in the code. That’s why this exploit was called “Gotofail.”. That command affected SSL and TLS encryption on Mac OS, ultimately leaving users severely vulnerable.

A year from now, will we be writing a similar post about more 25-year old vulnerabilities? 2014 was a particularly frightening year, which could mean that we’ll find more long-dormant vulnerabilities in the software we use.

No Comment

Leave a Reply

Name Required

Website