Lessons To Be Learned From The Scariest Recent Open Source Vulnerabilities

Bill Ledingham | Open Source Delivers | October 29, 2014

'Tis the season for spooks and frights, but the last thing any enterprise wants to experience is the terror of security vulnerabilities. In the past six months, we've seen three damaging open source security bugs, two of which have potentially exposed hundreds of thousands of websites and hundreds of millions of computers, servers, and devices. Of course, I'm talking about the Heartbleed and Shellshock bugs, and let's not forget the recent POODLE vulnerability.

Heartbleed was a critical vulnerability in the widely used OpenSSL cryptographic software library. It threatened to expose the names, passwords, and data of users from over 500,000 global websites, and was one of the largest security threats the Internet had yet seen. Then, along came Shellshock.

Shellshock was a flaw in the popular Bash (Bourne-Again Shell) software component for Unix-based systems – meaning computers running Unix, Linux, and some Apple Mac operating systems were at risk. While Heartbleed exposed users’ OpenSSL-protected online data, the Shellshock bug gave attackers direct access to entire systems. Shellshock continues to present a significant ongoing risk to open source software-based network infrastructure and a wide range of embedded devices, since many embedded systems are not updated during their lifetimes...