Start stockpiling tinned beans and ammo: This malware will end civilisation
*YAWN* A tale of 3 overhyped SSL vulns
Media hype is affecting vendors’ patching strategies to the detriment of internet security, vulnerability management firm Secunia warns.
The high-profile Heartbleed OpenSSL vulnerability triggered the mass patching of 600 products by more than 100 vendors within just 40 days. A further OpenSSL vulnerability from June 2014 led to a patch for 800 affected products. Yet a third OpenSSL vulnerability in August led to a patch of just 75 products.
Kasper Lindgaard, Secunia's director of research and security, told El Reg that although there were differences between the August vulnerability and Heartbleed, the flaws were of comparable severity. At least 200 products were affected by the August vulnerability but only 75 were actually patched within a month or so. The inference is that because no one was shouting from the rooftops about the latter, nothing got done.
Heartbleed, which surfaced in April 2014, was easy to exploit but was only ever an information disclosure flaw. One of the later flaws actually represented a more severe code execution risk.
Lindgaard commented: "Heartbleed was the best publicity a single vulnerability has ever received. However, corporate security teams need to be aware of all vulnerabilities, not just those with a catchy name."
Secunia's comments reflect a much wider world-weariness about logos for vulnerabilities. Heartbleed set a trend in which the security world saw actual logos created to accompany vulnerabilities. It was soon followed by Shellshock, a bug in the Bash shell that surfaced last September; the Poodle crypto bug; and, most recently, Ghost, involving the glibc library, all of which were similarly hyped.
B-Sides founder Jack Daniel noted wryly: "Time to up your game. Cool name and logo not enough. If your 0-day doesn't have theme music, I don't wanna know about it."
And of course there are jokes about needing to design a logo before concerning yourself with patching these days.
And security types have even started blogging about the graphics of vulnerability logos in a meta-tastic development that risks, well, metastasising. ®