Celebrity vulnerabilities: A short history of bug branding

John-Paul Power
Jul 12, 2017 · 6 min read

Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cyber security.

Image for post
Image for post
Heartbleed, which had a heart-shaped logo, was one of the first major examples of bug branding

Cyber security folks were giving names to malware for decades, while vulnerabilities had to make do with plain old Common Vulnerabilities and Exposures (CVE) numbers, but that all changed in 2014, when a trend emerged for giving bugs catchy names and, in some cases, eye-catching logos and dedicated websites. The age of bug branding had arrived.

While some believed branding helped to raise awareness among those who wouldn’t normally concern themselves with software flaws and bugs, others believed it to be a marketing ploy and that security researchers would be better served spending their time disclosing the bugs and helping users protect themselves against them.

Whatever your stance is on bug branding, you have to admit that “Oh boy, I hear that CVE-2014–6271 could be even worse than CVE-2014–0160” doesn’t quite roll off the tongue. Everyone loves a catchy name, and who doesn’t like a pretty logo? So let’s take a look at some notable vulnerabilities that have received the bug branding treatment over the past few years.

Heartbleed

Image for post
Image for post

The vulnerability was in the Heartbeat component of OpenSSL, one of the most widely used implementations of the SSL and TLS cryptographic protocols. Hundreds of thousands of websites were vulnerable to Heartbleed, and the bug allowed attackers to intercept secure communications and steal sensitive information, such as login credentials, personal data, or even decryption keys.

While the bug was first discovered by Google researchers, it was Finnish security outfit Codenomicon — which discovered the flaw independently — that was behind the branding. A Codenomicon engineer named the bug and graphic designer Leena Snidate, also a Codenomicon employee, designed the logo. The minimalist website with easy-to-understand information on the vulnerability was the final lesson in this bug branding masterclass.

Shellshock

The vulnerability has Heartbleed’s branding success to thank for its name and logo, as at first it had neither. When the bug was first disclosed, a flippant Twitter comment saying “it’s not big until there’s a logo” spurred one user to come up with the name Shellshock and knock up an impromptu logo that eventually evolved into what you see below.

Image for post
Image for post

Ghost

Image for post
Image for post

Stagefright

Stagefright’s logo wasn’t particularly eye catching and appeared to be an amalgamation of the phantom of the opera mask and the Android robot.

Image for post
Image for post

A few months later two new bugs were discovered in Android that allowed an attacker to gain control of a vulnerable device when a victim viewed a preview of an .mp3 or .mp4 file. This duo of vulnerabilities was dubbed Stagefright 2.0 but didn’t manage to get a logo from the discoverers of the bugs, although others were quick to oblige.

Image for post
Image for post

Badlock: The bug that cried wolf

Image for post
Image for post

In the end, the over-hyped bug was rated as Important, rather than Critical, by Microsoft because it couldn’t be used for remote code execution (RCE). Badlock was an elevation of privilege vulnerability, which can be serious but only if, for example, used in conjunction with a RCE bug.

The trumpet blowing that preceded Badlock annoyed a lot of people, and not just those already becoming jaded with bug branding. Some felt so strongly that they even created a website (sadlock.org) and logo to portray their frustration at what they saw as nothing more than a marketing ploy.

Image for post
Image for post

When the Heartbleed bug was discovered in 2014, the accompanying marketing campaign, with slick logo and eponymous website, helped generate headlines around the world. While the bug itself was very serious, without branding it’s hard to imagine the same amount of media coverage. However, the flurry of “celebrity” bugs that followed Heartbleed (far too many to cover in this blog) have arguably desensitized the public when it comes to “the next big vulnerability” and over-hyped bugs such as Badlock aren’t doing anything to help matters. However, people like easy-to-remember names and nice colorful logos and, even though they’re not as common as they were a few years ago, branded bugs seem to be here to stay.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.

Threat Intel

Insights into the world of threat intelligence, cybercrime…

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store