Celebrity vulnerabilities: A short history of bug branding
Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cyber security.
Cyber security folks were giving names to malware for decades, while vulnerabilities had to make do with plain old Common Vulnerabilities and Exposures (CVE) numbers, but that all changed in 2014, when a trend emerged for giving bugs catchy names and, in some cases, eye-catching logos and dedicated websites. The age of bug branding had arrived.
While some believed branding helped to raise awareness among those who wouldn’t normally concern themselves with software flaws and bugs, others believed it to be a marketing ploy and that security researchers would be better served spending their time disclosing the bugs and helping users protect themselves against them.
Whatever your stance is on bug branding, you have to admit that “Oh boy, I hear that CVE-2014-6271 could be even worse than CVE-2014-0160” doesn’t quite roll off the tongue. Everyone loves a catchy name, and who doesn’t like a pretty logo? So let’s take a look at some notable vulnerabilities that have received the bug branding treatment over the past few years.
The OpenSSL TLS ‘heartbeat’ Extension Information Disclosure Vulnerability (CVE-2014-0160), better known by its stage name Heartbleed, may not have been the first branded vulnerability, but it was the first to have a marketing strategy. It arrived on the scene in April 2014 with its own website (heartbleed.com) and evocative bleeding heart logo, which was quickly shared on social media and by news agencies around the world.
The vulnerability was in the Heartbeat component of OpenSSL, one of the most widely used implementations of the SSL and TLS cryptographic protocols. Hundreds of thousands of websites were vulnerable to Heartbleed, and the bug allowed attackers to intercept secure communications and steal sensitive information, such as login credentials, personal data, or even decryption keys.
While the bug was first discovered by Google researchers, it was Finnish security outfit Codenomicon — which discovered the flaw independently — that was behind the branding. A Codenomicon engineer named the bug and graphic designer Leena Snidate, also a Codenomicon employee, designed the logo. The minimalist website with easy-to-understand information on the vulnerability was the final lesson in this bug branding masterclass.
Also disclosed in 2014, Shellshock (also known as Bashbug and Bashdoor) affected most versions of the Linux and Unix operating systems, as well as Mac OS X. Otherwise known as the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271), Shellshock was found in the command language interpreter Bash and could allow an attacker to take control of a vulnerable computer. Web servers were particularly at risk from this bug.
The vulnerability has Heartbleed’s branding success to thank for its name and logo, as at first it had neither. When the bug was first disclosed, a flippant Twitter comment saying “it’s not big until there’s a logo” spurred one user to come up with the name Shellshock and knock up an impromptu logo that eventually evolved into what you see below.
The GNU glibc CVE-2015-0235 Remote Heap Buffer Overflow Vulnerability (CVE-2015-0235) was given the catchy name of Ghost because it can be triggered by the GetHOST functions. The Ghost bug enabled attackers to take control of compromised Linux computers without any prior knowledge of system credentials. The bug was present in the Linux GNU C Library (glibc) and on first appearance seemed just as serious as Heartbleed or Shellshock. However, upon closer examination Ghost turned out to be less scary than its name suggested. This prompted some, who were perhaps already becoming fed up of the celebrity bug craze, to have a little fun at the expense of Ghost and branded bugs in general.
Stagefright was the name given to a set of seven vulnerabilities in an Android component known as, funnily enough, Stagefright, which is used for media playback. This bug was considered quite serious as there were reports that up to 95 percent of all Android devices at the time were vulnerable to it. Adding to this was the fact that Stagefright was worryingly easy for attackers to exploit. All an attacker needed to do in order to be able to execute code remotely or steal information from a device was to send the vulnerable device a specially crafted multimedia message (MMS). In some cases, the victim didn’t even have to open the message in order for the exploit to trigger. While Google was quick to issue a patch, many users had to wait until their device manufacturer rolled out the fix to them, and many older devices were out of luck when it came to being patched.
Stagefright’s logo wasn’t particularly eye catching and appeared to be an amalgamation of the phantom of the opera mask and the Android robot.
A few months later two new bugs were discovered in Android that allowed an attacker to gain control of a vulnerable device when a victim viewed a preview of an .mp3 or .mp4 file. This duo of vulnerabilities was dubbed Stagefright 2.0 but didn’t manage to get a logo from the discoverers of the bugs, although others were quick to oblige.
Badlock: The bug that cried wolf
If Heartbleed’s branding could be considered a success story, its polar opposite would have to be Badlock. In March 2016, news emerged of a “crucial” vulnerability in Windows and Samba software. While the public was informed that both Microsoft and Samba were working on a fix, which was due to arrive in a few weeks, there was little more information available. However, the firm that discovered the bug had coined a catchy name, crafted a nifty logo, and set up a dedicated website: all standard practice in the world of bug branding. However, when details finally emerged, Badlock wasn’t as bad as it was made out to be.
In the end, the over-hyped bug was rated as Important, rather than Critical, by Microsoft because it couldn’t be used for remote code execution (RCE). Badlock was an elevation of privilege vulnerability, which can be serious but only if, for example, used in conjunction with an RCE bug.
The trumpet blowing that preceded Badlock annoyed a lot of people, and not just those already becoming jaded with bug branding. Some felt so strongly that they even created a website (sadlock.org) and logo to portray their frustration at what they saw as nothing more than a marketing ploy.
When the Heartbleed bug was discovered in 2014, the accompanying marketing campaign, with slick logo and eponymous website, helped generate headlines around the world. While the bug itself was very serious, without branding it’s hard to imagine the same amount of media coverage. However, the flurry of “celebrity” bugs that followed Heartbleed (far too many to cover in this blog) has arguably desensitized the public when it comes to “the next big vulnerability”, and over-hyped bugs such as Badlock aren’t doing anything to help matters. Still, people like easy-to-remember names and nice colorful logos and, even though they’re not as common as they were a few years ago, branded bugs seem to be here to stay.