Please Stop Comparing Every Security Flaw To Heartbleed

After security firm CrowdStrike discovered a virtual machine security flaw that could (in theory) put millions of data centres at risk for malware attack this week, the comparisons came on hot, sticky, and thick. It was Heartbleed, all over again… but this time, even WORSE.

Various tech outlets called it “bigger than Heartbleed” and “much worse than Heartbleed,” and warned that it could “pack a deadlier bite than Heartbleed.” There’s just one problem: It’s a huge stretch to even compare the two vulnerabilities. It’s like comparing apples with oranges, if the apples are apples and the oranges are serious security nightmares.

After reading so many overwrought blogs, I asked some security researchers whether they thought the flaw, dubbed Venom, was really like Heartbleed.

“Heartbleed was so bad because it was a vulnerability discovered in one of the most commonly used applications for servers and had been for many years,” security researcher Adam Kujawa told me.

“Venom doesn’t come close to that kind of potential damage since the target group is so small and every minute it is shrinking as more systems get patched.” Kujawa also emphasised that no one has actually tried to exploit Venom.

“Therefore it poses no threat, at this moment, to anyone,” he said. [Emphasis mine.]

Mike Lloyd, CTO of a security analytics company, admitted that Venom was potentially serious, but said it wouldn’t cause the same ruckus as Heartbleed. “The patch and remediation for this attack are already well known and well publicised,” he said.

Cloud security expert Eric Chiu saw Venom as disturbing because it exemplified how virtual infrastructures can be at risk, but emphasised that the risk is theoretical. “We have not seen these exploits in real world environments,” he told me. Heartbleed, meanwhile, was actually exploited, an untold number of times, and it led to the theft of social security numbers and medical records.

Comparing stuff is good. Comparing stuff is fun! For example, when I say “farts are like butt burps,” I am using COMPARISON to help you understand what a fart is. I could also say “farts are worse than burps,” if I wanted to describe which bodily function I found more offensive. But if I said “farts are like 9/11,” the comparison would lose its credibility, as any sane person would assume that I either didn’t understand farts or didn’t understand human tragedy on a grand scale.

It’s important that security researchers and the media help spread the word that a vulnerability needs fixing, but reporting on a theoretical threat like Venom in this way is bad. The hyperbole stirs up unnecessary fears. When people cry Heartbleed over any newly discovered security vulnerability, it becomes hard to tell when something is actually a serious threat and when it is just a troubling but fixable vulnerability that hasn’t yet been exploited. The sensationalism dulls our ability to discern a real threat from a theoretical and unlikely one.

Picture: Kelsey Campbell-Dollaghan