EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

05.14.15

VENOM® is Not a Serious Bug, It’s Just a Marketing Campaign From CrowdStrike

Posted in Security at 10:47 am by Dr. Roy Schestowitz

Bugs
Image courtesy of Red Hat, demonstrating lack of correlation between severity and logos/brands

Summary: Many journalists bamboozled into becoming couriers of CrowdStrike, an insecurity firm which tries to market itself using a name and logo for a very old bug

THERE is a disproportionate level of coverage not of Free software but of bugs in Free software. We last wrote about it only days ago

A firm called CrowdStrike (who? Exactly!) is trying to emulate the ‘success’ of previous FUD campaigns. Now is the time to check who’s a real journalist (fact-checking) and who’s just serving PR campaigns like “VENOM”, a shameless FUD campaign from CrowdStrike.

The whole “VENOM” nonsense was covered in a good article titled “VENOM hype and pre-planned marketing campaign panned by experts”. To quote: “On Wednesday, CrowdStrike released details on CVE-2015-3456, also known as Venom. Venom is a vulnerability in the floppy drive emulation code used by many virtualization platforms.

“However, while it’s possible that a large number of systems are impacted by this flaw, it isn’t something that can be passively exploited.

“Several security experts discussed the flaw online, focusing on the marketing and the media attention that it generated – including some over-hyped headlines. Most media organizations were briefed ahead of time about the discovery and gagged by embargo until the Venom website launched, so they had plenty of time to write.

“Many media articles compared Venom to Heartbleed, which is an apples to oranges comparison. If anything, the only commonality is the fact that both flaws had a pre-planned marketing campaign.”

Here comes the “Heartbleed” brand. Yet again. They’re using names that are scary (even all caps, like “GHOST”) because it’s so much easier to sell than “CVE-2015-3456″. Journalists rarely have the technical knowledge to analyse a bug or a flaw, so they assume bugs and logos are indicative of severity.

This patch Tuesday Microsoft revealed 40+ vulnerabilities. Not a single one had a brand name, logo, etc. Here is how IDG covered 46 flaws publicly disclosed by Microsoft just for this Tuesday (Microsoft hides even more flaws). So many flaws were collectively covered in one article and yet there are no logos; none has any branding.

“VENOM” has become the latest example of what we call bugs with branding. This has got to stop because it corrupts journalism and makes the field of computer security almost synonymous with marketing or advertising. CrowdStrike used ALL CAPS (for emphasis rather than acronym) and connotation with poison to market itself, an insecurity firm, after finding a floppy drive bug from over a decade ago. There is a logo too (the first example we found of it), not just branding for this bug, dubbed “VENOM”.

Bug branding (turning number into branding-friendly FUD) seems to have adopted the ALL CAPS convention from “GHOST”, only for extra scare. This FUD has surfaced even in Linux-centric sites, which played along with the marketing campaign. Red Hat [1] and SJVN [2], even Phoronix [3] and Softpedia [4], have covered it by now, despite no focus on security news there.

Branding for bugs leads to stupid headlines that are more poetic than factual and are very light on facts. There is little substance there. This whole recipe (bug+brand name+logo=lots of publicity without much merit) has been repeatedly exploited to give a bad name to FOSS security. A lot of headlines try to connect this to the “Heartbleed” brand. Headlines that we have found so far (links below) include “New Venom bug hits data centers, but it’s hardly Heartbleed”, “Venom bug could allow hackers to take over cloud servers – and experts say it could be worse than Heartbleed”, “New Venom flaw may be worse than Heartbleed, researchers warn”, and “Venom vulnerability more dangerous than Heartbleed, targets most virtual machines”.

Zack Whittaker (former Microsoft staff) covered it like this in the CBS-owned tech tabloid, ZDNet: “Bigger than Heartbleed, ‘Venom’ security vulnerability threatens most datacenters”

Here is that “Heartbleed” brand again. “Please Stop Comparing Every Security Flaw to Heartbleed,” said one good headline from Gizmodo (that’s just how they covered this marketing campaign).

The word/brand “Heartbleed” was made up by a Microsoft-connected firm. Watch coverage from Microsoft-friendly sites and you will find headlines like: “Heartbleed, eat your heart out: VENOM vuln poisons countless VMs”

Dan Goodin, a foe of FOSS (from a security angle), brings in the NSA and Bitcoin to add FUD amid this branded bug/buzz. He wrote about the latest branded bug not once but twice (see links below). He is squeezing the most FOSS FUD out of it (opportunism). Kim Komando chose the headline “New bug taking over the Internet”. No sensationalism here? One press release said “Better Business Bureau Says Most Don’t Need to Worry” [about the branded bug], so there is some objectivity out there too, or an effort to calm people down.

Watch carefully how the bug is marketed in the media: Logo with SVG-like transparency; for a bug! Looks like it was prepared by graphics/marketing professionals. Are insecurity firms now liaising with marketing firms to professionally draw SVG logos for bugs? More logos for simple bugs (we found several, but one main logo) are circulating, usually with photos of snakes. See the complete list [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36] as of this morning. How much more of this FUD is going to circulate before journalists realise that they make a mountain out of a molehill?

Related/contextual items from the news:

  1. VENOM, don’t get bitten.

    CVE-2015-3456 (aka VENOM) is a security flaw in the QEMU’s Floppy Disk Controller (FDC) emulation. It can be exploited by a malicious guest user with access to the FDC I/O ports by issuing specially crafted FDC commands to the controller. It can result in guest controlled execution of arbitrary code in, and with privileges of, the corresponding QEMU process on the host. Worst case scenario this can be guest to host exit with the root privileges.

  2. For Venom security flaw, the fix is in: Patch your VM today

    The QEMU fix itself is now available in source code. Red Hat has been working on the fix since last week.

  3. VENOM Bug In QEMU Escapes VM Security
  4. 11-Year-Old Bug in Virtual Floppy Drive Code Allows Escape from Virtual Machines

    Popular virtualization platforms relying on the virtual Floppy Disk Controller code from QEMU (Quick Emulator) are susceptible to a vulnerability that allows executing code outside the guest machine.

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New

  1. IRC Proceedings: Monday, March 30, 2020

    IRC logs for Monday, March 30, 2020

  2. Links 30/3/2020: GNU Linux-libre 5.6, WireGuard 1.0.0

    Links for the day

  3. IRC Proceedings: Sunday, March 29, 2020

    IRC logs for Sunday, March 29, 2020

  4. Links 30/3/2020: Linux 5.6, Nitrux 1.2.7, Sparky 2020.03.1

    Links for the day

  5. The Fall of the UPC - Part IX: Campinos Opens His Mouth One Week Later (and It's That Hilarious Delusion Again)

    Team Campinos said nothing whatsoever about the decision of the FCC until one week later, whereupon Campinos leveraged some words from Christine Lambrecht to mislead everybody in the EPO's official "news" section

  6. Pretending EPO Corruption Stopped Under António Campinos When It is in Fact a Lot Worse in Several Respects/Aspects (Than It Was Under Benoît Battistelli)

    Germany's eagerness to keep Europe's central patent office in Munich (and to a lesser degree in Berlin) means that politicians in the capital and in Bavaria turn a blind eye to abuses, corruption and even serious crimes; this won't help Germany's image in the long run

  7. IRC Proceedings: Saturday, March 28, 2020

    IRC logs for Saturday, March 28, 2020

  8. Links 28/3/2020: Wine 5.5 Released, EasyPup 2.2.14, WordPress 5.4 RC5 and End of Truthdig

    Links for the day

  9. IRC Proceedings: Friday, March 27, 2020

    IRC logs for Friday, March 27, 2020

  10. The Fall of the UPC - Part VIII: Team UPC Celebrates Death, Not Life

    Team UPC plays psychological games now; it is trying to twist or spin its defeat as good news and something to be almost celebrated; it is really as illogical (and pathetic) as that sounds

  11. Links 27/3/2020: GNU/Linux Versus COVID-19 and Release of GNU Guile 3.0.2

    Links for the day

  12. When Your 'Business' is Just 'Patent Portfolio'

    Hoarding loads of patents may seem impressive, but eating them to survive is impossible if not impermissible

  13. LOT Network is a One-Man (Millionaire's) Operation and Why This Should Alarm You

    The ugly story of Open Invention Network (OIN) and LOT; today we take a closer look at LOT and highlight a pattern of 'cross-pollination' (people in both OIN and LOT, even at the same time)

  14. Faking Production With Fake Patents on Software

    The EPO with its illegal guidelines (in violation of the EPC) can carry on churning out millions of fake patents that European courts would only waste time on and small companies be blackmailed with (they cannot afford legal battles)

  15. With the Unified Patent Court (UPC) Out of the Way Focus Will Return to EPO Corruption

    Expect the European Patent Office (EPO) to receive more negative attention now that the ’cause’ of UPC is lost and there’s no point pretending things are rosy

  16. IRC Proceedings: Thursday, March 26, 2020

    IRC logs for Thursday, March 26, 2020

  17. Links 27/3/2020: qBittorrent 4.2.2, Krita 4.2.9, pfSense 2.4, Bodhi Linux 5

    Links for the day

  18. IRC Proceedings: Wednesday, March 25, 2020

    IRC logs for Wednesday, March 25, 2020

  19. Still Work in Progress: Getting Those 2,851 Pages of Police Report About Arrest for Pedophilia in Home of Bill Gates

    It’s extremely difficult to get those police records, which were requested exactly one day before the media started attacking Richard Stallman (associating him with pedophiles based on a deliberate distortion)

  20. Links 26/3/2020: Plasma Bigscreen, New Kubernetes, Fedora's New Identity and Bodhi Linux 5.1.0

    Links for the day

  21. Guest Article: Window Managers, Github and Software Disobedience

    "Walking away from monopolies is the essence of freedom"

  22. Links 25/3/2020: LLVM 10.0.0 and UCS 4.4-4 Released, WordPress 5.4 RC4

    Links for the day

  23. 'Team UPC' Last Week

    The looks on Team UPC's faces 5 days ago (before and after the 9:30AM announcement)

  24. The Fall of the UPC - Part VII: Lies and Revisionism About the Reasons for the UPC's Ultimate Demise (to Leave the Door Open for More Failed Attempts)

    The media was lying in a hurry, in a coordinated effort to distort the meaning of the FCC's decision or belittle the impact of this decision; Techrights will carefully watch and respond to these lies

  25. IRC Proceedings: Tuesday, March 24, 2020

    IRC logs for Tuesday, March 24, 2020

  26. Linux Foundation Became Anti-Linux, Run by Microsoft People to Serve Microsoft's Agenda

    Microsoft is taking over the bodies of healthy projects, infecting the hosts in order for them to become slaves of the proprietary parasite; there's still no (known) cure, but we're familiar with the symptoms

  27. Microsoft Continues to Attack and Steal From the Open Source/Free Software Communities

    Microsoft cannot be trusted and there's no "new Microsoft," as another fairly new story serves to show

  28. Targeted Attack Leveraging FSF Servers

    Targeted by a determined and persist perpetrator, I've received over 20,000 E-mails. And the weapon of choice was the FSF's infrastructure, remotely misused against yours truly.

  29. If We Weren't Silencing Founders, Critics and People We Just Don't Like

    "In the long run, history is rarely very kind to tyrants, especially the ones who did little more than lie to people and demand things that served no real purpose."

  30. The Fall of the UPC - Part VI: Drowning in Material

    We're starting to see few good reports on the subject of UPC being rejected by the constitutional court of Germany; we also have a rapidly-growing 'buffer' of rather blatant examples of disinformation (which we'll tackle as best we can)

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts