The safety and security of our information online are not something that can be neglected anymore, especially not these days, when everyone seems to know how to spy on others and has means to do easily do it. Data breaches now occur literally every day, and hackers can get away with sensitive data that’s otherwise worth millions of dollars. Many several ways of exploiting people can be bought or sold for Bitcoins in the deep web. There were more than 6400 different security vulnerabilities or exposures only during the past year, some of which were pretty big ones, and were found in vendors that are the literal backbone of the entire Internet.
Top 5 Security Vulnerabilities in the year 2016
To demonstrate the biggest of these security vulnerabilities, we’ve decided to create a list of the five biggest ones in 2016:
This is a kernel vulnerability that was discovered last year by Phil Oester, and it can allow users without any privilege to increase the possibilities and escalate their privilege to root. As many of you know, a root is pretty much the highest privilege when it comes to LINUX and UNIX systems, and any user that possesses it has automatic access to all the files.
This is what we call a privilege escalation. Linux uses a technique known as Change-on-Write (COW) when it needs to reduce duplication of memory objects. If an under-privileged user was to utilize the Race condition, they could get the ability to modify any of the read-only objects, which is something that shouldn’t happen. This was the greatest and most dangerous of all security vulnerabilities that were discovered during last year.
For those who don’t know, PHPMailer is an email sending library, and one of the most widely used, at that. Last year, it was discovered by Dawid Golunski that it’s vulnerable to an RCE (Remote Code Execution). What this means, is that basically anyone can potentially execute shell commands on any web server via this flaw. RCE will happen every time when a shell command was set in the “From:” section of an email, and everyone who uses PHPMailer should look for an upgrade as soon as possible.
ImageTragick was discovered last year by Nikolay Ermishki. Many believe it to be the most impactive bug discovered in 2016. It works by allowing code executions that can be activated remotely during conversions of a few file formats, all because of insufficient filtering when it comes to filenames that are passed to delegate’s command. Many different companies and organizations were vulnerable to attacks because of this bug, and it was heavily exploited as well, so it’s not that strange to be one of the most notorious bugs of 2016.
Decrypting RSA with Obsolete and Weakened eNcryption, also known as DROWN, is another one of the biggest bugs from last year, and his one was discovered to exploit flaws in SSLv2, in a way that allows hackers to decrypt any communications that work by using SSL or TLS. When it comes to categorizing this attack, its most accurate description would be a cross-protocol attack. Basically, anyone who has SSLv2 enabled on their server is vulnerable to DROWN. With that in mind, it’s not surprising to find out that 17% of all the servers on the entire internet were exposed to data theft in 2016.
In this day and age, not even images are harmless anymore, which was proved by CVE-2016-4631, a maliciously crafted image that was discovered by Tyler Bohan, a security researcher from the company called Talos Security. Bohan discovered that this vulnerability is quite a threat, especially when it comes to Apple fans.
This attack can cause remote code executions after it creates a heap-based buffer overflow on Apple devices and systems. The threat that this attack poses is truly significant.
There are many other big security vulnerabilities that were both discovered and also patched during the course of 2016. Anyone who is aware of security vulnerabilities like these could easily take the entire internet hostage, and it’s a threat that nobody can ignore. That is why researchers are doing their best to patch every bug up, and why bug bounties can be quite large sometimes. This situation largely increases the need for bug bounty hunters, and it’s better to motivate hackers to report the bugs than to do nothing and let them sell the info to someone who wants to do harm.