'Venom' Security Vulnerability Threatens Most Datacenters

An anonymous reader sends a report about a new vulnerability found in open source virtualization software QEMU, which is run on hardware in datacenters around the world (CVE-2015-3456). "The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies." The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected. "Dan Kaminsky, a veteran security expert and researcher, said in an email that the bug went unnoticed for more than a decade because almost nobody looked at the legacy disk drive system, which happens to be in almost every virtualization software." The vulnerability has been dubbed "Venom," for "Virtualized Environment Neglected Operations Manipulation."

Open Source Branding

[organgtool]

Not to get too far offtopic, but as a long-time user of open source software, it bothers me that open source software seems to have inferior names for its applications (GIMP, Yakuake, etc) but very marketing-friendly names for its vulnerabilities (Heartbleed, Shellshock, Venom). If you look at closed-source software it is the complete opposite - applications have marketing-friendly names while vulnerabilities are called something like "KBstringofnumbersnobodywillrememberorcareabout". So are open source developers just much better at naming vulnerabilities or are the marketing departments of closed software companies quietly assisting with the naming of open-source vulnerabilities?

Re:Who uses virt floppy anymore

[silas_moeckel]

Yet they don't link to the bug nor can I find anything besides circular references to the Venom announcement.