
The VENOM Vulnerability: Is Its Name Scarier Than Its Bite?


Written by Sue Poremba
May 14, 2015

Just when you think it is safe to move data into the cloud, we get news about a vulnerability that puts cloud security at risk.

The new bug is called VENOM, an acronym for virtualized environment neglected operations manipulation. Bill Weinberg, senior director of open source strategy at Black Duck Software, explained it to me in an email:

VENOM is a zero-day vulnerability that breaks down the isolation across virtual machines hosted on QEMU-based hypervisors. Such isolation is viewed as one of the key benefits of virtualization, obviously for security, but also for modularization, scalability, high availability and separation of critical IP. These hypervisors include QEMU itself, Xen (the foundation for Citrix platforms), the Linux Kernel Virtual Machine (KVM) and Oracle’s VirtualBox – the core of the cloud and a myriad of other application domains.

VENOM is being compared to Heartbleed, and some media and experts are calling it an even bigger deal than Heartbleed. Jason Geffner, a researcher with CrowdStrike who discovered the bug, was quoted in ZDNet:

Heartbleed lets an adversary look through the window of a house and gather information based on what they see. VENOM allows a person to break in to a house, but also every other house in the neighborhood as well.

Others are a little more skeptical of how dangerous VENOM really is. In Forbes, Zach Lanier, a researcher at security provider Accuvant Labs, said he thinks the bug rates only a “moderate” severity and pointed out:

VENOM is an interesting bug, though not unprecedented and no exploits have been seen in the wild, neither have any guest-to-host escapes against a provider been seen before.

Data Security

The researchers at Symantec also question the comparisons to Heartbleed. In a blog post, they write that the damage that could be done by VENOM really depends on how vulnerable your system is and the type of data you are running in the cloud. Sensitive data could be at great risk, but then, there are a lot of questions about sensitive data in the cloud even in the most secure situations.

This might be the first big vulnerability to hit cloud computing, but as Jeff Williams, CTO at Contrast Security, told me in an email, we shouldn’t be surprised by it:

There’s a lot of old software out there that hasn’t received any scrutiny. For every one of these latent flaws that gets discovered, there are thousands more in operating systems, libraries, components, etc.

Just because millions of hosts are vulnerable does not mean that they will actually be exploited. Most likely, they will all get patched quickly and we can get back to business. Just like Heartbleed.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba.

Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
