'Venom' flaw discovered in cloud security

Cloud providers scrambled Wednesday to patch a bug that could potentially let hackers take over the entire host operating system on their servers.

Researchers at security firm CrowdStrike revealed the flaw, dubbed “Venom,” Wednesday morning. They warned it could expose intellectual property and personal data at the thousands of organizations — and their millions of customers — using cloud hosting.

Cloud hosting gives companies a cost-effective way to store information, bolster security and run their network by relying on shared computing resources.

Cloud service providers, such as Amazon Web Services (AWS) and Rackspace, keep each company’s data segregated by creating a “virtual machine” for each firm. The machines were thought to be walled off from one another within the server, reducing fears that hackers could infiltrate every firm’s database simply by cracking one virtual machine.

But the Venom flaw shattered that notion Wednesday.

“This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host,” CrowdStrike said.

The bug has existed since 2004, CrowdStrike said.

While Venom was initially compared to the "Heartbleed" bug — a massive Web encryption flaw that put bank accounts, emails and nearly all websites at risk — many security researchers tamped down fears throughout the day.

“Just because millions of hosts are vulnerable, does not mean that they will actually be exploited,” said Jeff Williams, chief technology officer at Contrast Security, by email. “Most likely, they will all get patched quickly and we can get back to business.”

Indeed, Amazon speedily issued a statement emphasizing, “There is no risk to AWS customer data.”

Others, such as Rackspace, said they had implemented a patch and were “working with customers to fully remediate this vulnerability.”

There is no evidence yet that hackers have taken advantage of the possible opening.