New Venom flaw may be worse than Heartbleed, researchers warn

With the digital world still recovering from the Heartbleed bug, there's a new nastily named vulnerability in town, and its consequences could be even more catastrophic. The zero-day flaw could theoretically allow an attacker to take over a data centre from within.

CrowdStrike's Jason Geffner, who found the bug, has christened it Virtualized Environment Neglected Operations Manipulation - or Venom for short.

It uses a bug inside a legacy virtual floppy disk controller that then allows someone to jump around inside a server on to virtual machines and operating systems that they shouldn't have access to.

The vulnerability was discovered in open source computer emulator QEMU and dates back to 2004. QEMU is used by many modern virtualization platforms, including Xen, KVM and Oracle's VirtualBox. VMWare, Microsoft Hyper-V and Bochs are unaffected.

Millions of machines

"Millions of virtual machines are using one of these vulnerable platforms," Geffner explained to ZDNet. "Heartbleed lets an adversary look through the window of a house and gather information based on what they see; Venom allows a person to break into a house, but also every other house in the neighbourhood as well."

To put it another way, once a hacker has gained access to one part of a data centre, it's possible for that person to then snoop around the rest of it - even if the servers are owned by different companies or running different software.

The good news is that security experts are already on the case. According to ZDNet, Oracle has already started patching its systems and is planning to release a maintenance update soon.

Those updates will be needed - it already looks like Venom will be the most serious vulnerability of the year.

• Do you remember the Heartbleed bug?