Security vendors move to calm Venom fears

New security vulnerability could affect thousands of organisations

Security vendors such as F5 Networks, FireEye and Citrix have issued advisory notes and patches following the discovery of a new security vulnerability with the potential to affect thousands of businesses.

The so-called Venom vulnerability affects the virtual floppy disc drive code used by many vendors in their virtualisation products, according to CrowdStrike, which discovered the problem.

"Exploitation of the Venom vulnerability can expose access to corporate intellectual property in addition to sensitive and personally identifiable information, potentially impacting the thousands of organisations and millions of end users that rely on affected virtual machines for the allocation of shared computing resources, as well as connectivity, storage, security, and privacy," the firm said.

On a webpage dedicated to informing the public about its find, CrowdStrike said Microsoft and VMware technology was not affected by the bug, but linked through to a number of other vendors, such as Citrix, FireEye, Rackspace and F5 Networks, which issued either customer advisories or patches.

The firm said the bug has existed since 2004 and, although the technology it affects is outdated, it is still a risk.

"For many of the affected virtualisation products, a virtual floppy drive is added to new virtual machines by default. And on Xen and QEMU [virtualisation products], even if the administrator explicitly disables the virtual floppy drive, an unrelated bug causes the vulnerable code to remain active and exploitable by attackers."