Venom Security Threat: Better Business Bureau Says Most Don’t Need to Worry

May 13, 2015

Arlington, VA
Better Business Bureau is telling consumers and businesses not to panic over a newly-discovered security vulnerability, dubbed VENOM for “Virtualized Environment Neglected Operations Manipulation” by the researcher at the technology security firm CrowdStrike who discovered it.

“Although the vulnerability is widespread, it’s not likely to impact individual consumers or the majority of small businesses,” said Bill Fanelli, chief security officer at the Council of Better Business Bureaus. “It’s being compared to Heartbleed, but VENOM would take much more skill and planning to exploit. Fortunately, it was discovered by one of the good guys before the bad guys figured it out.”

The vulnerability has existed for more than a decade in the floppy disk code of many virtual machines that are housed together on a single server, potentially allowing malicious code to move from one system to another. The potential damage of VENOM is enormous, but patches were released this morning for most affected vendors, and most cloud-based vendors are already working to close the hole. Fanelli confirmed that BBB servers are protected and that BBB data on 4.7 million businesses, including millions of consumer complaints, are secure.

BBB advises that most consumers and small businesses do not need to do anything:

  • You are safe if:
    • You have no virtual machines
    • Your virtual machines are VMware and Microsoft Hyper-V
  • You need to take additional action if:
    • You have other types of virtual machines such as Xen, KVM, Oracle's VirtualBox, or other Linux variants
    • You have services in the cloud that might use vulnerable virtual machines

For technical details, see