Meet Shellshock, the new major security threat to the Internet
This is bad. Really bad.
Hackers have begun creating malicious programs to take advantage of a major new cybersecurity bug discovered this week.
The so-called “Shellshock” bug is already being compared, in terms of the threat it presents, to the Heartbleed vulnerability discovered earlier this year in the OpenSSL cryptographic software library, which is used to encrypt Web traffic.
Discovered by Akamai security researcher Stephane Chazelas in Bash (Bourne-Again Shell), Shellshock primarily leaves Linux and Mac OS X machines at risk. Bash is a command-line interpreter, known commonly as the “terminal” on Mac OS X—it allows users to run programs by typing commands in text, rather than by clicking an icon, among other functions. Shellshock reportedly compromises all versions of Bash up to and including version 4.3.
According to the U.S. government National Vulnerability Database (NVD), Shellshock is highly exploitable (ranked 10/10), does not require attackers to bypass any logins, and can be used to steal information or disrupt affected systems. Apache Web servers are said to be at the most risk due to the high number of processes that rely on Bash, while individuals using Debian-derived systems running Dash, such as the popular Linux distribution Ubuntu, are thought not to be vulnerable.
Here’s programmer and comedian Tom Scott explaining Shellshock as simply as one can:
The first report of Shellshock being exploited “in the wild” was documented by security researcher Yinette. The malware was documented as “CVE-2014-6271.” Numerous other reports have been made showing similar malware in use.
— Yinette (@yinettesys) September 25, 2014
Holy cow there are a lot of .mil and .gov sites that are going to get owned by CVE-2014-6271.
— Kenn White (@kennwhite) September 24, 2014
As reported by ZDNet, security researcher Robert Graham conducted a light scan this morning, and discovered at least 3,000 systems vulnerable to the bug. Graham notes that Shellshock is “wormable,” meaning it can infect other parts of a network once it has made its way inside. He writes:
“Consequently, even though my light scan found only 3,000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would ‘game over’ for large networks.”
Researchers analyzing malware said to be exploiting the Shellshock bug have found a variety of functions, which may attempt to steal key user passcodes, or even convert the infected systems into IRC bots used to launch distributed-denial-of-service (DDoS) attacks.
The biggest threat posed by Shellshock right now is that it’s old—really old. That means, unlike Heartbleed, which affected only a specific version of OpenSSL, malware exploiting the bug will find no shortage of targets.
Thankfully, the Linux community has already begun releasing patches for Shellshock, which coders say should partially deal with potential attacks. A statement from open-source software company Red Hat advises users to implement the newest version of Bash, which includes an incomplete patch for Shellshock.
“We are working on patches in conjunction with the upstream developers as a critical priority,” the company said.
At the moment, it’s a race between companies working to patch the bug and malicious hackers hoping to take advantage of it. It is not currently clear what risks average Web users face. The Daily Dot will report on more fixes for Shellshock as they become available.
H/T ZDNet | Illustration by Fernando Alfonso III
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.