- Who is Cletus Kasady, Woody Harrelson’s character in ‘Venom 2’? 5 Years Ago
- What is biometric data? Today 6:30 AM
- Cooking Mama’s return whips up a fresh batch of memes Tuesday 8:18 PM
- Influencer body-shames model, Photoshops photo of self to ‘prove point’ Tuesday 7:27 PM
- Boosie Badazz goes on transphobic rant about Dwyane Wade’s daughter Tuesday 6:34 PM
- Royal Family’s website accidentally links to porn instead of charity Tuesday 5:39 PM
- Republican senator spreads false conspiracy about coronavirus Tuesday 5:11 PM
- New DNA technology could help exonerate Black man serving life sentence Tuesday 4:24 PM
- ‘SNL’s’ Kenan Thompson to host the White House Correspondents’ Dinner Tuesday 3:58 PM
- Singer Summer Walker dragged for insensitive HIV comments Tuesday 2:39 PM
- This video of a teddy bear getting steam cleaned makes a perfect meme Tuesday 2:27 PM
- Ted Cruz goes on Twitter tirade over proposed vasectomy bill Tuesday 2:22 PM
- Billie Eilish says she’s stopped reading Instagram comments Tuesday 2:13 PM
- Christian group blames satanists for Twitter poll results Tuesday 1:41 PM
- Coronavirus has pandemic-themed video games topping charts Tuesday 12:58 PM
Meet Shellshock, the new major security threat to the Internet
This is bad. Really bad.
Hackers have begun creating malicious programs to take advantage of a major new cybersecurity bug discovered this week.
The so-called “Shellshock” bug is already being compared, in terms of the threat it presents, to the Heartbleed vulnerability discovered earlier this year in the OpenSSL cryptographic software library, which is used to encrypt Web traffic.
Discovered by Akamai security researcher Stephane Chazelas in Bash (Bourne-Again Shell), Shellshock primarily leaves Linux and Mac OS X machines at risk. Bash is a command-line interpreter, known commonly as the “terminal” on Mac OS X—it allows users to run programs by typing commands in text, rather than by clicking an icon, among other functions. Shellshock reportedly compromises all versions of Bash up to and including version 4.3.
According to the U.S. government National Vulnerability Database (NVD), Shellshock is highly exploitable (ranked 10/10), does not require attackers to bypass any logins, and can be used to steal information or disrupt affected systems. Apache Web servers are said to be at the most risk due to the high number of processes that rely on Bash, while individuals using Debian-derived systems running Dash, such as the popular Linux distribution Ubuntu, are thought not to be vulnerable.
Here’s programmer and comedian Tom Scott explaining Shellshock as simply as one can:
The first report of Shellshock being exploited “in the wild” was documented by security researcher Yinette. The malware was documented as “CVE-2014-6271.” Numerous other reports have been made showing similar malware in use.
— Yinette (@yinettesys) September 25, 2014
Holy cow there are a lot of .mil and .gov sites that are going to get owned by CVE-2014-6271.
— Kenn White (@kennwhite) September 24, 2014
As reported by ZDNet, security researcher Robert Graham conducted a light scan this morning, and discovered at least 3,000 systems vulnerable to the bug. Graham notes that Shellshock is “wormable,” meaning it can infect other parts of a network once its made its way inside. He writes:
“Consequently, even though my light scan found only 3,000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would ‘game over’ for large networks.”
Researchers analyzing malware said to be exploiting the Shellshock bug have found a variety of functions, which may attempt to steal key user passcodes, or even convert the infected systems into IRC bots used to launch distributed-denial-of-service (DDoS) attacks.
The biggest threat posed by Shellshock right now is that it’s old—really old. That means, unlike Heartbleed, which affected only a specific version of OpenSSL, malware exploiting the bug will find no shortage of targets.
Thankfully, the Linux community has already began releasing patches for Shellshock, which coders say should partially deal with potential attacks. A statement from open-source software company Red Hat advises users to implement the newest version of Bash, which includes an incomplete patch for Shellshock.
“We are working on patches in conjunction with the upstream developers as a critical priority,” the company said.
At the moment, it’s a race between companies working to patch the bug and malicious hackers hoping to take advantage of it. It is not currently clear what risks average Web users face. The Daily Dot will report on more fixes for Shellshock, as they become available.
H/T ZDNet | Illustration by Fernando Alfonso III
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.