26-09-2014, 18:29 #1
[EN] Shellshock: Hackers Launch Thousands of Attacks
A day after the Department of Homeland Security advised Internet users and corporations about a newly discovered software bug that could affect hundreds of millions of systems, hackers had already begun exploiting the bug and companies were rushing to fix the issue for their users.
The bug, called Shellshock, affects a widely used piece of software, called Bash, which is a sort of interpreter software that is used in an array of software, including Mac’s OS X operating system. The bug could be used by hackers to take control of a machine or run programs surreptitiously in the background.
In a statement, Apple said that most of its OS X users were not at risk from the Shellshock bug because Apple’s default settings protect users from remote exploits, like the kind cybercriminals would need to use to infiltrate a personal desktop or laptop computer. The company noted, however, that if users had reconfigured their advanced Unix services (underlying code in OS X) they might face issues.
“We are working to quickly provide a software update for our advanced Unix users,” the company said in its statement.
Early Friday afternoon, the patch was not yet available.
Initially, security experts also expressed alarm that all smartphones on Google’s Android operating system would be affected. Google said on Friday, however, that Android used an alternative to Bash, called Mksh, which did not contain the vulnerability. But security experts noted that because Android is an open-source software, many corporations and users tweak it and incorporate it into other products, which could use Bash. The message is that Android users should still check to see if they are vulnerable.
Trend Micro, the security firm, said it was moving quickly to release license-free tools to scan and protect vulnerable servers, as well as web users, across Mac OS X and Linux platforms.
An official alert from the National Institute of Standards and Technology warned that the vulnerability was a 10 out of 10, in terms of its severity, impact and ability to be exploited, but low in terms of its complexity, meaning that it could be easily used by hackers.
Security researchers say that as soon as the bug was reported they detected widespread Internet scanning by so-called white hat hackers — most likely security researchers — as well as people thought to be cybercriminals. The worry is that it is only a matter of time before somebody writes a program that will use Shellshock to take over machines.
On Friday, researchers at Incapsula, the security firm, said that just in the previous 24-hour period, they had witnessed 17,400 attacks, at an average rate of 725 attacks per hour. The researchers said that more than 1,800 web domains had been attacked and that the attacks originated from 400 unique I.P. addresses, more than 55 percent of those in China and the United States.
The Department of Homeland Security’s Computer Emergency Readiness Team, US-CERT, advised users and technology administrators to refer to their Linux or Unix-based operating systems suppliers for an appropriate patch.
For users at home, security experts advised them to stay on top of software updates and check manufacturer websites, particularly for hardware like routers.
26-09-2014, 18:39 #2
"Curiously", the NYT concentrates its fire on Apple, lets Google/Android off the hook, barely mentions Linux and Unix, and doesn't even touch the name ChromeOS.
As for the "hackers", other publications have stated that most of the "attacks" are nothing more than probes by security companies compiling statistics (read: getting publicity) in order to sell services afterwards.
Last edited by 5ms; 26-09-2014 at 18:41.
26-09-2014, 18:58 #3
Bash Bug Has Cloud Providers, Linux Distro Firms on High Alert
The Linux crowd, with no fear of being happy, claimed credit for everything, but when something breaks, then it's GNU.
The widespread critical vulnerability Shellshock is the new Heartbleed. Also dubbed the “Bash Bug,” it affects GNU Bash, a very common open source program. It’s a major vulnerability but might not be a major threat depending on how quickly everything gets patched.
The GNU Bash bug is widespread and requires very little technical knowledge to exploit. It allows someone to remotely take control of a system that uses Bash. It is on par with the recent Heartbleed vulnerability in terms of the scale of potential damage.
GNU Bash is a command shell used on Linux, Mac OS X and BSD. Linux is everywhere. It’s on more than half the servers on the Internet, on Android phones, and most connected devices collectively referred to as the “Internet of Things,” thanks to Linux being open source and often the OS of choice for web stuff.
Complicating the matter is the fact that there are many Linux distributions. All of the major distribution providers have released a patch available in the base repository that provides at least a partial fix. Many are working feverishly towards fixing the vulnerability.
Cloud and hosting providers are all trying to keep customers safe. Given the amount of customers on a cloud and the amount of control they have over configurations, the vulnerability is a major concern.
This problem is not unique to one service provider, though all providers are notifying customers. Rackspace, for example, is advising customers to patch, and others are providing ongoing status or rolling out patches to those that have automatic updates.
Popular digital currency Bitcoin is also a potential target. Bitcoin Core is controlled by Bash, possibly affecting Bitcoin miners and systems. Given the worth of Bitcoin, it’s a potentially attractive target, according to Trend Micro.
Major Linux distro provider Red Hat updated customers today: “Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.”
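The article above describes the mechanism (crafted environment variables, which a web server populates from request headers when it invokes CGI scripts) and the earlier post reports Incapsula counting probes per hour. As an added example that is not part of any quoted article, this Python script scans constructed Apache "combined" access-log lines for the Bash function-definition prefix those CVE-2014-6271 / CVE-2014-7169 payloads must carry and tallies probing sources; the log lines, IPs and the `/bin/true` probe are constructed samples, not real traffic.

```python
import re
from typing import Dict, List

# The Bash function-export prefix: "()" followed by "{" (optional whitespace).
# CGI servers copy request headers into environment variables, so a probe
# against CVE-2014-6271 / CVE-2014-7169 shows this prefix in header fields.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (not real traffic): one ordinary request and two
# probes carrying the prefix in the User-Agent and Referer headers.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Sep/2014:18:29:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Sep/2014:18:30:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 44 "-" "() { :; }; /bin/true"
203.0.113.9 - - [26/Sep/2014:18:30:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 44 "() { x; }; /bin/true" "curl/7.38"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into named fields; {} if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def find_shellshock_probes(log_text: str) -> List[Dict[str, str]]:
    """One record per request whose request line or headers carry the prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip unparsable lines instead of aborting the scan
        tainted = [f for f in ("request", "referer", "agent") if SHELLSHOCK_RE.search(rec[f])]
        if tainted:
            hits.append({"ip": rec["ip"], "time": rec["time"], "fields": ",".join(tainted)})
    return hits


def summarize_by_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count probes per source address, the per-source tally the article reports."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    probes = find_shellshock_probes(SAMPLE_LOG)
    for p in probes:
        print(p)
    print(summarize_by_ip(probes))
```

A hit only shows that a probe arrived, not that the CGI script behind it ran under an unpatched Bash; confirm the patch level on the host separately.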
27-09-2014, 11:28 #4
Oracle warns customers on Shellshock bug
Oracle warned customers on Friday that more than 30 products are vulnerable to the Shellshock bug, including its high-end Exadata computer systems.
Oracle said it has only prepared fixes to address the Shellshock vulnerability in two products, the Oracle Linux and Solaris operating systems.