Yes, it has been that kind of a week.
Here are my picks of news and link summaries for the Shellshock/Bash-bug exploit that hit the InterWebs this past week.
Again, like BadUSB, it pays to be familiar with these exploits and trends even if you “think” you are safe in a Windows environment.
Everything you need to know about the Shellshock Bash bug - Troy Hunt’s blog. And to address that “We’re on Windows so we are safe” thought, let me quote directly from Troy’s post above:
> All our things are on the Microsoft stack, are we at risk?
>
> Short answer “no”, long answer “yes”. I’ll tackle the easy one first – Bash is not found natively on Windows and whilst there are Bash implementations for Windows, it’s certainly not common and it’s not going to be found on consumer PCs. It’s also not clear if products like win-bash are actually vulnerable to Shellshock in the first place.
>
> The longer answer is that just because you operate in a predominantly Microsoft-centric environment doesn’t mean that you don’t have Bash running on machines servicing other discrete purposes within that environment. When I wrote about Heartbleed, I referenced Nick Craver’s post on moving Stack Overflow towards SSL and referred to this diagram of their infrastructure:
>
> There are non-Microsoft components sitting in front of their Microsoft application stack, components that the traffic needs to pass through before it hits the web servers. These are also components that may have elevated privileges behind the firewall – what’s the impact if Shellshock is exploited on those? It could be significant and that’s the point I’m making here; Shellshock has the potential to impact assets beyond just at-risk Bash implementations when it exists in a broader ecosystem of other machines.
FREE Pluralsight Course: Understanding the Shellshock Bash Bug - Troy Hunt’s blog. Troy offers a free 35+ minute training presentation going over the Shellshock Bash Bug. It is a great review that everyone in the security or IT administration community should take advantage of.
The anatomy of a Shellshock attack in the wild - Troy Hunt’s blog.
So what harm could be done? Um…plenty.
- New bash bug could wreak havoc on Linux and OS X systems - Malwarebytes Unpacked
- Website Security - Shell Shock Vuln Actively Attacked - Sucuri Blog
- Shellshock a Week Later: What We Have Seen - SpiderLabs Anterior
- Shellshock in the Wild - FireEye Blog
- Inside Shellshock: How hackers are using it to exploit systems - CloudFlare blog
- Concern over Bash vulnerability grows as exploit reported “in the wild” [Updated] - Ars Technica
- Bash Vulnerability (Shellshock) Exploit Emerges in the Wild, Leads to BASHLITE Malware - Trend Micro’s Security Intelligence Blog
- Shellshock attacks spotted in wild [Updated Sept 26] - Zscaler Research
- The Shellshock Aftershock for NAS Administrators - FireEye Blog
Even more reading…
- Bash Vulnerability Leads to Shellshock: What it is, How it Affects You - Trend Micro’s Security Intelligence Blog
- ‘Shellshock’ Bug Spells Trouble for Web Security - Krebs on Security
- HP Security Research: GNU Bash vulnerability "Shellshock" (CVE-2014-6271) - HP Enterprise Business Community
- Shellshock - How Bad Can It Get - Trend Micro’s Security Intelligence Blog
- The Bash Bug Makes Every Mac Vulnerable; Here's How To Patch It - ReadWrite
- New “Shellshock” patch rushed out to resolve gaps in first fix [Updated] - Ars Technica
- Still more vulnerabilities in bash? Shellshock becomes whack-a-mole - Ars Technica