Shellshock
Latest
The problem with 'pumpkin spice' security bugs
Bad Password is a hacking and security column by Violet Blue. Every week she'll be exploring the trendy new cyberhysteria, the state of the infosec community and the ever-eroding thing that used to be called "privacy." Bad Password cuts through the greed, fear mongering and jargon with expertise, a friendly voice and a little levelheaded perspective. When asked, "Why give a vulnerability a website, logo and brand image?" many infosec professionals will confidently answer that flamboyant bugs raise awareness toward fixes. Fixing and patching, we're led to believe, is almost as fun as a trip to the dentist. Which is true. Heartbleed, Shellshock, Stagefright, Sandworm, Rootpipe, Winshock and the truly terror-inducing nom-de-sploit POODLE are not, in fact, a list of situational phobias. These were named with intent to become PR markers -- although looking at the way some of these vulns (vulnerabilities) got their names and brands, it seems like the focus was more on the credit for naming them, rather than the actual usefulness of trying to "pumpkin spice" a bug.
Attackers hit Yahoo using the Shellshock bug, but your data is safe
Looks like it didn't take long for the Shellshock security flaw to claim its first major victim. Yahoo has confirmed to both Future South Technologies and SecurityWeek that hackers used the command line exploit to breach at least two of its servers. Future South's Jonathan Hall found that the Romania-based intruders were using Shellshock to slowly hijack servers (including those of other companies) and build up an "arsenal" for hitting increasingly valuable targets, particularly Yahoo Games.
Apple releases OS X bash Update 1.0
If you've been worried about the recent discovery of a security flaw called Shellshock in the bash UNIX shell, you can rest easier. Apple released OS X bash Update 1.0 to fix the issue, which made it possible for a remote attacker to execute arbitrary shell commands. According to the release notes for the update, "an issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement." The update incorporated a suggested change that resets the parser state, and also added a new namespace for exported functions. Versions of the patch are not only available for OS X Mavericks (see link in first paragraph), but also for OS X Lion, OS X Mountain Lion, and OS X Lion Server. TUAW also posted instructions on patching OS X for the bash/Shellshock vulnerability last week.
Apple updates OS X to protect 'advanced UNIX users' from Shellshock
Although OS X is among the systems listed as vulnerable to the recently-uncovered Shellshock / Bash security flaw (still not sure what that is? Let us explain.), Apple has said it isn't a problem for most users. For those potentially vulnerable due to enabling certain UNIX services, 9to5Mac reveals the company has just pushed patches for the Mavericks, Lion and Mountain Lion versions of its desktop operating system. You can download the updates from Apple's website now, and it should be available via software update soon. [Image credit: Robert Graham, Twitter]
The Shellshock command security flaw isn't really fixed yet
Don't get too comfy just because companies are rolling out patches for the Shellshock security bug -- as it turns out, even updated websites and devices remain at risk. Developers are reporting that they can still run any code they like (and thus hijack systems) through the bash command shell simply by using instructions that aren't covered by existing safeguards. You can use a common variable like "cat" (concatenate) to bypass the defenses, for instance. The only surefire fix may be a fundamental change to how the shell handles variables, which could break legions of apps and services. You still don't have much reason to worry about your home Mac or Linux PC, but it's now considerably less likely that the sites and connected gadgets you use will will be truly immune to Shellshock-based attacks. [Image credit: Robert Graham, Twitter]
Apple: most users safe from Bash security flaw, Shellshock fix coming soon
Red Hat security researchers this week discovered a vulnerability in Bash, a command interpreter or shell that is found in Unix, Linux and OS X. The flaw potentially allows malicious hackers to run arbitrary commands and gain control over a vulnerable machine. Following the discovery of this bug, Apple responded to iMore and confirmed that "the vast majority of OS X users are not at risk to recently reported bash vulnerabilities." Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users," the spokesperson said. Apple doesn't specify which advanced Unix services are involved in Shellshock, nor does the company provide a timeframe for the upcoming fix. If you want to learn more about Shellshock, Troy Hunt has an excellent guide that details the vulnerability and how it compromises web-connected devices. You also can use this script and instructions from our own TJ Luoma to recompile Bash and disable the Shellshock bug ahead of Apple's upcoming fix.
What is the Shellshock Bash bug and why does it matter?
By now you may have heard about a new bug found in the Bash shell. And unless you're a programmer or security expert, you're probably wondering if you should really worry. The short answer is: Don't panic, but you should definitely learn more about it, because you may be in contact with vulnerable devices. This bug, baptized "Shellshock" by Security Researchers, affects the Unix command shell "Bash," which happens to be one of the most common applications in those systems. That includes any machine running Mac OS X or Linux. The "shell" or "command prompt" is a piece of software that allows a computer to interact with the outside (you) by interpreting text. This vulnerability affects the shell known as Bash (Bourne Again SHell), which is installed not only on computers, but also on many devices (smart locks, cameras, storage and multimedia appliances, etc.) that use a subset of Linux.
'Bash' command flaw leaves Linux, OS X and more open to attack
Apparently, the internet has more deep-seated security bugs to worry about than Heartbleed. Researchers have discovered a longstanding flaw in a common Unix command shell (bash) for Linux and Macs that lets attackers run any code they want as soon as the shell starts running. They can effectively get control of any networked device that runs bash, even if there are limits on the commands remote users can try. That's a big problem when a large chunk of the internet relies on the shell for everyday tasks -- many web servers will call on it when they're running scripts, for example.
CD Projekt Red's 'Cyberpunk' inspired by System Shock, Blade Runner [Update]
The Witcher series developer CD Projekt Red is deriving its latest game, Cyberpunk, from the pen-and-paper game of the same name – but that's not where all of its direction is coming from. Cyberpunk draws inspiration from William Gibson novels, Blade Runner, the Ghost in the Shell anime and manga, System Shock and "the first part of Deus Ex," community manager Marcin Momot says.Cyberpunk will remain faithful to its source material, traversing the world but focusing on a specific venue pivotal to the franchise, Night City. Cyberpunk will have an "open, living world" with more customization options than players had with Geralt in The Witcher games. Players will be able to change their stats, equipment, implants and more.The role system comes straight from the pen-and-paper Cyberpunk, and "as opposed to the regular fantasy set-up with mages, warriors and archers, we're going for something different," Momot says. "In Cyberpunk, each character role will offer a set of special skills that will impact your stats in many different ways."Update: Yes, what was first written in the interview as "Shellshock" was supposed to be "System Shock," and CD Projekt Red has altered the text to reflect this. If you don't believe it really said "Shellshock," ctrl+f the comments in the source. We were just as confused as you.
Shellshock 2 experiments with drug lore of 'Nam, just in time for holidaze
Shellshock 2: Blood Trails is Rebellion's sequel to the Killzone gang's Shellshock: Nam '67 (shucks, we must've missed that one). This second tour of doodie, brought to you by Eidos, is presented with this thumb-tingling pitch: "a brutal and twisted psychological first person shooter, coming to disturb your Christmas." (We prefer our holidays quite undisturbed, thank you.)What we're dealing with appears to be a rehash of Jacob's Ladder, replacing the film's "The Ladder" drug (loosely based on BZ) with "Whiteknight" ("an enemy that ultimately has no side") -- oh, and scantly clad babe-soldiers. Or is that just one of the frightening hallucinations...? Dah-dah-dumb.%Gallery-33094%
Rebellion to develop Shellshock sequel for sure
UK developer Rebellion has declared its intention to take a break from the PSP and instead focus on those newfangled home consoles it keeps hearing so much about. After churning out several portable games based on licenses such as Star Wars, The Simpsons and Alien vs. Predator, Rebellion plans to dip into more original properties, as well as those found in its 2000AD comic book business. Before that happens though, the developer will be piecing together a PlayStation 3 and Xbox 360 sequel to Shellshock, Eidos' critically panned third-person Vietnam shooter. (Hey, it could be worse!)Rebellion CEO Jason Kingsley told GamesIndustry.biz that the end result would be a "mature product" and "a bit like Jacob's Ladder or Apocalypse Now in movie terms." Despite "challenging the nature of war, the horror and why people do these horrific things to each other," Kingsley assured all that Shellshock 2 is "looking absolutely lovely." Expect to learn more about people doing horrific things to each other in 2008.
