Thursday, 25. September 2014

The Shellshock vulnerability, aka the “Bash Bug”

Here you will find the latest blogs from Trend Micro’s experts along with a comprehensive look at the latest vulnerability, the “Bash Bug.” We encourage you to scroll through the various blogs, provide comments and enjoy the in-depth knowledge that Trend Micro has to offer. Please add your thoughts in the comments below and follow us on Twitter (@TrendMicro) for real-time updates.

September 29, 2014 The Register: SMASH the Bash bug! Red Hat, Apple scramble for patch batches

A fresh dump of Shellshock patches were released on Friday night in the latest move to stamp out the Bash shell security vuln that has the potential to blight millions of Linux, Unix and Mac OS X machines. Red Hat said in a blog post that the threat from Shellshock was receding now that patches had been issued for most operating systems affected by the bug.

Information Week: Shellshock’s Threat To Healthcare

We’ve all seen the news about the next big threat to information systems, Shellshock, which takes advantage of a vulnerability in the now ubiquitous open source Bash shell (Bourne-Again Shell). 

PC World: Improved patch tackles new Shellshock Bash bug attack vectors

System administrators who spent last week making sure their computers are patched against Shellshock, a critical vulnerability in the Bash Unix command-line interpreter, will have to install a new patch that addresses additional attack vectors.

We’re still determining the scope of the #shellshock bug, here’s what you need to know, http://t.co/9QUuQ56vIl /cc @TrendMicro — Mark Nunnikhoven (@marknca) September 29, 2014

September 26, 2014 Deep Discovery – Alerting you to Shellshock exploits

Kevin Faulkner

Today we are releasing new Deep Discovery rules to detect attacks attempting to exploit the recently exposed Shellshock (CVE-2014-6271 and CVE-2014-7169) vulnerability. This vulnerability represents an important and widespread risk to organizations of all sizes. It is found in Bash, the dominant shell for Unix and Linux, and can also be found in Mac OS X, some Windows server deployments, and even Android. That means over 500 million web servers are affected, not to mention desktops, servers and other devices. 

The New York Times: Companies Rush to Fix Shellshock Software Bug as Hackers Launch Thousands of Attacks

A day after the Department of Homeland Security advised Internet users and corporations about a newly discovered software bug that could affect hundreds of millions of systems, hackers had already begun exploiting the bug and companies were rushing to fix the issue for their users.

Washington Post: Shellshock bug could threaten millions. Compared to Heartbleed.

A programming flaw dubbed the “Bash Bug,” or more ominously “Shellshock,” is being described as a potential threat to millions of computers, servers, medical devices, power plants and municipal water systems and even common objects such as refrigerators and cameras.

SF Gate: Companies rush to fix Shellshock bug as hackers launch attacks

A day after the Department of Homeland Security advised Internet users and corporations about a newly discovered software bug that could affect hundreds of millions of systems, hackers had begun exploiting the bug and companies were rushing to fix the issue for their users.

Data Knowledge Center: Bash Bug Has Cloud Providers, Linux Distro Firms on High Alert

The widespread critical vulnerability Shellshock is the new Heartbleed. Also dubbed the “Bash Bug,” it affects GNU Bash, a very common open source program. It’s a major vulnerability but might not be a major threat depending on how quickly everything gets patched.

Techlicious: What You Need to Know about the ‘Shellshock Bash’ Bug

Security researchers from around the net are sounding the alarm over a recently discovered computer bug named Shellshock (Bash). It’s a massive security hole that’s arguably worse than the Heartbleed bug from earlier this year. Here’s what you need to know about this new threat, and what you need to know to stay protected from the fallout.

Help Net Security: Bash “Shellshock” bug: Who needs to worry?

As expected, attackers have begun exploiting the GNU Bash “Shellshock” remote code execution bug (CVE-2014-6271) to compromise systems and infect them with malware. After the disclosure of its existence, Alien Vault has begun running a new module in their honeypots and waiting for attackers aiming to exploit this vulnerability.

Star Advertiser: Companies rush to fix Shellshock bug as hackers launch attacks

A day after the Department of Homeland Security advised Internet users and corporations about a newly discovered software bug that could affect hundreds of millions of systems, hackers had begun exploiting the bug and companies were rushing to fix the issue for their users.

Hispanic Business: Trend Micro launches free protection from ‘Bash’

Trend Micro, a leader in security software and solutions, has launched license-free tools to scan and protect servers, as well as web users, across Mac OSX and Linux platforms, even as ‘Shellshock’ or ‘Bash’ bug continues to raise concern.

The Register: Bash bug: shell shocked yet? You will be… when this goes WORM

Much of the impact of the Shellshock vulnerability is unknown and will surface in the coming months as researchers, admins and attackers (natch) find new avenues of exploitation. The vulnerability, called Shellshock by researcher Robert Graham, existed in the Bash command interpreter up to version 4.3 and affected scores of servers, home computers and embedded devices.

Daily Mail: Could the Bash bug cause an internet MELTDOWN? Hackers scramble to exploit Shellshock flaw as experts warn your details may be at risk

Hackers have begun exploiting the devastating Bash bug, using worm viruses to scan for vulnerable computers before infecting them. The Bash bug, also known as ‘Shellshock’, is a flaw in a piece of software known as ‘Bash’ that runs the command prompt on many Unix computers.

The Inquirer: Hackers take advantage of Bash Shellshock bug as developers rush to patch

The full implications of the Bash bug, or Shellshock vulnerability, are beginning to sink in across the IT sector, as hackers scramble to take advantage before the flaws are patched.

The Independent: Shellshock: Criminals may already be exploiting ‘biggest ever computer bug’

Criminals may already be accessing people’s personal data by exploiting a massive security flaw affecting hundreds of millions of computers and other devices across the world, the UK’s privacy regulator has warned.

PC Mag: Apple: Most Mac Users Safe From ‘Shellshock’

Most Apple Mac owners can breathe easy following news of the Shellshock bug.

The flaw impacts Bash, a widely used command interpreter also implemented by the Mac operating system. If exploited, hackers can gain complete control over a targeted system.

ZDNet: Shellshock: How to protect your Unix, Linux and Mac servers

The only thing you have to fear with Shellshock, the Unix/Linux Bash security hole, is fear itself. Yes, Shellshock can serve as a highway for worms and malware to hit your Unix, Linux, and Mac servers, but you can defend against it.

September 25, 2014 What You Need To Know About Shellshock, aka the “Bash Bug” - Mark Nunnikhoven

This week brings us another widespread, critical vulnerability that required immediate attention. Perhaps even larger in scope than Heartbleed, Shellshock affects a very common open source program called “bash.”

Associated Press: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

ABC News: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

The Huffington Post: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Miami Herald: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Minneapolis Star Tribune: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Houston Chronicle: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Austin American Statesman: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Philly.com: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

San Jose Mercury News: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

MyNorthwest.com: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

The Seattle Times: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

The Washington Examiner: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Xfinity: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

The Buffalo News: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

The Telegraph: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Santa Cruz Sentinel Business: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Daily Herald: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Winston-Salem Journal: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Beaumont Enterprise: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

San Antonio Express-News: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

KSWO-TV: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Daily American: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Gettysburg Times: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare. 

DarkReading: Bash Bug Impacts Basically Everything, Exploits Appear In Wild

CGI-based web servers are the biggest target, but other web servers, hosting services, embedded systems, Mac OSX, and IoT endpoints are all at risk.

“Shellshock,” the critical remote command execution Bash bug disclosed yesterday, is now being exploited in the wild. Some affected software companies have released patches (which only partially fix the problem), but many others have not — which is troubling, because Shellshock can be found all over the place.

The Washington Post: Why Shellshock is bad news for the Internet of things

A major flaw in a piece of open source code that affects Mac OS X  and Linux users has cybersecurity professionals scrambling to identify and patch vulnerable machines – but embedded devices making up the so-called “Internet of Things” could be among the worst hit by the bug.

Forbes: Why You Could be at Risk from Shellshock, A New Security Flaw Found in Linux

There has recently been a deluge of serious defects in the public eye that have allowed attackers to exploit all manner of devices–Heartbleed being the most prominent of late. Now another bug has surfaced and it is pretty ‘point and click’ simple to attack. You should act now.

BBC: Shellshock: ‘Deadly serious’ new vulnerability found

A “deadly serious” bug potentially affecting hundreds of millions of computers, servers and devices has been discovered. The flaw has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple’s Mac operating system.

Decoded Science: Shellshock Bash Bug: Red Hat Issuing Patches, Is your Mac In Danger?

Mac systems, beloved the world over for their higher levels of security when compared to Windows machines, are now the potential victims of a bug called ‘Shellshock’. (Linux, Ubuntu, and others are also affected.)

Ars Technica: Bug in Bash shell creates big security hole on anything with *nix in it

The Bash vulnerability, now dubbed by some as “Shellshock,” has been reportedly found in use by an active exploit against Web servers. Additionally, the initial patch for the vulnerability was incomplete and still allows for attacks to succeed, according to a new CERT alert. See Ars’ latest report for further details, our initial report is below.

PC World: ‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack

Well, this isn’t good. Akamai security researcher Stephane Chazelas has discovered a devastating flaw in the Unix Bash shell, leaving Linux machines, OS X machines, routers, older IoT devices, and more vulnerable to attack. “Shellshock,” as it’s been dubbed, allows attackers to run code on your machine after exploiting the flaw, but the true danger here lies in just how old Shell Shock is—this vulnerability has apparently been lurking in the Bash shell for years.

ZDNet: First attacks using ‘shellshock’ Bash bug discovered

Within a day of the Bash bug dubbed ‘shellshock’ being disclosed, it appears that attackers are already looking for ways to use it for their advantage. Security researchers have found proof of concept code that attempts to exploit the serious bug discovered this week in Bourne-Again Shell, also known as Bash, which according to US CERT affects both Linux and Mac OS X. 

The Guardian: What is the Shellshock bug? Is it worse than Heartbleed?

Security experts are warning that a serious flaw named Shellshock could be about to affect many of the world’s web users. Some analysts warn it could be worse than Heartbleed, a vulnerability within web encryption library OpenSSL which caused a stir this year as it theoretically allowed attackers to take over websites.

C|NET: ‘Bigger than Heartbleed’: Bash bug could leave IT systems in shellshock

Just months after Heartbleed made waves across the Internet, a new security flaw known as the Bash bug is threatening to compromise everything from major servers to connected cameras.

Tom’s Guide: ‘Shellshock’ Flaw Found in Mac OS X, Linux

A fundamental flaw in one of the most basic functions of OS X, Linux, UNIX and related operating systems was revealed and patched today (Sept. 24) by software developers. The Bash “shell,” or command-line interface for UNIX-like systems, allows injection of random, possibly malicious, code following commands, and automatically executes that code without verifying it. Today’s patch prevents that code execution.

The Register: Patch Bash NOW: ‘Shell Shock’ bug blasts OS X, Linux systems wide open

A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the internet at large. It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.

The Independent: Shellshock: Bash bug ‘bigger than Heartbleed’ could undermine security of millions of websites

A security flaw discovered in one of the most fundamental interfaces powering the internet has been described by researchers as ‘bigger than Heartbleed’, the computer bug that affected nearly every computer user earlier this year.

Washington Post Blog: The Switchboard: Meet Shell Shock, the security bug experts say is worse than Heartbleed

New Bash software bug may pose bigger threat than Heartbleed. Reuters reports: “Bash is the software used to control the command prompt on many Unix computers. Hackers can exploit a bug in Bash to take complete control of a targeted system, security experts said. . . . The ‘Heartbleed’ bug allowed hackers to spy on computers but not take control of them, according to Dan Guido, chief executive of a cybersecurity firm Trail of Bits.”

The Sydney Morning Herald: Shell Shock: Bash bug labelled largest ever to hit the Internet

A new security vulnerability found in everything from iPhones and laptops to light bulbs and web cameras has been dubbed by security experts as worse than Heartbleed, the bug found earlier this year that affected almost every device.

Politico: Bugging out: New vulnerability bigger than Heartbleed? – Heads may still roll at Home Depot – Another breach: Jimmy John’s

A newly discovered vulnerability could put wide swaths of the Web at risk — possibly even more than the Heartbleed bug in April that set the Internet afire with concern. IT administrators worldwide are racing to patch the “Shell Shock” or “Bash Bug” vulnerability, which affects one of the most widely used interfaces in Linux and Unix operating software.

The Seattle Times: Q&A: Experts warn of Bash Bug, what are the risks?

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to computers and other devices such as home Internet routers. Even the systems used to run factory floors and power plants could be affected.

Quartz: This is how the “Shell Shock” bug imperils the whole internet

It’s a hacker’s wet dream: a software bug discovered in the practically ubiquitous computer program known as “Bash” makes hundreds of millions of computers susceptible to hijacking. The impact of this bug is likely to be higher than that of the Heartbleed bug, which was exposed in April.

Mashable: In the Wake of Shellshock, Mac Users Are Left Waiting for a Patch

A new vulnerability called Shellshock — also called the “Bash Bug” — is affecting both Linux computers and Macs, and it has the potential to let attackers take control of your computer as well as gain access to data and services in the cloud.

InfoWorld: Four no-bull facts about the Shellshock Bash bug

In barely the course of a day, word of the Shellshock exploit has reached Heartbleed-level proportions. But like any security hole du jour, it’s easy to see only the hype and not the hard truth. Here are four of the most crucial details about Shellshock and its implications.

TechRadar: Bash vulnerability: All you need to know

The BASH vulnerability has been dubbed one of the most serious vulnerabilities ever to be discovered and like Heartbleed back in April, has left many system administrators (Linux, UNIX and Mac OS X) scrambling for cover. TechRadar Pro asked Craig Young, security researcher at Tripwire, more about what GNU’s Bourne Again Shell’s affliction.

Twitter

Here’s what you need to know about #Shellshock. http://t.co/NjXqe5KHlW #BashBug pic.twitter.com/tWgTWVctLy — Trend Micro (@TrendMicro) September 25, 2014
