RT @dailylinuxuser: How 2 protect urself from #Shellshock. If u haven't updated ur #Linux operating system do it now. http://ow.ly/BWHCs
The recently disclosed bug in bash was bad enough as a theoretical exploit; now, reports Ars Technica, it could already be being used to launch real attacks.
In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion web pages that at least partially fit the profile for the Shellshock exploit.
More bad news: "[T]he initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry." And CNET is not the only one to say that Shellshock, which can affect Macs running OS X as well as Linux and Unix systems, could be worse than Heartbleed.- #ShellShock, ouch. GuardRail can scan your nodes to find affected versions of bash in seconds. http://hubs.ly/y09mRp0 pic.twitter.com/PmLzWZVYDR
- And the word "open" does not figure in @fsf's own statement: http://www.fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability … — because #bash is not open at all. #shellshock
- Concern over Bash vulnerability grows as exploit reported “in the wild” http://ars.to/1rlXyRU by @thepacketrat
