
A MacBook Air laptop is pictured on display at an Apple Store in Pasadena, California July 22, 2013.

Mario Anzuoni/Reuters

While Apple Inc. tried Friday to reassure users of its Mac computers about the threat of the Shellshock bug, security firms started documenting efforts by hackers to exploit the newly disclosed programming flaw.

"We saw the first attempts by criminals to take advantage of this widespread vulnerability," Stefan Ortloff, an analyst at Kaspersky Lab, wrote on his company's security blog.

Another security firm, Alien Vault Labs, also noted attempts to install malicious software through the Shellshock defect, including one malware that appeared to be written by Romanian hackers and was trying to connect to 715 other victims.


The intruders have not deployed sophisticated viruses so far but Mr. Ortloff cautioned in an interview that "it is not important what kind of software was installed because, when you can exploit a Web server this way, you can install any software."

Shellshock is the common name of a programming flaw officially known as CVE-2014-6271, which affects Unix-based operating systems, including OS X, which runs Apple's Mac computers. Windows users are not affected.

Those machines use an interface called Bash, which is used to send commands directly to the computer's operating system.

Earlier this month, an independent French programmer, Stéphane Chazelas, discovered that Bash could be tricked into allowing additional codes to be tacked at the end of a command.

Most Mac users are safe from Shellshock, Apple said Friday, adding that it was working on a software patch to protect those who are vulnerable.

"The vast majority of OS X users are not at risk to recently reported Bash vulnerabilities," Apple spokeswoman Tara Hendela said in a statement.

"Bash ... has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users."

The CVE-2014-6271 vulnerability was only made public Wednesday to give programmers who maintain Bash time to develop a remedy.


Four-and-a-half hours after the announcement, "we started seeing scans looking for the vulnerability," Waylon Grange, senior malware researcher at Blue Coat Systems, wrote on a company blog.

Like other firms, Alien Vault ran a honeypot operation – a server intentionally set up to draw attackers so their methods could be studied.

"We have had several hits in the last 24 hours," Alien Vault director Jaime Blasco wrote on his company website.

One of the malwares detected by Alien Vault appears to be similar to one of those detected by Kaspersky, Mr. Ortloff said.

He said the malware creates a "backdoor" in the infected server, covertly installing a piece of code that can be used to unleash distributed denial-of-service attacks (DDoS).

(In a DDoS, an infected Web server will be commandeered by an intruder to join a network of compromised machines that disable another server by flooding it continuously with bogus requests.) The malware detected by Kaspersky and Alien Vault held a small dictionary of possible default passwords – such as "1234," "guest" or "password" – that it could use to attempt a forced entry elsewhere.


The malicious code isn't sophisticated and appears to be older software hastily reconfigured to exploit Shellshock, Mr. Ortloff said.

As such, there is still no evidence that hackers exploited Shellshock before its existence became public this week. The flaw has existed since Bash was developed in the late 1980s.

In Ottawa, "when the government became aware of this vulnerability, all federal government organizations were directed by the Chief Information Officer for the Government of Canada to patch affected systems on a priority basis," Treasury Board spokeswoman Kelly James said in an e-mailed statement.

"For affected systems where no patch is available, departments have been directed to take those systems offline."
