Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending September 26, 2014. Covers enterprise, controversies, reports and more.
This week, the "shellshock" bug brought Bash patching to its knees, Apple stock slipped after a disastrous iOS and security update, jQuery was hacked a second time, and infosec argued about the legitimacy of "junk hacking."
Red alert for enterprise: The Bash "shellshock" bug affecting Linux and Mac is both serious and dangerous. The 20-year-old bug was discovered this week in Bourne-Again Shell (Bash), which according to US CERT affects nearly all Linux (including Debian, Ubuntu) and Mac OS X deployments. Preliminary scans found it affects thousands of systems; malicious-minded hackers worldwide have raced to exploit it and patches aren't coming fast enough. WIRED reports Shellshock exploits (such as DDoS attacks and botnets/malware) will only increase exponentially. The major attack vectors identified are HTTP requests and CGI scripts. Another attack surface is OpenSSH, through AcceptEnv variables.
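As an added example (not part of the original roundup), the following POSIX shell script performs the widely published local self-check for the Bash bug described above and audits the sshd AcceptEnv directives the paragraph names as a second attack surface. It assumes a `bash` binary on PATH and the default sshd_config path `/etc/ssh/sshd_config`; both are parameters.

```shell
#!/bin/sh
# Added example, not code from the ZDNet roundup. Bash imported shell
# functions from environment variables whose value began with "() {";
# unpatched builds kept parsing past the closing brace and executed what
# followed. CGI servers and sshd (via AcceptEnv) hand remotely supplied
# strings to Bash as environment variables, which is why they were exposed.

# shellshock_check [BASH_PATH]
# Runs the published test string through the given bash binary.
# Returns 0 if the binary is patched, 1 if the trailing command executed.
shellshock_check() {
  bash_bin="${1:-bash}"
  # The marker only appears on stdout if Bash ran the command that trails
  # the function body while importing the environment.
  out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_MARKER*) return 1 ;;
    *)                   return 0 ;;
  esac
}

# sshd_acceptenv_audit [SSHD_CONFIG_PATH]
# Prints the AcceptEnv directives, i.e. which client-chosen variables sshd
# copies into the login shell's environment. On an unpatched host each one is
# a path to the bug; a short list limits exposure until Bash is updated.
sshd_acceptenv_audit() {
  cfg="${1:-/etc/ssh/sshd_config}"
  [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
  grep -iE '^[[:space:]]*AcceptEnv' "$cfg" || echo "no AcceptEnv directives in $cfg"
}

if shellshock_check bash; then
  echo "bash: patched against Shellshock"
else
  echo "bash: VULNERABLE to Shellshock, update immediately"
fi
sshd_acceptenv_audit /etc/ssh/sshd_config || true
```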
Amazon Inc. isn't soothing customers anxious about cloud security: This week Amazon revealed it has to reboot its EC2 instances to patch a Xen bug. Silicon Angle said, "The reboots, which will affect instances all over the world, should be completed by the end of this month. Amazon refused to say why it needed to upgrade the instances, but it’s widely believed that a security issue affecting underlying hosts is responsible."
The new Apple iPhone 6 Touch ID (fingerprint) sensor was hacked this week by the same researcher who hacked the iPhone 5S Touch ID first released last year. On the Lookout blog researcher Marc Rogers wrote, "Sadly there has been little in the way of measurable improvement in the sensor between these two devices. Fake fingerprints created using my previous technique were able to readily fool both devices."
Junk hacking isn't cool anymore. At the beginning of the week, respected security researcher Dave Aitel caused a stir when he wrote a heated screed demanding the end of what he calls "junk hacking". Addressing hackers who, in Aitel's view, use sensationalist "hacks" and entry-grade techniques to hack "junk" to scare people, he called out specific IoT hacks he believes fuel a culture of slacker hackers coasting from conference to conference on a veritable headliners' D-list. Not everyone agrees with Mr. Aitel.
So am I understanding the whole "junk hacking" thing correctly? Do we hate highlighting nonexistent security now?
TripAdvisor subsidiary Viator was hit by a massive data breach that exposed payment card details, account credentials, usernames and passwords of its customers, affecting approximately 1.4 million accounts. Viator first learned of the breach in early September from its payment card service provider, which reported "that unauthorized charges occurred on a number of our customers' credit cards." Viator was acquired by TripAdvisor in July for $200 million. According to a TripAdvisor spokesperson, TripAdvisor was not impacted by the breach and further, "Viator and TripAdvisor are operated on separate systems with different design and security attributes, and with no overlap."
IBM Security Intelligence reported that Tinba Malware is Reloaded and Attacking Banks Around the World, publishing a slew of details and interesting findings. The variant is "joining Gameover Zeus in an attempt to improve communication capabilities with the C&C by having a fallback in the form of a DGA. Initially, only a handful of financial institutions were targeted. However, as of this week's report, the attack has broadened to include a larger number of banks globally -- including the United States and Canada."
Apple Inc. had another rough week when the company pushed out a seriously troubled iOS 8.0.1 update, leaving users around the world without cell service or Touch ID functionality on their iPhones -- users were unable to unlock, make calls or send texts with their phones. Apple followed the snafu a day later with an iOS 8.0.2 update to fix an estimated 40,000 affected iPhones. Apple stock slipped with news of the disastrous update. Australian users are reportedly still affected.
This post has been updated to include comment from TripAdvisor which clarifies the isolation of the breach to its subsidiary, Viator. We appreciate TripAdvisor's comments.