Yahoo has acknowledged that it was hit by a security incident this week, but the root cause was not the Shellshock bug.
Security researcher Jonathan Hall alleged that Yahoo was in fact at risk from Shellshock. The Shellshock bug, publicly disclosed on Sept. 24, is a flaw in Bash (the Bourne Again SHell), the open-source command shell widely deployed on Unix and Linux systems. Affected versions of Bash execute commands appended to a function definition carried in an environment variable, so any service that passes attacker-controlled input to Bash through the environment, such as a CGI script, can let an attacker execute arbitrary commands on the server.
Yahoo’s Chief Information Security Officer (CISO) Alex Stamos took to the popular Hacker News site to explain what actually happened and why his organization was not directly exploited by the Shellshock vulnerability.
“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers,” he wrote.
Stamos noted that the attackers had mutated their exploit in an attempt to get around Yahoo’s Web Application Firewall (WAF) filters.
“This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs,” Stamos said.
In other words, the attackers' Shellshock payload did not trigger Shellshock on Yahoo's servers; it triggered a separate command-injection bug in a log-parsing script that happened to be processing the attackers' requests at the time. Stamos added that Yahoo has no evidence that any user data was affected, and he emphasized that only a few machines were impacted. Yahoo has already fixed the issue and has put protections in place to limit any repeat incidents.
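The bug class Stamos describes, a monitoring script that parses web logs and hands a log field to a shell, is easy to reproduce. The following is an added example, not Yahoo's code and not the script Stamos referred to: a hypothetical log-parsing helper that interpolates the raw log line into a shell command is injectable by any request that closes the quote, whether or not the Bash on the box is patched for Shellshock. The hardened versions beside it (arguments passed as a list with the line on stdin, or the line parsed in-process) treat the same input as data only, and a small detector flags Shellshock-style probes in the request fields. The log lines, IPs and payloads are constructed for the example.

```python
# Added example (not Yahoo's code, and not the script Stamos referred to):
# a hypothetical web-log monitoring script that hands log fields to a shell
# has a command-injection bug of its own, independent of whether Bash is
# patched for Shellshock. The hardened variants treat the same input as data.
import re
import subprocess

# Constructed sample lines in Apache combined log format. IPs are from the
# documentation ranges; the attacker-style User-Agent strings are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2014:10:00:01 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Shellshock-style probe: a Bash function definition followed by a command.
    '198.51.100.7 - - [06/Oct/2014:10:00:02 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \'id\'"',
    # Plain shell quote-breaking payload; the marker command is harmless.
    '198.51.100.7 - - [06/Oct/2014:10:00:03 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "\'; echo INJECTED; echo \'"',
]

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signature of a Shellshock probe: a Bash function definition "() {" inside a
# request field. Detection only; it says nothing about whether Bash was hit.
SHELLSHOCK_PROBE = re.compile(r"\(\)\s*\{")


def status_via_shell(line):
    """VULNERABLE: builds a shell command string from the raw log line.

    The author only wanted field 9 (the HTTP status), but a log field that
    closes the single quote runs as a command. Request logs are
    attacker-controlled input, so this is the bug class Stamos describes.
    """
    cmd = "echo '%s' | cut -d ' ' -f 9" % line
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def status_via_cut_safe(line):
    """Hardened, same external tool: the line goes on stdin and the
    arguments as a list, so no shell ever parses the log line."""
    proc = subprocess.run(["cut", "-d", " ", "-f", "9"],
                          input=line, capture_output=True, text=True)
    return proc.stdout.strip()


def status_parsed(line):
    """Hardened, no subprocess at all: parse the line in-process."""
    m = COMBINED_RE.match(line)
    return m.group("status") if m else None


def shellshock_probes(lines):
    """Return (client IP, field) for every line whose request line,
    referer or user-agent carries a Shellshock-style function prefix."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("req", "referer", "ua"):
            if SHELLSHOCK_PROBE.search(m.group(field)):
                hits.append((m.group("ip"), field))
                break
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("shell:", repr(status_via_shell(line)),
              "| cut-argv:", status_via_cut_safe(line),
              "| parsed:", status_parsed(line))
    print("probes:", shellshock_probes(SAMPLE_LOG))
```

Note that the Shellshock-style probe on the second line does not inject through this particular script: its single quotes happen to concatenate into one shell word, so the vulnerable helper still returns the status. Only the third line's quote-breaking payload fits this bug, which is the point of Stamos's remark that exploit code can succeed by hitting a bug other than the one the attacker aimed at.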
“Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!” Stamos wrote.
Stamos is, of course, absolutely correct. Any system of real size carries bugs that can be exploited, and the "exploit of the day", whether Shellshock, Heartbleed or another, is not necessarily the one an organization is actually breached with.
Stamos also raised the matter of disclosure: Hall had not contacted Yahoo's security team or its bug bounty program, which rewards security researchers for reported issues, Stamos said.
For his part, Hall doesn’t agree with Stamos’ assessment of the situation.
“So the end result is that Stamos released a garbage explanation backed by absolutely no solid technical information solely as a means of discrediting me and further assassinating my character,” Hall wrote.
Disagreements like this are not uncommon in security research. The right course, though, is to disclose issues to the affected vendor first and give it the benefit of the doubt. Time will tell whether further Shellshock-related exploits against Yahoo emerge or whether Stamos's account holds.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.