CL Simplex

Ethics: Use of Software Vulnerabilities

As software becomes more complex, the attack surface through which intruders can breach a system grows with it. Any software project with a significant user base faces an ever-growing security problem: once a bug or exploit is reported, the fix is not as simple as patching your code. The code is already out in the wild, and potentially millions of installations remain unrepaired because people do not update, or never hear about your latest security patch. What can you do?

Shellshock: A Bash Exploit

In 2014 a vulnerability was found in Bash, the shell that ships with most Unix-like systems and runs on millions of computers around the world. Bash imported function definitions from environment variables and kept executing whatever text followed the function body, so any service that copied attacker-controlled input into the environment of a Bash process (most notably web servers running CGI scripts) let an unauthenticated remote user run arbitrary commands. Following the recent trend of giving security issues flashy names, it was called “Shellshock” (CVE-2014-6271). Very quickly after the public disclosure, attackers were using it against unpatched machines. System administrators can immunize their systems by updating Bash to the most recent version; the first patch turned out to be incomplete, so the follow-up fixes matter as well.
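
The following script is an added example, not code from the original post. It shows the mechanism described above and lets you test the Bash on your own machine: it places a value of the form `() { :;}; echo VULNERABLE` in the environment and starts a child `bash`. A vulnerable Bash parses the value as a function definition and then runs the trailing `echo`; a patched Bash treats the value as an ordinary variable and never interprets it. The only assumption is that a `bash` binary is on `PATH`; the function and variable names (`shellshock_check`, `env_value_seen_by_bash`, `x`) are ours.

```shell
#!/bin/sh
# Added example (not from the original post): local check for the original
# Shellshock bug, CVE-2014-6271. Assumes `bash` is on PATH.
#
# Background: before the fix, bash imported any environment variable whose
# value began with "() {" as a shell function and kept parsing past the
# closing brace, so trailing text ran as a command when the child bash
# started. Anything that copies attacker-controlled data into the
# environment of a bash child (CGI HTTP headers, for example) therefore
# became remote command execution.

# Returns 0 if the installed bash executes the trailing command (vulnerable),
# 1 if it does not (patched), 2 if bash is not available to test.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    # The payload is harmless: on a vulnerable bash it only prints a marker.
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo test' 2>/dev/null) || return 2
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *) return 1 ;;
    esac
}

# Shows how a patched bash treats the same value: it arrives as an ordinary
# variable and is never parsed, so the child simply prints it back verbatim.
env_value_seen_by_bash() {
    env x='() { :;}; echo VULNERABLE' bash -c 'printf "%s" "$x"'
}

rc=0
shellshock_check || rc=$?
case "$rc" in
    0) echo "VULNERABLE: this bash executes code after an imported function definition. Update bash." ;;
    1) echo "not vulnerable: this bash ignores the trailing command" ;;
    *) echo "bash not found on PATH; nothing to test" ;;
esac
```

Run it as `sh shellshock_check.sh` on any host you administer. The fixed Bash releases stopped importing functions from arbitrary variables and only accept them from specially named ones (`BASH_FUNC_name%%`), which is why the second function prints the payload back as plain text on a patched system.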

Ethical Hacking?

The meat of the issue comes down to the following question: what if I use the Shellshock vulnerability to make the system fix itself? You would “hack” the system and instruct it to install the update. But you would have accessed a computer system without authorization or permission. This actually happened: whitehat hackers wrote scripts to scan for vulnerable computers, breach them, and then repair them.

Our Take

In this particular case, we believe it is ethical to use a known vulnerability to get systems to update. The analogy is herd immunity: compromised systems are routinely recruited to attack other machines, so every patched host also protects its neighbours. The biggest obstacle to this kind of ethical hacking is the legal system. Courts in almost every nation have been stern about anything that can even loosely be construed as unauthorized access to a system, even where there is clearly no intention to attack or harm it. Given that often ham-fisted legal response, the question will remain purely academic, at least in our books.
