Ask HN: Could we use Shellshock to patch vulnerable systems?
Since we know that it took weeks before most servers were fixed from the Heartbleed vulnerability, couldn't we use Shellshock to make a worm that would upgrade bash wherever it can? Are there legal issues about fixing a vulnerability in a system that doesn't belongs to you?
[edit] Ok, I guess the part about the legal issues was a bit candid. What I am really saying is wouldn't it be a good thing to have a worm closing vulnerabilities, compared to the thousands of hackers exploiting this vulnerability to steal or spy?
10 comments
[ 3.0 ms ] story [ 40.0 ms ] threadDefinitely in the UK
http://www.legifrance.gouv.fr/affichCodeArticle.do?idArticle...
We could also imagine a worm contacting the owner of the server and asking her to fix it.
Yes. Because it doesn't belong to you. Therefore you have no right to 'fix' it.
Friendly worms have been done before (welchia). The problems with friendly worms are numerous. It is more than just a legal issue. A malicious worm is looking to propagate quietly and perhaps leave some sort of backdoor control channel. A friendly worm has to propagate (faster than malicious worms), and patch (without DDoSing patching infrastructure), and self terminate (which harms it's ability to propagate). It's hard to imagine a real world scenario where a friendly worm would be effective. It would either take too long to develop, or it would do just as much damage as a regular worm.
I will point out like its been pointed out in another comment this probably breaks the law somewhere.