Category / Security
The Shellshock exploit went public yesterday, with reports on most major news sources within hours of its disclosure (which was faster than Heartbleed earlier this year). Although a patch was issued a little while after, it was later found that it wasn't enough to stop the exploit. As of a few hours ago we saw a revised patch released, which some have claimed still doesn't fix the issue at hand. With its severity as well as the limited reports of infection/scanning, one could say that we are in the calm before the storm. It is possible that mass damage has already been done, with compromised machines left dormant waiting for the right moment.
eBay popped up in the news for its reactive stance to customer security by allowing sellers to add code to their listings which could further exploit user interactions. They do provide sellers with rules warning that their accounts may be limited or suspended if they are caught, but with these sorts of attacks the damage has already been done by the time eBay finds the code. The alarming thing is that this isn't a new problem for eBay as they had the same thing happen in 1999 with the eBayla exploit. The exploit was presented to eBay, but no further action was taken to fix the problem.
Google announced yesterday that after some favourable testing, they will be adding HTTPS as a ranking signal. Initially the value of this signal will be relatively small in comparison to other signals such as "high-quality content", but this is to allow time for Webmasters to switch their current non-secure sites over. Google are undecided if they will increase the signal's value, but given that a grace period has been handed to Webmasters, the change should happen.