Yahoo said the servers, used to provide live sports updates and news feeds to users, had not been affected by the recently discovered ‘Shellshock bug’, which is a flaw found in many widely used versions of the Unix operating system.
Yahoo said it was alerted to the breach by security experts seeking out computers vulnerable to the recently discovered Shellshock bug.
Yahoo’s chief information security officer Alex Stamos said on 7 October: “Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.”
Stamos said Yahoo took action to “isolate the servers at risk and protect our users' data”. The affected servers do not store user data, Stamos said. “At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our code scanners to catch future issues.”
Stamos said the event “caused some confusion in our team” because the servers in question had been successfully patched twice after the Shellshock issue, also known as the ‘Bash bug’, became public.
Stamos said: “Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause (which was) not Shellshock. Let this be a lesson to defenders and attackers alike. Just because exploit code works doesn’t mean it triggered the bug you expected.”
According to the technology publication CNET, Shellshock “is a decades-old security hole discovered on 24 September that opens the vast majority of computers that run Linux and Unix, including Apple's Mac OS X, to hackers”.
CNET said: “Hackers can easily exploit the flaw to run potentially harmful code inside a bash shell, a simple interface commonly used to tell the computer what to do. Potentially, the Shellshock bug could be used to access sensitive information or gain control of the computer.”
The US Computer Emergency Readiness Team (US-CERT) said last month that organisations should look to their technology providers for a security update to address the Shellshock problem, amid concern that an initial 'patch' that had been issued did not fully fix the hole in security that had been identified.
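Because the servers in the story had been patched twice and the first public fix was itself incomplete, the practical lesson for defenders is to verify patch status with a repeatable test rather than trusting a package update. The following shell script is an added example, not code from the article, Yahoo or US-CERT; it uses the widely published function-import probe (an environment variable whose value defines an empty function followed by an extra command, which only an unpatched bash executes while importing the variable). The variable name `x`, the marker string `SHELLSHOCK_TRIGGERED` and the function names `shellshock_status` and `check_all` are all constructed for this example, and the probe covers only the original function-import behaviour, not the later follow-on variants, so a "patched" result should be read as "the original defect is closed" and nothing more.

```shell
# Added example (not from the article): report whether a given shell binary
# still honours the original Shellshock function-import behaviour.
# Output is exactly one of: vulnerable | patched | unavailable
shellshock_status() {
  target="${1:-bash}"
  if ! command -v "$target" >/dev/null 2>&1; then
    echo unavailable
    return 0
  fi
  # Constructed probe: the value of x defines an empty function and then
  # appends a harmless echo. Only an unpatched bash runs that echo while
  # importing the variable. stderr is discarded because a patched bash
  # prints a warning about ignoring the function definition attempt.
  out=$(env x='() { :;}; echo SHELLSHOCK_TRIGGERED' "$target" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_TRIGGERED*) echo vulnerable ;;
    *)                      echo patched ;;
  esac
}

# Check the bash on PATH plus any extra binaries given as arguments, so a
# host that was patched once but still runs an older copy elsewhere
# (a chroot, a container image, a vendored build) is not missed.
check_all() {
  for s in bash "$@"; do
    printf '%s: %s\n' "$s" "$(shellshock_status "$s")"
  done
}

check_all "$@"
```

Run it as `sh check.sh /usr/local/bin/bash /opt/app/bin/bash` after each patch cycle and keep the output with the change record; a result of `patched` on the system bash but `vulnerable` on a bundled copy is precisely the kind of mismatch that turns "we patched twice" into a confusing incident.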