posted by LaminatorX on Tuesday October 07 2014, @01:50AM
from the /cgi-sys/defaultwebpage.cgi dept.

Security researcher Jonathan Hall announced on his web site (Google cache) that the WinZip.com site and some of Yahoo's servers were breached by Romanian hackers because they had not been patched against Shellshock. The announcement comes with a long write-up documenting the discovery process.

The hackers were working on breaking into Yahoo Games servers and managed to completely root the dip4.gq1.yahoo.com and api118.sports.gq1.yahoo.com servers. Hall emailed and tweeted Marissa Mayer and a member of Yahoo's engineering team. He received a response from Yahoo confirming that its servers had been breached and that it was working through its incident response process; Yahoo has since confirmed the breach publicly. He also notified the FBI.

Some news sites also report that Yahoo's acknowledgement did not come until the FBI and other news outlets had also been notified, and that Hall's report may not qualify for Yahoo's bug bounty.
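A defender-side illustration of what an unpatched server like the ones above would have recorded: Shellshock arrives as a bash function definition (the literal `() {` prefix) inside an HTTP header that a CGI handler exports into the environment. The following Python scans Apache combined-format access logs for that signature. It is an added example, not code from Hall's write-up or from this post; the log lines are constructed, the addresses are documentation-range placeholders, and the `/cgi-sys/defaultwebpage.cgi` path is the one from the dept. line.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache combined-format access log lines (not real traffic; the
# addresses are RFC 5737 documentation ranges). Two requests carry a bash
# function definition in a header, one in User-Agent and one in Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.3 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() { ignored; }; echo probe" "curl/7.35"
198.51.100.9 - - [25/Sep/2014:10:04:01 +0000] "POST /api/search HTTP/1.1" 200 77 "-" "python-requests/2.4"
"""

# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# CVE-2014-6271 is triggered by an environment variable whose value begins
# with a bash function definition. The "() {" prefix is the part an attacker
# cannot vary, so that is what to match on; tolerate any whitespace between
# the parentheses and the brace.
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Header-derived fields that a CGI handler exports into the environment
# (HTTP_REFERER, HTTP_USER_AGENT) and that the combined log format records.
HEADER_FIELDS = ("referer", "user_agent")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_field(rec: Dict[str, str]) -> Optional[str]:
    """Name of the first header field carrying a bash function definition, else None."""
    for field in HEADER_FIELDS:
        if FUNC_DEF.search(rec[field]):
            return field
    return None


def targets_cgi(path: str) -> bool:
    """True if the request path points at a CGI handler (the usual Shellshock vector)."""
    return "/cgi-bin/" in path or "/cgi-sys/" in path or path.endswith(".cgi")


def scan(log_text: str) -> List[Dict[str, object]]:
    """Flag every request whose headers carry a function definition.

    A 200 status against a CGI path is the alarming case: the handler ran and
    returned normally, so the injected command most likely executed as the
    web server's user. Any other status is still recorded as an attempt.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than crash
        field = shellshock_field(rec)
        if field is None:
            continue
        cgi = targets_cgi(rec["path"])
        hits.append({
            "ip": rec["ip"],
            "path": rec["path"],
            "status": int(rec["status"]),
            "field": field,
            "cgi_target": cgi,
            "likely_executed": cgi and rec["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the function-definition prefix rather than on any particular command keeps the check independent of payload encoding, which is also why the real fix is patching bash (and not running the httpd as root, so a hit on a CGI path is bounded by the web server's user).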

  • (Score: 1) by wirelessduck on Tuesday October 07 2014, @02:36AM

    by wirelessduck (3407) on Tuesday October 07 2014, @02:36AM (#102850)

    Yahoo's CISO claims they were not vulnerable to shellshock [ycombinator.com].

  • (Score: 3, Funny) by dyingtolive on Tuesday October 07 2014, @03:19AM

    by dyingtolive (952) on Tuesday October 07 2014, @03:19AM (#102859)

    WinZip is still a thing.

    --
    Don't blame me, I voted for moose wang!
    • (Score: 0) by Anonymous Coward on Tuesday October 07 2014, @07:55AM

      by Anonymous Coward on Tuesday October 07 2014, @07:55AM (#102906)

      Most Windows users that I know use WinZip as their primary compression and tar utility (which was the way it was 15 years ago, the last time I used Windows seriously).

      • (Score: 2) by cykros on Wednesday October 08 2014, @09:17PM

        by cykros (989) on Wednesday October 08 2014, @09:17PM (#103789)

        Considering that Windows has had built in handling of .zip files in Explorer, I somewhat doubt this.

        And with better functionality and range of supported filetypes from 7zip and WinRAR, well, I'd have to say I'd be downright shocked if it's anything like "most" Windows users. Yeah, there are those set in their ways that'll use it as long as they can, but the point at which the average Windows user used to install Winzip was when they got a .zip file they needed to open, and couldn't otherwise do so. That hasn't been a situation on Windows since Windows XP came out.

        That they're still asking for money for Winzip seems to suggest that they've no real interest in keeping up with the times at all (as when it came out, it wasn't all that odd to see someone asking for money for a zip utility... it's downright asinine in this day and age). They're just leaving up what they had, at the price they've sold it, because the trickle of loyal users they have still covers their hosting costs. For that matter, you can still buy Barren Realms Elite, the DOS BBS Door game from the 80s, for the same price as ever. It's essentially abandonware that the owner forgot to abandon, for lack of having moved on to anything more recent. Or in BRE's case, it got sold to a company that eschews innovation and was simply interested in squeezing a few extra bucks from people looking for it out of a sense of nostalgia.

        On the other hand, if mIRC's continuing prevalence is anything to go by (with the lack of built-in SSL support, among other massive drawbacks to it as an IRC client), it's that I really shouldn't underestimate how much people will use obsolete overpriced software for as long as they're allowed to. The sad apparent fact of the matter is that learning technology seems to live in whatever part of the human brain is analogous to ROM... once you've written how a task is performed, it's not exactly easy to overwrite the instructions, regardless of the benefits involved. And with Winzip, if it's already paid for, while it's unnecessary, there are only so many features you can really add on for zip file support, so familiarity wins out in the case of some people. I suppose it's not really fair to judge, as long as it doesn't cause any problems, as the UI mostly amounts to a matter of taste, and functionally Winzip still works. If there's anything Internet Explorer is good for, it's reminding us that one can usually make worse decisions than eschewing built-in features of Windows in favor of third party tools.

    • (Score: 1) by zenlessyank on Tuesday October 07 2014, @08:01AM

      by zenlessyank (4767) on Tuesday October 07 2014, @08:01AM (#102907)

      When using a time machine to 1995, then, yes, it is a thing. The rest of us use 7zip because we are cheep bastages. Well, 'cept those few who are heavy WinRAR users and keep that one around. Also note that a client I still see twice a year still subscribes (pays) to AOL and he has U-Verse with a VCR!!!

      But to a select few of us who have a hybrid of adamantium and drop-forged steel for skull caps, then we might tend to keep an application around if it still does the job and it's paid for. ;) http://www.winzip.com/win/en/index.htm

    • (Score: 0) by Anonymous Coward on Tuesday October 07 2014, @10:45AM

      by Anonymous Coward on Tuesday October 07 2014, @10:45AM (#102940)

      Yep, I just removed it with my shareware copy of Quarterdeck Cleansweep [wikipedia.org].

      Now excuse me, I will be running defrag on my C: during the next 30 hours.

  • (Score: 2) by Konomi on Tuesday October 07 2014, @09:44AM

    by Konomi (189) on Tuesday October 07 2014, @09:44AM (#102927)

    WinZip Breached via Shellshock

    And nothing of value was lost...

  • (Score: 2) by darkfeline on Tuesday October 07 2014, @07:11PM

    by darkfeline (1030) on Tuesday October 07 2014, @07:11PM (#103265)

    Considering Shellshock doesn't do privilege escalation, I'm curious as to what other exploits were used to complete the root. Please don't tell me they were running their apache-equivalent as root.

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 2) by cykros on Wednesday October 08 2014, @09:21PM

      by cykros (989) on Wednesday October 08 2014, @09:21PM (#103791)

      It's Winzip. It hasn't exactly changed much in years, and I doubt people are putting a ton of effort into the website either. I'm only half joking when I say that it almost wouldn't surprise me if the httpd they're using REQUIRES that it be run as root.