
Ask HN: Could we use Shellshock to patch vulnerable systems? - mperd
Since we know that it took weeks before most servers were fixed from the Heartbleed vulnerability, couldn't we use Shellshock to make a worm that would upgrade bash wherever it can? Are there legal issues about fixing a vulnerability in a system that doesn't belong to you?

[edit] Ok, I guess the part about the legal issues was a bit candid. What I am really saying is wouldn't it be a good thing to have a worm closing vulnerabilities, compared to the thousands of hackers exploiting this vulnerability to steal or spy?
======
johngalt
It would be treated the same as exploiting a system for any other reason.

Friendly worms have been done before (Welchia). The problems with friendly
worms are numerous. It is more than just a legal issue. A malicious worm is
looking to propagate quietly and perhaps leave some sort of backdoor control
channel. A friendly worm has to propagate (faster than malicious worms), and
patch (without DDoSing patching infrastructure), and self terminate (which
harms its ability to propagate). It's hard to imagine a real world scenario
where a friendly worm would be effective. It would either take too long to
develop, or it would do just as much damage as a regular worm.

~~~
mperd
Thanks, I did not know about that kind of worms or about the Welchia worm.

------
feth
In France, you deserve 3 years in jail and a fine of 45000€ for this.

[http://www.legifrance.gouv.fr/affichCodeArticle.do?idArticle...](http://www.legifrance.gouv.fr/affichCodeArticle.do?idArticle=LEGIARTI000006418316&cidTexte=LEGITEXT000006070719)

------
thrillgore
Since this is a RCE bug, sure, you can fix it. But it's not your place to fix a
vulnerability. It's on the vendor to provide the patch.

I will point out like its been pointed out in another comment this probably
breaks the law somewhere.

------
krapp
>Are there legal issues about fixing a vulnerability in a system that doesn't
belong to you?

Yes. Because it doesn't belong to you. Therefore you have no right to 'fix'
it.

------
therealidiot
I'm pretty sure in many places this would be illegal

Definitely in the UK

------
JensRantil
It's a good idea, but I would expect most vulnerable applications not to run
as root. You would need to be root to patch the bash executable.

~~~
mperd
Good point. So I guess one would have to combine that with another
vulnerability to be able to get root privileges.

We could also imagine a worm contacting the owner of the server and asking her
to fix it.
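The two checks behind this exchange, as an added example that is not code from the thread: whether the local bash still has the original Shellshock bug (CVE-2014-6271), and whether the current user could even replace the binary. The env-variable probe is the widely published test for that first bug; it does not cover the follow-on bash bugs found in the same week, and a "patched" result here only means the original function-import flaw is closed. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the local bash for the original
# Shellshock bug (CVE-2014-6271) and reports whether this user could patch it.

# Constructed probe: export a variable whose value looks like an exported bash
# function followed by trailing code. A vulnerable bash runs the trailing code
# while importing the function; a patched bash only runs the -c command.
shellshock_status() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"
    return 0
  fi
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "vulnerable" ;;
    *)            echo "patched" ;;
  esac
}

# JensRantil's point: a non-root process can run the probe above, but it
# cannot replace /bin/bash or drive the package manager, so a worm that lands
# as the web server user has nothing it can legitimately "fix".
can_patch_bash() {
  if [ "$(id -u)" -eq 0 ]; then
    echo "yes"
  else
    echo "no"
  fi
}

main() {
  printf 'bash status: %s\n' "$(shellshock_status)"
  printf 'can patch:   %s\n' "$(can_patch_bash)"
}

main "$@"
```

Run it as the account a CGI script or web server actually executes under, not as yourself from an interactive shell, since the second answer is the one that decides whether the "friendly worm" could do anything beyond noticing the bug.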

------
Spoom
If you attempted to do this, you would likely end up in jail for a very long
time under the CFAA. Fair warning.