Shellshock bug threatens internet’s backbone



N2NH
09-28-2014, 01:01 AM
A new nearly universal threat has been found. The Shellshock bug, which makes the Heartbleed bug look like a hoser.


Governments and companies around the world have been scrambling to shore up their cyber defences in the past 48 hours after the discovery of a fundamental flaw – dubbed Shellshock – in software used in everything from the servers that form the backbone of the internet to iPhones.

The vulnerability is being described as one of the most acute and pervasive online security loopholes ever identified and far more severe than the “Heartbleed” bug that panicked cyber security professionals in April after leaving thousands of businesses and millions of consumers open to attack worldwide.

In an alert sent to UK organisations on Wednesday, Britain’s cyber security agency GCHQ warned that critical national infrastructure was impacted by the bug.

“It should be assumed that most server-based architectures are affected,” the agency’s computer emergency response team added.
The flaw exists in software known as Bash, short for Bourne Again Shell, which is common to many Unix and Linux systems and their derivatives.

Because of its perceived security, Unix and Linux software is used in many of the most sensitive computer systems worldwide, including much of the “plumbing” for the internet itself. Apple’s operating system also uses it, meaning any Apple device is vulnerable to exploitation as a result.
Emphasis mine.

Nothing like putting all your eggs in one basket...

Shellshock Bug Threatens The Internet's Backbone. (http://www.ft.com/intl/cms/s/0/2f7d00d0-44a8-11e4-ab0c-00144feabdc0.html#axzz3EaPbQL2N)

n6hcm
09-28-2014, 06:02 AM
Not quite as dramatic as that. While the affected bit of software is on every bit of Linux and most contemporary UNIX systems, the exploitation of the bug requires very specific conditions that are unlikely under good software engineering practice. (That last phrase, of course, is killer).

At MPOW I was able to apply the working update to bash to all my systems in minutes. While we had many systems to update, we didn't have the conditions that made the bug easily exploitable.

tl;dr: this is something to be concerned about, but it's not the end of the world ...

ad4mg
09-28-2014, 06:07 AM
I noticed that all of my Ubuntu installations had updates for the Bourne-again shell (BASH) earlier this week, before the headlines for this thing appeared. First time that I've noticed updates to the shell. It seems most Linux operating systems have addressed the 'bug':


Numerous Linux variants have already pushed out patches that plug Shellshock, including Red Hat, Fedora, CentOS, Ubuntu, and Debian, and big Internet services like Akamai are already on the case.
http://www.pcworld.com/article/2687857/bigger-than-heartbleed-shellshock-flaw-leaves-os-x-linux-more-open-to-attack.html

I'd wager most of the Linux users here are running the highlighted distros.

I'm thinking the risks are minimal for anyone running Linux or OS X on their home machines. Many Linux users run an alternate to BASH anyhow, and most of those aren't vulnerable.

Older embedded devices and some routers may be the most vulnerable. On PCs, a properly configured firewall should eliminate the risk. Ubuntu (Xubuntu, Kubuntu, etc.), Debian and Mint users should already have "gufw" installed (you do, right?), configured, and turned on.

Interesting that this shows up on the heels of the Windows 9 rollout... :lol:

ad4mg
09-28-2014, 06:11 AM
We're on the same page, Henry! I found this article most informative, but it will only make sense to those who are familiar with shell scripts.

http://unix.stackexchange.com/questions/157329/what-does-env-x-command-bash-do-and-why-is-it-insecure


Not quite as dramatic as that. While the affected bit of software is on every bit of Linux and most contemporary UNIX systems, the exploitation of the bug requires very specific conditions that are unlikely under good software engineering practice. (That last phrase, of course, is killer).

At MPOW I was able to apply the working update to bash to all my systems in minutes. While we had many systems to update, we didn't have the conditions that made the bug easily exploitable.

tl;dr: this is something to be concerned about, but it's not the end of the world ...
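The unix.stackexchange question linked above is about the one-line probe that shows whether a given bash still imports function definitions from environment variables, which is the behaviour behind Shellshock. As an added example, not part of this thread or of the linked answer, here is that probe wrapped in a small check script suitable for running on each host before and after applying the vendor update. The variable name SHELLSHOCK_PROBE and the function name are my own choices; the script only reports whether the original function-import behaviour is present.

```shell
#!/bin/sh
# Added example (not from the thread): does the local bash still import a
# function definition from an arbitrary environment variable and run the
# code that follows it? Prints "vulnerable", "patched" or "no-bash".

check_shellshock() {
    # No bash installed means there is nothing to patch on this host.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # A bash with the flaw parses the value of SHELLSHOCK_PROBE (an
    # assumed, harmless variable name) as a function definition when it
    # starts, and executes the trailing 'echo vulnerable' before running
    # the -c command. A patched bash ignores the variable entirely and
    # prints only "probe".
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

check_shellshock
```

Run it as-is on a host; "patched" means the updated bash from the distribution (or Apple's OS X bash Update) is the one on PATH. Note that it checks the interactive shell only: a host can still have an older bash binary elsewhere (an embedded device or a chroot) that the probe above never touches.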

N2CHX
09-28-2014, 07:10 AM
Not quite as dramatic as that. While the affected bit of software is on every bit of Linux and most contemporary UNIX systems, the exploitation of the bug requires very specific conditions that are unlikely under good software engineering practice. (That last phrase, of course, is killer).

At MPOW I was able to apply the working update to bash to all my systems in minutes. While we had many systems to update, we didn't have the conditions that made the bug easily exploitable.

tl;dr: this is something to be concerned about, but it's not the end of the world ...

This right here. Bash had already been updated on all my systems by software contributors before the news of this ever broke to mainstream, not that they really had anything to exploit. The only two processes on my servers at work that use bash through a web interface is a data collection engine used to log activity by collection agents so we can aggregate that data with phone logs and know who's actually working and who is f*cking off all day. All my other bash processes are triggered by cron jobs.

This is very similar to the MySQL injection bug from a few years back that everyone had a meltdown about. As long as you're not allowing a POST return value on a form or GET data in a URL to actually write parts of what is tossed to bash, you've got nothing to worry about, even with an unpatched bash shell. Only an inexperienced or idiotic/lazy programmer would do something like that.

NQ6U
09-28-2014, 12:02 PM
Apple says a Bash patch is forthcoming, although I just checked and they haven't released it yet. I'm not too concerned, though; as far as I can tell, there's really no danger for the average OS X user unless he/she is running a web server.

KC2UGV
09-28-2014, 12:55 PM
It's hardly threatening anything at this point. I'd hazard 99% of all impacted people have this updated already, and did so the same day. We upgraded about 6000 servers in 24 hours.

Secondly, this bug is mitigated by a few things:
* It's only impacting if you have exposed SSH
OR
* Exposed Apache/Lighttpd/Nginx AND you are running your modules as CGI, rather than mod_x (Which most people run mod_php, mod_perl, etc etc due to performance increases rather than as a fast-cgi).

Secondly, it also requires that the web server/ssh server executes as a privileged user. Which any sane sysadmin does not do (Web servers generally run as www-user, a non-priv user account).
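KC2UGV's point is that the realistic exposure is a web server running scripts as CGI, because a CGI server hands every request header to the spawned script as an environment variable, which is exactly where the flaw is triggered. An added example, not from the thread: a small log-scanning snippet that flags access-log records carrying the bash function-definition prefix in any header field, so an admin can see whether anyone has been probing their CGI endpoints. The log lines are constructed for the example (not real traffic), the combined-log field layout is assumed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): flag access-log records that carry a
# bash function-definition prefix ("() {") in any field, the fingerprint a
# Shellshock probe leaves on a CGI endpoint. Layout assumed: Apache/Nginx
# combined format, with Referer and User-Agent as the last two quoted fields.

# Constructed sample log, NOT real traffic. Record 1 carries the prefix in
# the User-Agent, record 4 in the Referer; records 2 and 3 are ordinary.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
10.0.0.6 - - [25/Sep/2014:10:12:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:12:03 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 200 100 "http://example.invalid/" "curl/7.30.0"
10.0.0.8 - - [25/Sep/2014:10:12:04 +0000] "POST /cgi-bin/form.cgi HTTP/1.1" 500 0 "() {:; }; echo probe" "Mozilla/5.0"'

# Read log records on stdin; print "<client-ip> <request-path>" for each
# record containing "()" followed by optional whitespace and "{". Matching
# the whole line (not just User-Agent) matters because a CGI server exports
# every header, so the prefix can arrive in Referer, Cookie or a custom one.
scan_log() {
    grep -E '\(\)[[:space:]]*\{' | awk '{print $1, $7}'
}

# Convenience wrappers over the constructed sample.
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log
}

sample_hit_count() {
    scan_sample | wc -l | tr -d ' '
}

scan_sample
```

Against a real server, feed the log in instead of the sample, e.g. `scan_log < /var/log/apache2/access.log`. A hit does not by itself mean compromise: on a host where the web server runs nothing as CGI, or where bash has already been updated, the probe simply did nothing, but the source addresses are still worth a look in the firewall log.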

N2NH
09-28-2014, 09:41 PM
Well it's good to hear that things are not so doomsday looking. I figured they had the patches already out before breaking the news. I wonder if they have something added to trace someone trying to use this exploit in the patches? :chin:

KC2UGV
09-29-2014, 05:40 AM
Well it's good to hear that things are not so doomsday looking. I figured they had the patches already out before breaking the news. I wonder if they have something added to trace someone trying to use this exploit in the patches? :chin:


No, the fix just removes the feature from the shell.

n2ize
09-29-2014, 01:09 PM
All updated and fixed here. I keep the systems here updated for bug fixes and changes on a daily basis. Might still have the vulnerability on one or two of my older systems but I am not using them in a way that would risk compromising the exploit. I am going to update those manually.

n6hcm
09-30-2014, 12:51 AM
Apple says a Bash patch is forthcoming, although I just checked and they haven't released it yet. I'm not too concerned, though; as far as I can tell, there's really no danger for the average OS X user unless he/she is running a web server.

it's out now--just installed it.

get it here:

OS X bash Update 1.0 - OS X Lion
http://support.apple.com/kb/DL1767

OS X bash Update 1.0 – OS X Mountain Lion
http://support.apple.com/kb/DL1768

OS X bash Update 1.0 – OS X Mavericks
http://support.apple.com/kb/DL1769

NQ6U
09-30-2014, 09:40 AM
They didn't release a version for OS X Snow Leopard, alas, which is the newest version my ancient hardware will run. Not that it really matters for me; my computer is not exposed to the open Internet. My router sure takes a pounding, though; I'm glad it's not vulnerable to this attack.

n2ize
09-30-2014, 06:35 PM
I use the seashell.

K7SGJ
10-01-2014, 08:52 AM
I use the seashell.


kd6nig
10-01-2014, 01:08 PM

Just find the nearest Verbal Morality Statute machine and cuss it out. Make sure you have some credits in your account though.

K7SGJ
10-01-2014, 07:24 PM
Just find the nearest Verbal Morality Statute machine and cuss it out. Make sure you have some credits in your account though.

No shit.

DING DING DING DING

Well fuck.

DING DING DING DING