A "deadly serious" bug potentially affecting hundreds of millions of computers, servers and devices has been discovered.
"Whereas something like Heartbleed was all about sniffing what was going on, this was about giving you direct access to the system," Prof Alan Woodward, a security researcher from the University of Surrey, told the BBC.
Some 500,000 machines worldwide were thought to have been vulnerable to Heartbleed. But early estimates, which experts said were conservative, suggest that Shellshock could hit at least 500 million machines.
The problem is particularly serious given that many web servers are run using the Apache system, software which includes the Bash component.
The US Computer Emergency Readiness Team (US-Cert) issued a warning about the bug, urging system administrators to apply patches.
However, other security researchers warned that the patches were "incomplete" and would not fully secure systems.
In 1987, Mr. Fox, then a young programmer, wrote Bash, short for Bourne-Again Shell, a free piece of software that is now built into more than 70 percent of the machines that connect to the Internet. That includes servers, computers, routers, some mobile phones and even everyday items like refrigerators and cameras.
On Thursday, security experts warned that Bash contained a particularly alarming software bug that could be used to take control of hundreds of millions of machines around the world, potentially including Macintosh computers and smartphones that use the Android operating system.
originally posted by: BornAgainAlien
No wonder they have called it "Shellshock."
Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer.
The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received.
The exploit appears to be a local root, not a remote root, so you need access to the machine to use the exploit…
originally posted by: funkadeliaaaa
a reply to: BornAgainAlien
The Bourne-Again Shell? Isn't Bourne the name of that secret agent in those films Bourne Identity, Bourne Again, Bourne Supremacy etc.? That's a lot of films and this bug was "just discovered" lol
Developed by Stephen Bourne at Bell Labs, it was a replacement for the Thompson shell, whose executable file had the same name—sh.
It was released in 1977 in the Version 7 Unix release
originally posted by: AnonyMason
How to check if you are vulnerable to shell shock.
To determine if a Linux or Unix system is vulnerable, run the following command lines in your Linux shell:
env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"
env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"
If you see the word shellshock in the output, your bash shell is vulnerable. The bug is primarily affecting Linux and Unix system bash shells, versions 1.14 through 4.3 of GNU Bash.
Patches are available for Red Hat, Ubuntu, CentOS, and Debian. Mac is reporting that most users will not be vulnerable but are expected to have an update anyway, soon, possibly today. For the Linux distros apply updates with your package manager using: sudo apt-get update, then sudo apt-get upgrade OR su -c 'yum update'.
Stay safe! NIST vuln database has ranked this a 10/10 severity rating so be sure to apply the patch!
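The check from the post above, wrapped so it can be run over every sh or bash entry listed in /etc/shells and re-run after patching. This is an added example, not part of the original post; the function names check_shell and scan_shells and the probe marker are made up for illustration.

```shell
#!/bin/sh
# Added example: function names and the probe marker are hypothetical.

# check_shell PATH
# Returns 0 if PATH does not run the trailing command, 1 if it does
# (vulnerable), 2 if PATH is not an executable file.
check_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || return 2
    marker="probe_$$"
    # Same shape as the check in the post: a function-definition-looking
    # value followed by a harmless echo. A patched shell ignores the echo.
    out=$(env X="() { :;}; echo $marker" "$shell_path" -c "echo completed" \
          </dev/null 2>/dev/null) || true
    case $out in
        *"$marker"*) return 1 ;;
        *)           return 0 ;;
    esac
}

# scan_shells [LIST_FILE]
# Probes each entry of LIST_FILE (default /etc/shells) whose file name is
# sh, bash or rbash. Prints one line per shell and returns the number of
# vulnerable shells found.
scan_shells() {
    list=${1:-/etc/shells}
    vulnerable=0
    for candidate in $(grep -v '^#' "$list" 2>/dev/null | sort -u); do
        case ${candidate##*/} in
            sh|bash|rbash) ;;
            *) continue ;;      # other login shells are not probed
        esac
        rc=0
        check_shell "$candidate" || rc=$?
        case $rc in
            0) echo "$candidate: not vulnerable" ;;
            1) echo "$candidate: VULNERABLE"
               vulnerable=$((vulnerable + 1)) ;;
            2) echo "$candidate: not present" ;;
        esac
    done
    return "$vulnerable"
}
```

Source the file and call scan_shells; a non-zero exit status is the count of shells that still need the update.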
originally posted by: Yeahkeepwatchingme
I don't understand the science behind it, but these bugs prove how delicate computers are. We have many working on the problems and finding holes in security systems to prevent major incidents from occurring but we're so attached to our networks. I can't imagine the world without computers and the thought of the system being crippled just enough to damage many areas is unsettling. S + F.