Shellshock: 'Deadly serious' new vulnerability found

A "deadly serious" bug potentially affecting hundreds of millions of computers, servers and devices has been discovered.

"Whereas something like Heartbleed was all about sniffing what was going on, this was about giving you direct access to the system," Prof Alan Woodward, a security researcher from the University of Surrey, told the BBC.

Some 500,000 machines worldwide were thought to have been vulnerable to Heartbleed. But early estimates, which experts said were conservative, suggest that Shellshock could hit at least 500 million machines.

The problem is particularly serious given that many web servers are run using the Apache system, software which includes the Bash component.

Shellshock: 'Deadly serious' new vulnerability found

This might be bad if they start to use in a grand scale.

Servers can go down everywhere and patches aren`t sufficient, and on top of that it`s easy to exploit.

No wonder they have called it "Shellshock."

Wow bummer. Quick! chshell!

I don't understand the science behind it, but these bugs prove how delicate computers are. We have many working on the problems and finding holes in security systems to prevent major incidents from occurring but we're so attached to our networks. I can't imagine the world without computers and the thought of the system being crippled just enough to damage many areas is unsettling. S + F.

The Bug HAS been patched in Bash 3.0 and 4.3. Goto your shell and type bash --version and you'll see what version you are running.

Then, simply apply the updates for your particular distribution. All the major ones have been updated. If you're running a version earlier than 3.0, it's probably a good idea to switch to a newer version of your distribution.

Let's see, the Bug was discovered on the 24th, and hmm, it's the 25th and it's already been fixed. Not much to worry about, just do your updates.

a reply to: Druid42

Have you actual read the article ?

The US Computer Emergency Readiness Team (US-Cert) issued a warning about the bug, urging system administrators to apply patches.

However, other security researchers warned that the patches were "incomplete" and would not fully secure systems.

a reply to: Druid42

Except for the fact that the acticle states.....

"However, other security researchers warned that the patches were "incomplete" and would not fully secure systems.

Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug."

Looks like so professionals are not as sure as you....

a reply to: Druid42

I have verified that the problem exists on MacOS 10.7.5 and Apple has not released a patch to Bash. My Macbook Pro running the 10.10 beta has also not been patched. So every Mac out there is vulnerable.

I'm not sure what this means to folks like me, but it seems it could be a huge problem....were talking computers....servers...phones....and refrigerators:
www.nytimes.com...

In 1987, Mr. Fox, then a young programmer, wrote Bash, short for Bourne-Again Shell, a free piece of software that is now built into more than 70 percent of the machines that connect to the Internet. That includes servers, computers, routers, some mobile phones and even everyday items like refrigerators and cameras.

On Thursday, security experts warned that Bash contained a particularly alarming software bug that could be used to take control of hundreds of millions of machines around the world, potentially including Macintosh computers and smartphones that use the Android operating system

S&F

Really a crappy time to be reading "Nowhere To Hide" by Glenn Greenwald...

Our oldest son keeps griping at me about all the systems I accumulated over the years and the storage space they take up, but I'm seriously thinking about setting a couple of them up. As former customers, friends and family moved up, I "inherited" perfectly good Windows 95 and Windows 98SE systems and all the software to go with them. You don't need the 'Net to use a scanner, work with PaintShop Pro or do labels (among other things).

Hope this is taken care of quickly. A reminder to all... If you have the resources, the magic word is BACKUP.

a reply to: BornAgainAlien
The Bourne-Again Shell? Isnt Bourne the name of that secret agent in those films Bourne Identity, Bourne Again, Bourne Supremacy etc thats a lot of films and this bug was "just discovered" lol

originally posted by: BornAgainAlien
No wonder they have called it "Shellshock."

As for this, a tortoise leaving it's shell after nearly 30 years, that would be shell shock lol, probably similar to how a Hermit Crab feels when it abandons its Shell ... All you would have left would be a Ghost in the Shell.lol

Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer.

The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received.

a reply to: BornAgainAlien

As expected from the BBC, the article is not detailed to a granular tech level of the exploit.

The exploit appears to be a local root, not a remote root, so you need access to the machine to use the exploit... Which could really help some people who hack a non-root shell.

If this were a remote exploit, similar to Heartbleed, that could be extremely bad since many, many, many many machines use bash on top of sh.

a reply to: Philippines

The exploit appears to be a local root, not a remote root, so you need access to the machine to use the exploit…

Which can easily be done through malware. I don't know about Linux, but many MacOS users are logged in as root without even knowing it, so any process that they run would have that local authorization. A lot of the really dangerous stuff is protected by having to be run under sudo, but a lot is not… I could write a Bash script to wipe your drive or put your "Documents" folder into a password encrypted archive, and you'd be none the wiser until you checked it.

It can be done by accessing a cgi script on the web server using a browser. The data is passed in the user agent string during a call to the server.

"Found"?

Its been known about in security circles for a long while. Its one of the reasons Ubuntu deprecated bash in favour of dash. Its only just becoming "public".

No evidence for this following statement, just a gut feeling. I suspect its been kept quiet for so long, because its probably one of the principle vectors used by various security services, for infiltrating Linux systems.

originally posted by: funkadeliaaaa
a reply to: BornAgainAlien
The Bourne-Again Shell? Isnt Bourne the name of that secret agent in those films Bourne Identity, Bourne Again, Bourne Supremacy etc thats a lot of films and this bug was "just discovered" lol

Developed by Stephen Bourne at Bell Labs, it was a replacement for the Thompson shell, whose executable file had the same name—sh.

It was released in 1977 in the Version 7 Unix release

www.abovetopsecret.com...

originally posted by: AnonyMason
How to check if you are vulnerable to shell shock.

To determine if a Linux or Unix system is vulnerable, run the following command lines in your linux shell:

env X="() [ :;] ; echo shellshock" /bin/sh -c "echo completed"
env X="() [ :;] ; echo shellshock" `which bash` -c "echo completed"

If you see the word shellshock in the output, your bash shell is vulnerable. The bug is primarily effecting Linux and Unix system bash shells versions 1.14 through 4.3 of GNU.

Patches are available for Redhat, Ubuntu, CentOS, and Debian. Mac is reporting that most users will not be vulnerable but are expected to have an update any way, soon, posibly today. For the linux distros apply updates with you package manager usig: sudo ap-get update, then sudo apt-get upgrade OR su -c 'yum update'.

Stay safe! NIST vuln database has ranked this a 10/10 severity rating so be sure to apply the patch!

originally posted by: Yeahkeepwatchingme
I don't understand the science behind it, but these bugs prove how delicate computers are. We have many working on the problems and finding holes in security systems to prevent major incidents from occurring but we're so attached to our networks. I can't imagine the world without computers and the thought of the system being crippled just enough to damage many areas is unsettling. S + F.

Everything is delicate, even our own life. Disaster is just around the corner. It's just sometimes we don't realize it until it's too late.

Our bodies are not perfect either. Tehy're a work in rpogress. This whole world is a work in progress. Danger is everywhere. The purpose I presume is to survive long enough to reproduce and tell your tale.

Apple has released a patch (new version of Bash, I suppose) that you can download here:
support.apple.com...

For some reason, they are not releasing this as a software update, so the only way that you can get it, as of now, is by going to the support website, downloading the appropriate patch for your OS (10.7.5 is the earliest one supported if you have a 10.6.x machine, I guess you're out of luck) and installing the package.

ETA: I tested it on my 10.7.5 machine and the patch fixes it.