New Bug dubbed Shellshock

Oblivion
Posts: 20,248 Forumite


in Techie Stuff
This looks pretty nasty ... http://www.bbc.co.uk/news/technology-29361794
A "deadly serious" bug potentially affecting hundreds of millions of computers, servers and devices has been discovered.
The flaw has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple's Mac operating system.
The bug, dubbed Shellshock, can be used to remotely take control of almost any system using Bash, researchers said.
Experts said it was more serious than the Heartbleed bug discovered in April.
"Whereas something like Heartbleed was all about sniffing what was going on, this was about giving you direct access to the system," Prof Alan Woodward, a security researcher from the University of Surrey, told the BBC.
"The door's wide open."
Some 500,000 machines worldwide were thought to have been vulnerable to Heartbleed. But early estimates, which experts said were conservative, suggest that Shellshock could hit at least 500 million machines.
The problem is particularly serious given that many web servers are run using the Apache system, software which includes the Bash component.
Patch immediately
Bash - which stands for Bourne-Again SHell - is a command prompt on many Unix computers. Unix is an operating system on which many others are built, such as Linux and Mac OS.
The US Computer Emergency Readiness Team (US-Cert) issued a warning about the bug, urging system administrators to apply patches.
However, other security researchers warned that the patches were "incomplete" and would not fully secure systems.
Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug.
Cybersecurity specialists Rapid7 rated the Bash bug as 10 out of 10 for severity, but "low" on complexity - a relatively easy vulnerability for hackers to capitalise on.
"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," said Tod Beardsley, a Rapid7 engineer.
"Anybody with systems using Bash needs to deploy the patch immediately."
For general home users, Prof Woodward suggested simply keeping an eye on manufacturer websites for updates - particularly for hardware such as broadband routers.
... Dave
Happily retired and enjoying my 14th year of leisure
I am cleverly disguised as a responsible adult.
Bring me sunshine in your smile
Comments
-
That can't be right. According to the Mac aficionados Macs can't get viruses.
-
That can't be right. According to the Mac aficionados Macs can't get viruses.
Yeah, I thought Linux was supposed to be bullet proof too. :rotfl:
... Dave
-
So after about 30s reading, this affects all Linux-based web servers where Apache is installed, but could also affect routers too - those with built-in web servers? Home devices should just be able to turn this service off (Thomson are off by default) and I don't have port forwarding to NAS hosts or anything.
I have a load of Linux-based XenServers running with Windows-based clients, and router although old, doesn't support web hosting so I'm hoping that means everything is ok.
-
So after about 30s reading, this affects all Linux-based web servers where Apache is installed, but could also affect routers too - those with built-in web servers? Home devices should just be able to turn this service off (Thomson are off by default) and I don't have port forwarding to NAS hosts or anything.
I have a load of Linux-based XenServers running with Windows-based clients, and router although old, doesn't support web hosting so I'm hoping that means everything is ok.
The most obvious surface is Apache+CGI, however the actual vulnerability is anything that can call bash and set an environmental variable.
So while the likelihood is pretty low for other scenarios, the actual potential attack surface is massive, which is why it's considered deadly serious.
-
We are all doomed!
-
It's not a virus, it's a fault in the software that can allow remote exploits (that's not to say that it won't be used as a means of infecting machines with a virus)
Last one out switch off the lights
-
We need to call on Florence Nightingale - the Lady with the L.A.M.P.
I'll get me coat
-
The most obvious surface is Apache+CGI, however the actual vulnerability is anything that can call bash and set an environmental variable.
Spent today patching various servers. Expect to do the same tomorrow when patch level 26 comes along. I do dislike changing the shell on a server in a datacentre on a different continent where there is no physical access. The consequences of it going wrong (me doing it wrong, I mean!) make it a fraught experience, for me at least.
Proud member of the wokerati, though I don't eat tofu.
Home is where my books are.
Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019.
Mortgage free July 2023
-
Nothing is 100% secure, but compared to that pile of crap Windows, Linux/Unix & OS X are 10000 times more secure so
Please come back when you want to use a real OS.
This discussion has been closed.
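One reply in the thread notes that the real exposure is anything that can call bash and set an environment variable. The sketch below is an added example, not part of the original thread: a stopgap filter that drops function-shaped values from an environment before it is handed to a shell. The variable names and sample values are constructed, and the pattern is deliberately a little broader than the `() {` prefix that unpatched bash treated as a function definition.

```python
import re

# Unpatched bash imported any environment value starting with "() {" as a
# function definition. The pattern also tolerates extra whitespace so the
# filter errs on the side of dropping too much rather than too little.
FUNC_IMPORT = re.compile(r"^\s*\(\)\s*\{")


def scrub_env(env):
    """Split env into (clean, dropped).

    dropped holds every variable whose value looks like an exported bash
    function definition; clean is what may be passed on to the shell.
    """
    clean, dropped = {}, {}
    for name, value in env.items():
        if FUNC_IMPORT.match(value):
            dropped[name] = value
        else:
            clean[name] = value
    return clean, dropped


# Constructed CGI-style environment: a web server copies request headers
# into HTTP_* variables before it starts the handler.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "HTTP_ACCEPT": "text/html",
    "HTTP_USER_AGENT": "() { :; }; echo constructed-sample",
    "HTTP_REFERER": "https://example.test/page?q=() {",  # marker not at start
    "HTTP_COOKIE": "  (){ :; }",  # whitespace variant, dropped conservatively
}


if __name__ == "__main__":
    clean, dropped = scrub_env(SAMPLE_ENV)
    for name in sorted(dropped):
        # Log the variable name so the attempt is visible to operators.
        print(f"dropped {name}: function-shaped value")
    print("passed to shell:", ", ".join(sorted(clean)))
```

Filtering like this only narrows the exposure for one caller; the fix the thread describes is still to patch bash itself.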