New Bug dubbed Shellshock
Comments
-
Haven't looked at the details yet but the overview suggests that http environment variables can be used to compromise, with a large percentage of sites running apache this may suggest why it's been given a 10 score on the potential risk scale.
No point bashing windows, any system is only as good as the sys admins and configuration although Windows attracts more exploits due to its worldwide installation instances.0 -
spongebobbrownpants wrote: »Haven't looked at the details yet but the overview suggests that http environment variables can be used to compromise, with a large percentage of sites running apache this may suggest why it's been given a 10 score on the potential risk scale.
No point bashing windows, any system is only as good as the sys admins and configuration although Windows attracts more exploits due to its worldwide installation instances.
Couldn't resist, the component with the vulnerability in Linux is called 'Bash'. Someone'll pop up soon with a solution. Just keep an eye out for anything strange happening. :cool:0 -
Lol they already have a solution. Mine was patched before the BBC reported it.0
-
It was only last year on these very forums that certain Apple users were shouting how getting a virus on their Macs is impossible and how it served all us MS users right for using such vulnerable machines.
The silence of those members is deafening right now.0 -
It was only last year on these very forums that certain Apple users were shouting how getting a virus on their Macs is impossible and how it served all us MS users right for using such vulnerable machines.
The silence of those members is deafening right now.
Hardly, one of a handful of bugs that affects osx vs the many thousands that affect windows......quick let's dump osx........oh wait
The tragedy is that to most IT users the fact that Microsoft have dominated the desktop with a product that has set technological advancement back 20 years and is only now being addressed by Apple really passes them by and they judge all computers they use as annoying/unstable when there really is a viable alternative if they would only open their minds and try it.0 -
Nodding_Donkey wrote: »Lol they already have a solution. Mine was patched before the BBC reported it.
Debian and Ubuntu pushed new packages live just before midnight UK time. The updated source code hasn't appeared at Savannah on git yet so anyone wanting to build from source will have to find the post on the oss-security mailing list that details the changes in 4.3 revision 26 (and previous versions).0 -
Yep I've just seen it was patched a second time late last night0
-
spongebobbrownpants wrote: »Haven't looked at the details yet but the overview suggests that http environment variables can be used to compromise, with a large percentage of sites running apache this may suggest why it's been given a 10 score on the potential risk scale.
Anyone who uses a shell to write cgi-bin scripts needs their head examining. To do it correctly such that current injection attacks don't work is extremely difficult. The particularly nasty thing about this bug is that the attacker can run code before the cgi-bin script itself starts to run (the attacker's code runs while bash is starting up). But seriously, if anyone's writing cgi-bin in shell (and particularly using bash, which is a rats' nest of code and has an attack surface the size of Africa) then they get what's coming to them. When I was running websites for a living I'd have got rid of any developer who even suggested it: it's not just the security issues, it's the maintainability and the performance as well.
Anyone clever enough to use bash to write cgi scripts is clever enough to not use bash to write cgi scripts.
There are some other possible attacks, but they're much harder to weaponise because they require closer access to the machine. DHCP clients (and things that call them, like network initialisation scripts) sometimes use environment variables to pass information into scripts to perform customisation, which is a worry if an attacker can pass arbitrary strings into a DHCP request, and there are probably people who've written active responders for packages like OSSEC, syslog-ng and so on who have used bash, but those sorts of attacks need a lot more knowledge of the target.
This is mostly a problem for server-side admins, and provided people have decent firewalling (so attackers can't inject random protocols), decent privilege separation (so you can't instantly leverage "can run a command inside Apache" into "can run a command as root") and a bare minimum of patch-management and configuration control, I'm struggling to see the major threat.
Yeah, I updated all my Linux machines yesterday, and in a fit of enthusiasm I compiled a patched version of bash for my OSX machines. But I haven't as yet been able to patch my Solaris machines and I can't say I'm losing any sleep over it.0 -
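The post above notes that the injected code runs while bash is starting up, before the cgi-bin script gets control, so any check has to look at the environment before a shell is spawned. The following is an added example, not part of any post in this thread: it builds the CGI variables a web server derives from request headers and flags values that begin like a bash function definition. The function names, the sample requests and the whitespace-tolerant pattern are assumptions made for illustration.

```python
import re

# Assumption: pre-patch bash treats an environment value that begins with
# "() {" as an exported function and parses it during start-up. The regex
# tolerates extra whitespace, so it flags a superset of that prefix.
FUNCTION_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

def cgi_environment(headers):
    """Build the CGI variables a web server derives from request headers."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length keep their own names; every other
        # header arrives as HTTP_<NAME>, with its value chosen by the client.
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env

def suspicious_variables(env):
    """Names of variables whose value looks like a function definition."""
    return sorted(k for k, v in env.items() if FUNCTION_PREFIX.match(v))

def scrub(env):
    """Copy of env without flagged variables, for use before spawning a shell."""
    flagged = set(suspicious_variables(env))
    return {k: v for k, v in env.items() if k not in flagged}

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"Host": "www.example.test",
     "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"Host": "www.example.test",
     "User-Agent": "() { :; }; echo CONSTRUCTED-SAMPLE",
     "Referer": "() { ignored; }; echo CONSTRUCTED-SAMPLE"},
]

if __name__ == "__main__":
    for headers in SAMPLE_REQUESTS:
        env = cgi_environment(headers)
        print(suspicious_variables(env) or "clean", sorted(scrub(env)))
```

The same `suspicious_variables` check applies to any other source of attacker-influenced environment values, such as the DHCP options mentioned in the post.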
Can someone please post, preferably in non technical words of no more than 2 syllables
whether the average home PC or smartphone user should be concerned about this threat.
If so, what, if anything, can said average user do about it?
Thanks0 -
No sorry I can't, that would be far too simple.......
:rotfl::rotfl:0
This discussion has been closed.