New Bug dubbed Shellshock

Comments

  • forgotmyname
    forgotmyname Posts: 32,956 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Do you run a Unix system? Linux/Apple etc etc?

    If not no worry. (well about this threat anyway). I won't mention the thousands of other threats.

    The average user can make sure they have a decent antivirus and firewall and run regular updates.
    Censorship Reigns Supreme in Troll City...

  • badger09
    badger09 Posts: 11,689 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    No sorry I can't, that would be far too simple.......
    :rotfl::rotfl:

    Thought so :p

    Do you run a Unix system? Linux/Apple etc etc?

    If not no worry. (well about this threat anyway). I won't mention the thousands of other threats.

    The average user can make sure they have a decent antivirus and firewall and run regular updates.

    Thanks. I don't.

    But I was curious as to why on Friday the Independent should say

    Q. What can I do to protect against it?

    A. Experts recommend not using credit cards or disclosing personal information online for the next few days. Usual precautions are also recommended such as updating anti-virus software and not visiting dodgy websites.
  • tronator
    tronator Posts: 2,859 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 28 September 2014 at 2:36PM
    badger09 wrote: »
    But I was curious as to why on Friday the Independent should say

    Q. What can I do to protect against it?

    A. Experts recommend not using credit cards or disclosing personal information online for the next few days. Usual precautions are also recommended such as updating anti-virus software and not visiting dodgy websites.

    Not because your PC is vulnerable, rather the webserver you're visiting.

    To answer your first post, your PC is most likely not at risk unless you run a *nix OS with bash installed and have services exposed to the Internet by port forwarding or setting up a DMZ.

    Edit: I forgot to mention that your router might be at risk if it is accessible from the Internet and runs bash. So look out for firmware upgrades on the manufacturer's web site.
  • badger09
    badger09 Posts: 11,689 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    tronator wrote: »
    Not because your PC is vulnerable, rather the webserver you're visiting.

    To answer your first post, your PC is most likely not at risk unless you run a *nix OS with bash installed and have services exposed to the Internet by port forwarding or setting up a DMZ.

    Edit: I forgot to mention that your router might be at risk if it is accessible from the Internet and runs bash. So look out for firmware upgrades on the manufacturer's web site.

    Oh dear. More than 2 syllables so I'm struggling. I sort of assumed all routers were accessible from the Internet :o

    I'll check manufacturer's website for updates.
  • spud17
    spud17 Posts: 4,441 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    badger09 wrote: »
    I sort of assumed all routers were accessible from the Internet :o

    But not the underlying operating system which manages the router. :)

    Keeping it simple.

    It is possible to have remote control of the router's operating system from the internet side, but this is not normally enabled by default.
    Move along, nothing to see.
  • tronator wrote: »
    Edit: I forgot to mention that your router might be at risk if it is accessible from the Internet and runs bash. So look out for firmware upgrades on the manufacturer's web site.

    It doesn't. Or at least, it's very unlikely.

    The almost universal way in which a command line and command line tools are provided for low-end routers is using BusyBox, which incorporates ash, rather than bash. If the attacker has access to the command line, then this bug is of no benefit: they already have access to the command line.

    This bug's main benefit to an attacker is that if there is a web server which uses bash to implement some pages, then the attacker can use this bug to run arbitrary commands. You might use bash to implement a web page if (a) you had it lying around and (b) you were on a platform fast enough that the massive start-up cost of bash wasn't a problem to have happening on every page. Neither's true for low-end routers.
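
A local check for the two questions raised in the thread (is the system shell bash or BusyBox ash, and is an installed bash patched), added here as an example and not posted by anyone in the discussion. The function names `shell_kind`, `env_import_check` and `report`, and the marker string, are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: classify a shell binary and check whether a bash build
# still runs text that follows a function definition in an environment variable.

MARKER="env_function_check_marker"   # constructed string, only used locally

# Print "bash", "busybox" or "other" for the binary a path resolves to.
shell_kind() {
    real=$(readlink -f "$1" 2>/dev/null) || real=$1
    case "$(basename "$real")" in
        bash)    echo bash ;;
        busybox) echo busybox ;;   # ash applet, as on most low-end routers
        *)       echo other ;;
    esac
}

# Print "vulnerable" if the shell at $1 executes the text after the
# function body while importing the variable, otherwise "patched".
env_import_check() {
    out=$(env "probe=() { :;}; echo $MARKER" "$1" -c ':' 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# Report on the system shell and on bash if it is installed.
report() {
    for candidate in /bin/sh "$(command -v bash 2>/dev/null)"; do
        [ -n "$candidate" ] && [ -e "$candidate" ] || continue
        kind=$(shell_kind "$candidate")
        if [ "$kind" = bash ]; then
            echo "$candidate: bash, $(env_import_check "$candidate")"
        else
            echo "$candidate: $kind, not bash so this bug does not apply"
        fi
    done
}

report
```

A "vulnerable" result means the installed bash predates the fix and should be updated through the distribution's package manager or the device vendor's firmware.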
This discussion has been closed.