Offline News  
#1 Posted : Thursday, September 25, 2014 2:27:27 PM(UTC)

Rank: Member


Groups: Administrators, Registered
Joined: 9/23/2007(UTC)
Posts: 25,073

Was thanked: 3 time(s) in 3 post(s)

It's being called a worse threat than Heartbleed, but unlike Heartbleed, "Shellshock" can affect home users just as well as servers. The bug is tied to the Bash Unix shell, one that's pretty much de facto in Linux, and can be found in all Mac OS X releases. While you'll be in a Bash environment whenever you open up a terminal, there are many cases where Bash will run in the background as well - such as with SSH, which constantly listens for connections.

The bug was reported to Red Hat last week and published just yesterday. The report reads:

"A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue."

As Shellshock is being treated as a severe threat, Red Hat is actively working on issuing a proper patch. An initial patch has already been released, but it's being said that it's not perfect yet. For Mac OS X, users will have to wait for Apple to issue a patch; for Linux, users will have to wait for an update to become available. I wouldn't expect that to take too long; in my distro of choice, Gentoo, patches have already been released for multiple versions of the Bash shell.

Because of the severity, anyone administrating a Linux server would be wise to continually check for updates - or, if you're well-versed enough, switch over to a different shell for the time being. Hopefully by now, you'll see a patch and won't have to go the latter route.

While Shellshock is going to be patched up rather quickly on PCs and servers all over the world just as Heartbleed was, if there's one thing that bug has taught us - there's no doubt that there will remain many vulnerable systems in the months ahead.

Offline realneil  
#2 Posted : Thursday, September 25, 2014 8:13:49 PM(UTC)

Rank: Advanced Member


Groups: Administrators, Moderator, Registered
Joined: 4/8/2009(UTC)
Posts: 8,695
Location: Shenandoah Valley, Virginia

Thanks: 2 times

I'll bet that we don't have to wait for "Patch-Tuesday" for a fix though.

Offline 3vi1  
#3 Posted : Friday, September 26, 2014 1:08:30 PM(UTC)

Rank: Advanced Member


Groups: Moderator, Registered
Joined: 5/12/2008(UTC)
Posts: 5,078
Location: U.S.

Already fixed. :)
