Thursday, September 25, 2014

Shellshock

http://www.cbc.ca/news/technology/shellshock-computer-bug-already-exploited-by-hackers-1.2777514

Something I found interesting about "shellshock" (though I prefer "bash bug," as there are more shells than bash, and as far as I can tell, the flaw only affects bash) is that there doesn't seem to be a patch yet, although the article does mention a fix. The problem is that there aren't enough details in the article (or in any security-related article) to determine the present state of the bug. As far as I can tell, the difficulty with this bug is that there must be a software release to fix the issue, but there are so many system administrators who don't patch and update on a regular basis, leaving a plethora of systems wide open to attack. As someone who has worked with bash for a long time, I feel like the details that I've been able to find haven't really told me whether or not my own systems have been compromised. I've never used environment variables (the setting of which is exploitable) in my servers (as far as I know), so I don't think I'm vulnerable, but more details would help.
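The post asks how to tell whether one's own bash is affected. The bug is that a vulnerable bash, when importing a function definition from an environment variable, keeps parsing past the closing brace and executes whatever follows; a fixed bash stops at the brace (or refuses the import). The following is an added example, not part of the original post: a local self-check that sets such a variable whose trailing command only echoes a marker word, and reports whether the installed bash ran it. The function names are my own, and it tests only this original environment-variable behaviour, not the follow-up bugs that were later found in the same parser.

```shell
#!/bin/sh
# Added self-check for the bash environment-variable ("shellshock") bug.
# Not from the blog post; function names are assumptions of this example.

# Classify the stdout of the probe: 0 ("true") if the marker word appeared,
# which means the trailing command in the variable was executed.
shellshock_classify() {
    case "$1" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Probe the given bash binary (default: the first "bash" on PATH).
# Returns 0 if that bash is vulnerable, 1 if it is fixed or absent.
shellshock_check() {
    bash_bin="${1:-bash}"
    # No bash at all means the bug cannot be present on this host.
    command -v "$bash_bin" >/dev/null 2>&1 || return 1
    # The variable holds a harmless function body followed by an extra command.
    # A fixed bash prints only "ok"; a vulnerable one also prints "vulnerable".
    out=$(env X='() { :;}; echo vulnerable' "$bash_bin" -c 'echo ok' 2>/dev/null) || out=""
    shellshock_classify "$out"
}

# Human-readable report for running the script directly.
shellshock_report() {
    if shellshock_check "$@"; then
        echo "bash is VULNERABLE: install your distribution's bash update"
        return 1
    else
        echo "bash is not vulnerable to the original environment-variable bug"
        return 0
    fi
}
```

Run it as `sh shellshock.sh` with `shellshock_report` called at the bottom, or source it and call `shellshock_check /path/to/bash` for a non-default binary. Note that a negative result only covers the bash binary probed; services that invoke bash with attacker-controlled environment variables (CGI handlers are the usual case) are the ones to inventory, since the exposure is in how bash is reached, not in whether the administrator "uses" environment variables.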

2 comments:

  1. This bug was far less responsibly disclosed than Heartbleed, which had a very wise disclosure method. Actually, the original authors of the bug did a good job with things but once it leaked out into some close circles, only preliminary facts began circulating and it led to a lot of confusion. So there's quite a bit of misunderstanding about this exploit, even though it's as old as time...

  2. Interesting that the effects of this haven't been more widely publicized. For a month it seemed like Heartbleed was on the landing page of every online news source. Obviously the number of Linux users is a small fraction of people who use SSL, but you'd think within the Linux community there would be more communication.
