Skip to content

Major new security flaw found

Featured Replies

Not a difficult one to fix on servers but appliances might be pretty screwed.

I did see claims that quite a few isp provided routers are using it which is madness as bash is pretty heavy.

  • Author

Most Web servers, all Apple products, anything running Linux, and Android (only if rooted though) is a pretty big problem.

But, but,,,,,,,,,,,,,but my Mac doesn't get viruses :rofl:

What we've only got apples ! We've notice them slowing down

But, but,,,,,,,,,,,,,but my Mac doesn't get viruses :rofl:

Its not a virus, OSX is based on Unix so is just as vulnerable to hacks as any other flavour of Unix/Linux. A hack is not a virus, it just allows a way for someone to access your data and has no way of spreading.

Any webserver on the whole internet running Apache is going to be a target, especially those processing financial data. However to be PCI compliant no data should be stored on these public facing servers, and the data in the backend has to be encrypted.

What we've only got apples ! We've notice them slowing down

that's more likely due to all the sheep porn you've downloaded clogging up the hard drive ;)

Only badly written code that depends on the functionality will cause problems.

It's already patched

that's more likely due to all the sheep porn you've downloaded clogging up the hard drive ;)

Most Web servers, all Apple products, anything running Linux, and Android (only if rooted though) is a pretty big problem.

The majority of home routers based on Linux run busybox, not bash. Android has its own command-line shell which relates to bash only in that it is somewhat compatible with Bourne Shell (one must not confuse the latter with bash). Besides, bash itself is not vulnerable remotely. It is a combination of bash + a network daemon which starts bash (like sshd) which may be vulnerable. I reckon the severity of the problem is greatly exaggerated.

The majority of home routers based on Linux run busybox, not bash. Android has its own command-line shell which relates to bash only in that it is somewhat compatible with Bourne Shell (one must not confuse the latter with bash). Besides, bash itself is not vulnerable remotely. It is a combination of bash + a network daemon which starts bash (like sshd) which may be vulnerable. I reckon the severity of the problem is greatly exaggerated.

I have no idea what all that means but it sounds technical so I'll give it a like :D

  • Author

Only badly written code that depends on the functionality will cause problems.

It's already patched

Not fully though.

Gah!

 

Now weeks of trying to force supplier to update their ****e for all manner of apache web servers that don't have proper contracts and a few months of the Unix guys going "we can't fix it it'll break things".

oh well thats the internet shagged, who wants a beer?

This is an interesting comment I've read about bugs/viruses.

 

 

" Linux: We found a bug - Let's fix it now before the bug becomes public knowledge.

Windows: We found a bug - shh, if we don't tell anyone, we can use it ourselves and fix it in the service pack in two years time.

Apple/Mac: We found a bug - Let's fix it and make users pay for the fix. "

 

I can't remember where I read it, but have a feeling it comes from a Linux fan.

It is going to be an hard fix this one and it alot different to the "Heart Bleed" bug.

 

I suspect companies that have internet facing servers will now move these servers out of DMZ - Replacing them with a patched server that will "Proxy" requests.

It is going to be an hard fix this one and it alot different to the "Heart Bleed" bug.

I suspect companies that have internet facing servers will now move these servers out of DMZ - Replacing them with a patched server that will "Proxy" requests.

Out of interest how is it going to be difficult to fix? Is it not just an update to bash 4.7 which doesnt even need a server bounce.

Either that or switch to ksh. ;)

Disclaimer: although i support software on unix im no unix support expert.

The fix is 'easy'.

 

However, deploying the update is the hard part. Embedded devices which may use it are going to be very challenging, stuff like firewalls and routers as mentioned above. Plus if your software is certified against specific code versions, you can't just push the update out. Code running against legacy versions of bash may not work any more. Switching to a different shell is a straight no-no. Its far from just apt-get install bash, yum install bash or whatever your flavour is.

Out of interest how is it going to be difficult to fix? Is it not just an update to bash 4.7 which doesnt even need a server bounce.

Either that or switch to ksh. ;)

Disclaimer: although i support software on unix im no unix support expert.

 

Huskoda has answered your question for me :)

 

Great explanation

Ah yeah fair enough. Hadn't thought of change control.

I do my best to avoid change control wherever i can - test my code in production.

http://www.thinkgeek.com/product/f141/

Joking. Maybe... ;)

I should get some of those as presents for some people at work. :)

 

Incidentally, it appears we do have some knockons just from updating bash in places, so yeah.

Change Control =  :devil:

 

The company I work at EVERYTHING and I mean everything must go through Change Control & be approved before the work can go ahead. I get why it is needed but it really does take up sooooo much time.

We have change control, but we also have an emergency change process for things like this where security is at stake. Essentially it overrules the standard process, so IT can create the change and implement without going through the full process. Things get tested as usual, but the whole approval part is missed out.

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.