29 September 2014

"Shellshock" - a scary new computer bug

From the BBC:
The flaw has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple's Mac operating system. The bug, dubbed Shellshock, can be used to remotely take control of almost any system using Bash, researchers said...

"Whereas something like Heartbleed was all about sniffing what was going on, this was about giving you direct access to the system," Prof Alan Woodward, a security researcher from the University of Surrey, told the BBC.

"The door's wide open."

Some 500,000 machines worldwide were thought to have been vulnerable to Heartbleed. But early estimates, which experts said were conservative, suggest that Shellshock could hit at least 500 million machines...

"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," said Tod Beardsley, a Rapid7 engineer...

For general home users worried about security, Prof Woodward suggested simply keeping an eye on manufacturer websites for updates - particularly for hardware such as broadband routers.
More at the link. I would welcome comments from some of the informed readers of this blog.


  1. Shellshock is a vulnerability in Mac computers, Linux servers, and a lot of IT infrastructure. Windows machines are not affected. It's going to be much the same as Heartbleed - lots of scary news articles, little practical fallout for end users. System admins like me are running around with their pants on fire patching everything, but the only thing you need to do is install updates on any iOS devices you own. It's possible that hackers will use the vulnerability to steal data at some point, but there's no need to be paranoid about it. Just keep your usual precautions in place.

    1. I misspoke, it's Mac OS X that is vulnerable, not iOS. However, if you've rooted your iOS or Android phone it may be vulnerable. Since rooting (aka jailbreaking) is not supported by the vendors, you're probably SOL for patches.

  2. Preface: This bug only affects Linux/Unix systems, Mac OS systems to a very small extent and Windows systems not at all (you could probably build an insecure Windows system if you wanted, but it would take serious effort).

    This is essentially a case of passing along user-supplied data to places where it doesn't belong.

    Usually, when you let a user enter information into a database, for example, you first check it for certain characters or strings to ensure they are actually entering data and not sending commands to your database. XKCD has a humorous take on this here (http://xkcd.com/327/), where the single quote after "Robert" ends the actual database input and is followed up by a command to delete the entire table holding the student's data. You would usually sanitize such inputs before letting them run havoc on your database.

    Shellshock does not affect a database, however, but your computer directly because a) user input is not sanitized and b) it's forwarded to your system's "shell" (hence the name), the command-line processing application present on most computer systems. This allows an attacker to execute arbitrary system commands (including downloading and executing new programs) on an affected machine under certain (a lot!) circumstances. Many programs on Linux/Unix machines work by passing information around the command line, and whenever this happens with information resulting from an outside call, an attack might take place.

    The main problem is that there is a large number of attack vectors simply because so many programs and parts of your operating system require information obtained through a network and the bug is usually triggered before these programs even get to the stage where the input is validated.

    For example, the protocol used to assign an IP address to your computer ("DHCP"), which is often invoked before your computer's start-up sequence has finished, could be used to carry shellshock'ed instructions and, depending on your exact system, they might get executed before you could even log on properly.

    If you're running a Linux machine with bash as your default shell, you need to get this looked at (usually updating the bash package is sufficient by now). If you're running Mac OS X with a public-facing webserver you need to ensure you're not forwarding user data to any system() calls or similar and wait for a patch (or patch manually).

    1. To be noted, it's kind of the same problem as Heartbleed: It's a problem with a feature few people use, and is mostly completely unnecessary to have. For Heartbleed, it was a heartbeat function that wasn't used much and for bash it's a possibility of exporting functions to another shell. (To quote the zsh people: why would you want that - it'd just lead to very obscure code! And you can do export/import manually with a one-liner if you need it.)

      Since no-one is using the features, it doesn't get much attention. And thus the bugs don't catch on until much later...

      Anyway, the good thing with heartbleed is that a lot of sysadmins now are up to speed to update their systems.

      And the whew-factor of this bug is that it just barely missed all the home routers, all the iPhones and all the Androids. (They use busybox and ash.)
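The mechanism described in the comment above (an environment variable that pre-patch bash parsed as an exported function definition, and the legitimate `export -f` feature the reply mentions) can be verified against the bash on your own machine. This is an added example, not code from the post or its commenters; it assumes a bash binary on PATH (or a path passed as the first argument) and uses a constructed probe variable named SHELLSHOCK_PROBE.

```shell
#!/bin/sh
# Reports one of: patched, vulnerable, no-bash
check_bash_function_import() {
    target="${1:-bash}"
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Constructed probe: pre-patch bash treated any variable whose value began
    # with "() {" as a function to import and kept executing whatever followed
    # the closing brace. A patched bash only imports functions from specially
    # named BASH_FUNC_* variables and ignores text after the function body, so
    # the trailing command never runs and the variable is just a plain string.
    out=$(env 'SHELLSHOCK_PROBE=() { :;}; echo trailing-ran' \
          "$target" -c 'echo body-ran' 2>/dev/null)
    case "$out" in
        *trailing-ran*) echo "vulnerable" ;;
        *)              echo "patched" ;;
    esac
}

# The feature the zsh remark refers to, used legitimately: define a function,
# export it with `export -f`, and call it from a child bash. Prints "ok" when
# the export still works after patching (it does; only the encoding changed).
exported_function_roundtrip() {
    target="${1:-bash}"
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    "$target" -c 'greet() { echo ok; }; export -f greet; "$1" -c greet' \
        sh "$target" 2>/dev/null
}

# When run directly: report on the bash found on PATH (or the path in $1).
echo "function-import check: $(check_bash_function_import "$1")"
echo "export -f round-trip:  $(exported_function_roundtrip "$1")"
```

A result of "vulnerable" means the bash package on that machine still needs updating, as the comment advises.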

  3. My thanks to both of you. I suspect the readers of this blog will find your comments more useful than most of the articles they will encounter about this topic.

  4. Apple has supplied a fix. http://support.apple.com/kb/DL1769 This is for Mavericks. Lion and ML are available also.

    1. Thank you, you just saved me having to look that up for an end user!

  5. Strangely, I haven't heard anything about this anywhere else. Would have expected something in my Twitter stream, at least.

    I find it highly ironic, given the long history of Unix users criticising Windows for (among other things) not being very secure.

  6. A nice explanation of ShellShock:
