Bash Bug/Shellshock

[MrJim]

Anyone losing sleep on this one?

By now you have heard about a new bug in one of the most popular Unix shell programs, the Bourne-again Shell, or bash. If you run Mac OSX you probably have used bash, it is the default terminal app. Shellshock is a “bug” in the way Heartbleed is a “bug.” A mistake in implementing code. Shellshock allows anyone (or anything) that has shell access to execute arbitrary code.

ShellShock Bug In Bash Could Spawn Worm - Forbes

 

[Qyöt27]

There still has to be a certain point-of-access, and as always, protecting oneself is a matter of performing regular updates. Even though Debian and Ubuntu use Dash for general script execution (and this reduces their vulnerability to Shellshock*, although they've used Dash for years just because it's faster), there was an update that came through the pipeline last night for bash, I assume in the effort to begin tackling this.

The overall scenario seems to be mostly of concern for those who do operations with external services - SSH, Apache servers, etc. While Apple will eventually get OSX's default version of bash patched, in general it's better to switch bash's update path to the builds provided by Homebrew. Mainly because Apple ships OSX with bash 3.2 (with minimal backported patches, which is where the fix will come), while Homebrew provides the latest stable version (currently 4.3, plus the regular urgent security patches and bugfixes any normal repo system will update their builds for). For reference, bash 3.2 was released in 2006, and stopping getting regular patches after November of 2008, and had no patches from March 17th, 2010 until 2 days ago, when the news of this broke. 4.3 was released as stable 7 months ago, and is still being regularly updated, because it's the current version.

*Patch Bash NOW: 'Shellshock' bug blasts OS X, Linux systems wide open ? The Register

Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway. It's essential you check the shell interpreters you're using, and any Bash packages you have installed, and patch if necessary.

As long as the user already has Homebrew installed, it's possible to switch bash over to Homebrew's by doing the following:

# Install bash 4.3 from Homebrew:
brew install bash

# Change the permissible login shell to Homebrew's build of bash:
sudo open -a TextEdit.app /etc/shells

# Change '/bin/bash' to '/usr/local/bin/bash', save, and exit TextEdit.

# Force the old version of bash out of the execution path for the Terminal by renaming it:
sudo mv /bin/bash /bin/bashold

# Symlink Homebrew's to /bin/bash so that existing shell scripts still work:
sudo ln -s /usr/local/bin/bash /bin/bash

That will make it to where only Homebrew's is seen when the user types in 'bash', and the Terminal will use it instead of the default one. You can see this by typing in 'bash --version' and looking at the readout. You may need to close and re-open the Terminal to get it fully refreshed. Generally, I'd trust Homebrew to get any patches and updates out faster than Apple would anyway, and this makes it simple to do so.

And yes, Homebrew's version of bash is 4.3.26, meaning it has all of the current patches applied. It actually updated to .26 while I was in the process of writing up that set of instructions. I'd installed it a couple minutes earlier, as .25, and voila, an update came down before I logged off, the same day as the .26 patch was uploaded to the GNU mirror linked to above.

 

[Sketcher]

It's really as simple as updating your binary through your OS's approved package manager. If there weren't two updates to bash in the last two days to address this, then your distro's security team fails at life. Get the update, then test. Here's another way to test:

http://www.liquidweb.com/kb/information-on-cve-2014-6271-bash-vulnerability-shell-shock/

 

[FreedByte]

Already updated bash

 

[lesliedellow]

Time for Windows users to gloat.

 

[Sketcher]

Time for Windows users to gloat.

About what exactly? I also use Windows.

 

[FreedByte]

Time for Windows users to gloat.

 

[FreedByte]

About what exactly? I also use Windows.

He's trying to imply that Windows users should gloat in the fact that Windows is unaffected by the bash security flaw, when in reality the security of Windows pales in comparison to the security of Linux.

 

[Sketcher]

He's trying to imply that Windows users should gloat in the fact that Windows is unaffected by the bash security flaw, when in reality the security of Windows pales in comparison to the security of Linux.

I know this. I don't think he does.

 

[FreedByte]

I know this. I don't think he does.

idk

 

[lesliedellow]

About what exactly? I also use Windows.

Linux users are always on about how "secure" Linux is, and how "insecure" Windows is. What they really mean is that virus writers mostly don't bother themselves with something which has only around 3% of the market.

 

[FreedByte]

3% of the market.

of the non-mobile, non-server market.

 

[EphesiaNZ]

Linux users are always on about how "secure" Linux is, and how "insecure" Windows is.

Nothing is secure but the above quote holds fairly true.

What they really mean is that virus writers mostly don't bother themselves with something which has only around 3% of the market.

It's called security by obscurity. Long may it continue.

Fact: 95% of the worlds super computers run Linux.

Fact: Linux dominates totally in data centers across the world.

Fact: Windows still dominates the desktop but the desktop market is a shadow of its former self.

Fact: The following link shows how Linux has failed (NOT) in the mobile space,

https://en.wikipedia.org/wiki/Linux_adoption#mediaviewer/File:World_Wide_Smartphone_Sales.png

Fact: Windows only claim to fame (usage) is now the dwindling desktop market. In all other categories it is pretty much a minor player.

If you look at the total device market share worldwide, you will see that 3% is a rather low figure. Maybe multiply that figure by 20 and that might reflect the true picture.

 

[FreedByte]

If you look at the total device market share worldwide, you will see that 3% is a rather low figure. Maybe multiply that figure by 20 and that might reflect the true picture.

Yep, since Android devices run the Linux kernel and make up 47% of the mobile market [source] and Linux runs over half of the world's webservers [source], I'd say it has done pretty well.

Linus Torvalds explaining why Linux is successful in mobile and server spheres but isn't successful on the desktop:

Q&A session with Linus Torvalds: Why is Linux not competitive on desktop? - YouTube

 

[Sketcher]

Linux users are always on about how "secure" Linux is, and how "insecure" Windows is. What they really mean is that virus writers mostly don't bother themselves with something which has only around 3% of the market.

And they know the benefits of only installing software through trusted repositories, as well as the speed at which the open source community is able to patch flaws, and the user account model that Linux uses. I have run into accounts that were hacked for months on end due to flaws in installed web apps, but the server itself was not compromised - the infection was locked into those accounts, and those accounts only. What is the earliest version of Windows where this has been known to happen?