Thursday, September 25, 2014

PSA: “Shellshock”

PSA: If you use any form of *nix as your operating system – some form of Unix, Linux, or Mac OS X – and you have the Bash shell installed, you may want to see about updating it. This is because of a newly disclosed critical vulnerability in it (dubbed by some “Shellshock”) that could potentially allow an attacker to execute arbitrary code with a specially crafted attack. (If you're on Windows you're probably OK, unless [possibly] you're using something like Cygwin, in which case you're probably tech-savvy enough to look up how to fix it.)

It's quite easy to check if your version of Bash is vulnerable: open up a terminal window and run:

> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Should Bash be vulnerable, it'll return:

> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test

If it's not vulnerable, you should just get back “this is a test” and possibly a warning about Bash ignoring an attempted function definition. If it does return vulnerable, you'll want to see about updating your version of it as soon as possible (most [all?] of the major Linux vendors have released patches, and Apple is expected to do so soon). Basically, instead of a harmless “echo vulnerable” (which just prints the word “vulnerable” to the terminal), an attacker could potentially put a much more harmful command in there, which in the right circumstances could do a lot of damage.
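A machine can have more than one copy of Bash installed, and the one-liner above only tests the first one in your PATH. The script below is an added example, not part of the original post: it runs the same test string against each Bash binary it can find and reports a verdict per path. The function names and the list of candidate paths are assumptions.

```sh
#!/bin/sh
# Added example: run the post's test against every Bash binary on this host.

# Classify the stdout captured from the test command. A vulnerable Bash runs
# the text after the function body while importing the variable, so
# "vulnerable" shows up as its own line of output.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo patched
    else
        echo unknown
    fi
}

# Run the test against one binary. stderr is discarded because a patched
# Bash may print a warning about ignoring the function definition attempt.
check_bash() {
    [ -x "$1" ] || { echo missing; return; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    classify_output "$out"
}

# Candidate locations (assumed): whatever is in PATH, any bash listed in
# /etc/shells, and two common install paths.
list_bash_candidates() {
    {
        command -v bash 2>/dev/null || true
        if [ -r /etc/shells ]; then grep '/bash$' /etc/shells || true; fi
        echo /bin/bash
        echo /usr/local/bin/bash
    } | sort -u
}

# Print one "path<TAB>verdict" line per candidate.
audit_bash() {
    list_bash_candidates | while IFS= read -r path; do
        printf '%s\t%s\n' "$path" "$(check_bash "$path")"
    done
}

audit_bash
```

Any path reported as "vulnerable" needs the vendor's update; "missing" just means no executable exists at that candidate path.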

One noteworthy feature of this bug is that it's apparently been around for something like twenty years (Bash is fairly old as software goes), so it's expected to be found in an incredible number of devices, including a large number of the servers that host the World Wide Web.

It's still early yet to see what will come out of this, but it's likely to be a serious security issue for quite some time due to the difficulty of getting everything patched.


(I was feeling creative tonight, though I may have been a bit too literal.)

Edit (9/27/14): I wasn't entirely happy with that version so I went back and played around with it some more and made a few more versions (and learned some useful lessons about Inkscape in the process). Here's the version I currently like the most:
