It's quite easy to check if your version of Bash is vulnerable: open up a terminal window and run:
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Should Bash be vulnerable, it'll return:
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
If it's not vulnerable, you should just get back “this is a test” and possibly a warning about Bash ignoring an attempted function definition. If it does return vulnerable, you'll want to see about updating your version of it as soon as possible (most [all?] of the major Linux vendors have released patches, and Apple is expected to do so soon). Basically, instead of a harmless “echo vulnerable” (which just prints the word “vulnerable” to the terminal), an attacker could potentially put a much more harmful command in there, which in the right circumstances could do a lot of damage.
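The same check can be scripted so that it runs against every Bash binary on a machine and reports one result per path. This is an added example, not part of the original post; the function names and the default paths are assumptions.

```shell
#!/bin/sh
# Added example: runs the probe from the post against one or more Bash
# binaries and classifies the output instead of reading it by eye.

# classify_bash PATH -> prints "vulnerable", "not vulnerable" or "unknown"
classify_bash() {
    shell=$1
    [ -x "$shell" ] || { echo "unknown"; return 0; }
    # Same probe as in the post. stderr is dropped because a patched Bash may
    # print a warning about ignoring the attempted function definition.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>/dev/null)
    case $out in
        *vulnerable*)     echo "vulnerable" ;;
        "this is a test") echo "not vulnerable" ;;
        *)                echo "unknown" ;;
    esac
}

# audit_bash [PATH...] -> one "path: result" line per binary that exists.
# Returns 1 if any binary is vulnerable, 0 otherwise. With no arguments it
# checks a few common locations (assumed; adjust for your system).
audit_bash() {
    [ $# -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    status=0
    for shell in "$@"; do
        [ -e "$shell" ] || continue
        result=$(classify_bash "$shell")
        echo "$shell: $result"
        if [ "$result" = "vulnerable" ]; then
            status=1
        fi
    done
    return $status
}

audit_bash "$@"
```

A machine can have more than one copy of Bash installed, so pass any extra paths as arguments to cover them as well.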
One noteworthy feature of this bug is that it's apparently been around for something like twenty years (Bash is fairly old as software goes), so it's expected to be found in an incredible number of devices, including a large number of the servers that host the World Wide Web.
It's still early yet to see what will come out of this, but it's likely to be a serious security issue for quite some time due to the difficulty of getting everything patched.
(I was feeling creative tonight, though I may have been a bit too literal.)