Bash security flaw in OS X and Linux

Started by Gary, Sep 25, 2014, 08:41:25


Gary

Security researchers from Red Hat have uncovered a new exploit in the common "Bash" command shell found in OS X and Linux which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, the exploit can affect a wide variety of different web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

http://forums.macrumors.com/showthread.php?t=1789537

OS X is vulnerable with the latest 10.9.5 patch.
Damned if you do, damned if you don't

psp83


Technical Ben

I used to have a signature, then it all changed to chip and pin.

zappaDPJ

The question nobody seems to be asking is how a bug as serious as this one could go unnoticed for decades. Bourne-Again Shell (BASH)... used by millions, maintained by just one man. Where's the quality assurance in that?
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

mervl

Quote from: zappaDPJ on Sep 25, 2014, 19:13:03
The question nobody seems to be asking is how a bug as serious as this one could go unnoticed for decades. Bourne-Again Shell (BASH)... used by millions, maintained by just one man. Where's the quality assurance in that?

Quite simple, I'd have thought: everyone wants the latest new thing, and takes what we have for granted. Can hardly blame anyone for giving us what we want. Same as the problems in any other area of life, really.  >:D

zappaDPJ

Quite likely, it just amazes me that not one of the major corporations who use the code thought to check its source.

Technical Ben

It's the usual. Do you wish to try all bazillion combinations of input to test if they all pass correctly?

It's known as the "hard" problem in computing. The NP problem, or the halting problem. There is no easy way to do it, and it would be impossible to cover the costs of testing every iteration.

zappaDPJ

It's not about stress testing the code, it's more looking into the origin of it. This is a fairly small amount of code written by just one programmer and maintained by another for the last three decades. That code has become an open invitation to mayhem on 500,000,000+ machines. The nature of the security hole gives some indication that nobody has ever taken even the most cursory glance at it which I find quite incredible. I mean think of the potential consequences if the coder was a terrorist...

Technical Ben

AFAIK it's not that simple. It happens on all software. Once you get to a certain level of complexity, all the eyes in the world still take a long time to discover anything.

Was this not open source too? So it did have more than 2 eyes on it?

mervl

I'm not a programmer, obviously. But the world was different 30 years ago. And AFAIK some hardware suppliers don't use bash commands for their associated software (as a conscious decision, presumably). But for the rest, isn't it the case that if some major "top of the tree" users such as the American DoD and the security agencies use something then it tends to be "taken on trust" by the rest? Normal human behaviour. And not least because don't much IT development and top staff originally come from the military? Command is all. And bankers, accountants and civil servants are lazy, and remarkably ignorant when it comes to IT.  :evil:

psp83

It is bad though that a simple bit of text isn't escaped or parsed properly..

All you have to do is enter this () { :;}; then a command after it.. e.g. () { :;}; rm -rf /

Then say bye bye to the whole system  :evil:
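
Added example, not part of the thread: bash reads an environment value that begins with "() {" as a function definition, and a web server running CGI scripts copies request headers into environment variables, so the same prefix showing up in logged headers is worth flagging. The sketch below scans access-log lines for it; it assumes Apache/nginx combined log format, the function name find_shellshock_probes is hypothetical, and the log lines are constructed samples.

```python
import re

# Flag a header value that *begins* with the function-definition prefix.
# Extra whitespace is tolerated on purpose so sloppy probes are caught too.
PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

# Combined log format:
# ip ident user [time] "request" status size "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_LINE = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + " " + QUOTED
)

def find_shellshock_probes(lines):
    """Return (ip, field, value) for each logged header that starts with the prefix."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            # Unparseable line: fall back to a plain substring check
            # rather than silently skipping it.
            if "() {" in line:
                hits.append((None, "raw", line.strip()))
            continue
        ip, _request, referer, agent = m.groups()
        # Only Referer and User-Agent are recorded by this log format;
        # other headers (Cookie, etc.) never reach the log.
        for field, value in (("referer", referer), ("agent", agent)):
            if PREFIX.search(value):
                hits.append((ip, field, value))
    return hits

# Constructed sample lines using documentation IP ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:19:13:03 +0100] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:19:14:11 +0100] "GET /cgi-bin/status HTTP/1.1" '
    '200 87 "-" "() { :;}; echo probe"',
    '203.0.113.5 - - [25/Sep/2014:19:15:40 +0100] "GET /cgi-bin/test HTTP/1.1" '
    '404 0 "() {  :; }; echo probe" "curl/7.38.0"',
    # Benign: "(){" appears mid-value, not at the start, so it is not flagged.
    '192.0.2.44 - - [25/Sep/2014:19:16:02 +0100] "GET /js/app.js HTTP/1.1" '
    '200 900 "http://example.com/?cb=f(){}" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip}: function-definition prefix in {field}: {value!r}")
```

A hit only shows that someone sent the string; whether anything ran depends on the bash version behind the CGI handler.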

pctech

Surely an argument for not connecting absolutely everything to the Internet?

zappaDPJ

Quote from: pctech on Sep 27, 2014, 18:49:09
Surely an argument for not connecting absolutely everything to the Internet?


I still firmly believe that if you're going to use somebody else's code you should at least check out the developer's credentials and ideally QA his code.

A week ago I bought an add-on for a particular forum software which came from a highly respected add-on developer. It's a very powerful and popular add-on used by thousands of forums. While checking it out I found the add-on was dialling home. The developer claimed it was an anti-piracy tool so I hired a better coder than I who found the add-on was actually sending back sensitive data. Even worse it continued to do so after being uninstalled.

Virtually all my income comes from the Internet, mainly from forums these days. I use somewhere between 15 and 50 add-ons per forum and I check each and every one of them. I can't afford not to. If I do it I really don't see why the bigger fish don't do it  :dunno:

Either way they are starting to pay for it now. The Shellshock bug has now given birth to the 'Wopbot' botnet which launched a DDoS attack against servers hosted by content delivery network Akamai. That's a pretty major scalp and no doubt the first of many. It's hard to say what's to come because nobody knows but it might be worth fashioning a tinfoil hat just in case ;D

pctech

Considering how deeply embedded Akamai is in the fabric of the net then yes that's definitely worrying.