Bookmark This! posted by

The Plain Man’s Guide to What The Massive Shellshock Bug Means For You

shellshock
[image]

The big tech news of the moment, and probably of the year or decade, is the revelation about a massive security hole in something called Bash, which is an arcane bit of geek code which is installed on many of the computers which power and host the Internet (and also Apple Mac computers). Here’s our plain man’s guide to what it means for you.

1. Over 51% of all web servers (i.e. websites) are running on the Linux operating system. Bash was historically a commonly used software component of Linux. Therefore the vulnerability instantly makes all these machines potentially susceptible to attack. That is a Very Big Deal. Because Apple Macs also use Linux as the basic system, this means Macs are also vulnerable. But see below.

2. The exploit only affects web servers directly, i.e. computers which are connected to the Internet, and operate webcode or websites. So your laptop computer will likely not be vulnerable unless you have some web server programs installed. In addition this web server code needs to include CGI and Bash for it to be exploitable. Very geek.

3. It is not clear how many web server computers are vulnerable, because it is not clear how much CGI and Bash is still being used. Most websites now use newer technologies, but there are still a not insignificant number of web computers using ‘back-end’ functions where Bash/CGI may be employed. However in general terms, Linux hardware like Android phones and home Internet routers should be safe, because they do not use those components.

shellshock3
[image]

4. In order for the most serious part of the exploit to be run, the attacker needs to have access to the system in the first place (i.e. login, permissions etc), which immediately means the server then has much more of a security problem than just Shellshock. However, there is a form of attack where a remote attacker could add a nasty command to a web browser, which could suck private data from a web server like passwords, or other private information. This second form of attack is the one which worries security people the most.

5. Almost all of the major distributions of Linux have already had patches installed. Shellshock is therefore primarily of concern mainly for older, or small business computer installations, which may be running unpatched (i.e. unfixed) versions for a long period. Apple has yet to issue a patch for the problem. Similarly older or smaller web hosting services with sloppy security and upgrade procedures will be vulnerable.

6. How to test if your computer is vulnerable (warning – geek stuff): Run –

env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

If your computer is OK, you will see :

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test

If your computer is NOT OK, you will see:

env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
vulnerable
this is a test

7. How to fix your computer if it is vulnerable (see above warning):
1) open a terminal
2) type “sudo yum -y update bash”
3) wait until it says it’s finished, then log out of your computer and log back in.

8. Just to repeat: Shellshock is not a problem in and of itself if your device is securely protected by having authentication on all open ports, and full blown security systems in place around the CGI/Bash implementation. So while there are 78 million web servers which may potentially be vulnerable right now, it will still require the other components of the attack to be in place. Even so, one estimate suggests that between 3000 and 3 million computers (!) POSSIBLY could be vulnerable.

9. Again, if you do not run a web connected computer with CGI and Bash components installed, you will not be vulnerable at all. Windows itself is not vulnerable, it is only Linux systems (and to a lesser degree ordinary consumer Apple Macs). Despite rumours, there are no reports as yet of small Linux hardware devices (e.g. GPS, phones, security etc) being vulnerable, because most of them do not use Bash.

shellshockscanner

10. You can use this Shellshock Scanner to test whether your website or webserver is vulnerable to the problem.

Note: You can read an excellent, more technical, summary of the bug here.

Nigel is the managing editor of the Red Ferret, as well as a freelance columnist for the Sunday Times newspaper in London. Loves tech and fancies himself as a bit of a futurist, but then don’t we all?

Nigel – who has written posts on The Red Ferret Journal.


Comments are closed.

comments powered by Disqus

Side Advert

Chinavasion
DHgate Cheap electronics gadgets
BRANDO
Firebox

FB Like Box

Personnel

Managing Editor:
Nigel Powell

Deputy Editor:
Donyae Coles
Editor at Large:
Dan Ferris
Senior Ecological Editor:
Debra Atlas
Senior Motoring Editor:
Nick Johnson
Reviews Editor:
Simon Bossuyt

Write For Us

Red Ferret Video Reviews