Thursday, September 25, 2014

Shellshock

If you have any responsibility for computers running Linux, the last couple of days have been busy. Yesterday afternoon, we all heard of an old but newly discovered vulnerability in bash (the Bourne-again shell), which today is being called "Shellshock". The problem is that unpatched versions of bash accept environment settings from the invoking program without sufficient checking: an environment setting can be crafted so that bash runs another program. This means, in the gravest case, that somebody with a web browser can cause your system to create an account for him, open the firewall, email passwords, etc.

If you have a Linux system or Mac at your disposal, you can test for this by entering
VAR="() { ignore; }; /bin/uname -a" bash
You should get an error message. If you get information about your operating system, it's time to update bash. If it takes more than five minutes to do so, it is probably because you are running an obsolete version of Linux. Figure out now how you will upgrade. It is a very bad idea to let your Linux installation get too old.
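The same test can be run non-interactively against every copy of bash on a machine. The script below is an added example, not part of the original post; the marker string, the function names and the use of /etc/shells to locate bash binaries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the manual test above.
# Instead of /bin/uname, the crafted variable carries a harmless echo of a
# constructed marker string, so a vulnerable bash is recognised by its output.
SHOCK_MARKER="shellshock-marker-$$"

# check_bash PATH
# Prints "vulnerable", "patched" or "missing".
# Returns 1 if vulnerable, 2 if PATH is not an executable, 0 otherwise.
check_bash() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 2
    fi
    # env -i gives the child a clean environment holding only the test variable.
    # stderr is dropped because a patched bash may print a warning here.
    out=$(env -i VAR="() { ignore; }; echo $SHOCK_MARKER" \
          "$shell_path" -c 'echo done' 2>/dev/null)
    case $out in
        *"$SHOCK_MARKER"*) echo "vulnerable"; return 1 ;;
        *)                 echo "patched";    return 0 ;;
    esac
}

# scan_shells
# Checks every bash listed in /etc/shells (assumed location of the shell list).
# Returns 1 if any of them is vulnerable.
scan_shells() {
    status=0
    for candidate in $(grep -E '^/.*/bash$' /etc/shells 2>/dev/null | sort -u); do
        result=$(check_bash "$candidate") || true
        printf '%s: %s\n' "$candidate" "$result"
        if [ "$result" = "vulnerable" ]; then
            status=1
        fi
    done
    return $status
}

# Run the scan only when asked, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_shells
fi
```

Run it with `--scan`; a non-zero exit status means at least one listed bash still needs updating.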






