Title: Worse than Heartbleed: ‘Shellshock’ Bash bug threatens millions of computer systems worldwide
Published: Sep 26, 2014
Author: staff
Post Date: 2014-09-26 02:02:42 by Tatarewicz

RT...

A vulnerability has been discovered within the widely used Bash software included on Linux and Mac operating systems, raising concerns about an exploit that some experts say stands to be more damaging than the Heartbleed bug identified earlier this year.

Researchers revealed on Wednesday this week that a bug has been spotted in Bash — a command-line shell developed in the 1980s and common to Linux and Unix systems — the likes of which may allow attackers to target computers and, if successful, run malicious codes that could let them take control of entire servers pertaining to potentially millions of machines.

But while the so-called Heartbleed bug found in April allowed hackers to spy on vulnerable systems due to a previously undiscovered flaw in the open-source encryption software called OpenSSL, security experts say already that the Bash exploit — being referred to as “Shellshock”— is more severe because exploiting it could allow attackers to seize systems that are vulnerable by running unauthorized code that, in a worst case scenario, gives them full privileges on the plundered machine.

“The method of exploiting this issue is also far simpler,” Dan Guido, the chief executive of a cybersecurity firm Trail of Bits, told Reuters on Wednesday this week of the differences. “You can just cut and paste a line of code and get good results.”

After discovery of Shellshock was identified by researcher Stephane Chazelas on Wednesday, the United States Computer Emergency Readiness Team, or US-CERT, acknowledged the severity of the issue by releasing a statement warning that “exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”

“In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run,” security company Symantec said in a warning on Thursday.

"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, added to Reuters. "Anybody with systems using Bash needs to deploy the patch immediately."

On the government’s official CERT website, a statement tells visitors to read a Wednesday blog post on the website of security company Red Hat where researchers said patching the exploit was a “critical priority” and, given the “pervasive use of the Bash shell,” should be acknowledged by everyone as a serious vulnerability. Separately, the National Vulnerability Database — a group sponsored by the US Department of Homeland Security, CERT and the National Institute of Standards and Technology — gave the bug a rating of “10” in terms of severity, its highest.

Among those who say Shellshock poses a bigger risk than Heartbleed is Robert Graham, a computer expert and co-founder of Errata Security, who tweeted this week that “enough systems are vulnerable for this to be a real concern.”

“Luckily, since bash is open-source, this bug was quickly found before it became widely deployed,” Graham tweeted, but with the caveat: “This ‘bash’ bug is probably a bigger deal than Heartbleed.”

Indeed, a preliminary scan conducted by Graham this week discovered no fewer than 3,000 vulnerable systems. “Consequently,” he wrote, “…this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would ‘game over’ for large networks.”

Patches have since been released that are intended to prevent attacks from exploiting the Bash bug, but the Red Hat security blog said on Thursday that attempts to fix the glitch have so far been incomplete.

#1. To: Tatarewicz (#0)

Thanks for the heads up.

Pinguinite posted on 2014-09-26 4:31:26 ET


#2. To: Pinguinite, Tatarewicz, Lod, Jethro Tull, christine, Horse, All (#1)

More on this very serious computer virus....

Hackers are already exploiting the Shellshock bug, as we speak, because "fixes" are proving to be ineffective - they are going after the servers:

www.theglobeandmail.com/t...ffective/article20791606/

snip

Shellshock is a flaw in a ubiquitous interface that affects a wide range of computer systems and computer-driven devices.

“We have billions of devices on the Internet and we’re still going to see millions that have this problem,” Josh Bressers, a member of the security response team at the North Carolina technology firm Red Hat, said in an interview.

The bug was discovered by a French programmer who was worried that the interface was behaving in a “naive way” and was open to accepting malicious code.

“The only people who don’t have to worry about it are people who are running Windows consumer PCs or devices that are smaller than five centimetres by five centimetres,” Prof. Skillicorn said.

“Absolutely everything in between is almost certainly affected.”

This, he said, could include computers running on Linux and Mac OS X operating systems, website servers, Internet-enabled devices such as remote webcams, Wifi routers, cable modems, even Internet-enabled appliances.

Major security firms were sending out patches to remedy the problem.

scrapper2 posted on 2014-09-26 12:05:28 ET


#3. To: scrapper2, Pinguinite, Tatarewicz, Lod, christine, Horse, All (#2)

Shellshock is a flaw in a ubiquitous interface that affects a wide range of computer systems and computer-driven devices.

Can someone give me an entry level explanation on what I need to do in order to protect this Tandy PC of mine?

Jethro Tull posted on 2014-09-26 18:21:53 ET


#4. To: Jethro Tull, scrapper2, Tatarewicz, Lod, christine, Horse, All (#3)

Solid info is not around yet, but apart from completely disconnecting from the internet, there's not much most people whose PCs and such are vulnerable can actually do at this point. You are either vulnerable, or not.

If you are running Windows only, you are safe.

Linux and Apple systems are potentially vulnerable.

If you have a router and it's running "BASH" (Bourne Again SHell), which is a Linux program which accepts and processes commands, it *could* be vulnerable. BASH is the program which contains this bug. I don't know yet how you can tell if your router uses BASH.

Because BASH has been around for such a long time, many other independent devices have it incorporated. Patching them will be the biggest challenge because such devices generally are never updated.

For the most part, Linux servers, such as web servers, contain this bug and will be the first to be targeted.

If you do have a Linux system, run your update manager frequently to try to get the patch as soon as it's available.

BTW, to test your Linux system, you can open up a terminal window and paste this into it and press return:

---------------------
x='() { :;}; echo VULNERABLE' bash -c :
---------------------

If you get "VULNERABLE" printed on your screen, you have the bug. If you get something like:

---------------------
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
---------------------

Then your system is patched and you're safe.

Pinguinite posted on 2014-09-27 13:02:27 ET
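
Added example, not part of the post above or of the article: the same probe wrapped in a POSIX shell script that checks every bash binary listed in /etc/shells, since a machine can carry more than one copy and updating one does not update the others. The function names and result labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example: run the thread's probe against each installed bash binary.
# Function names and result labels are assumptions made for this example.

# classify_probe_output TEXT: map the probe's combined stdout/stderr to a label.
classify_probe_output() {
    case "$1" in
        *VULNERABLE*)
            echo "vulnerable" ;;      # the trailing command was executed
        *"ignoring function definition attempt"*)
            echo "patched" ;;         # the warning quoted in the thread
        *)
            echo "no-injection" ;;    # nothing ran; later bash builds stay silent
    esac
}

# probe_bash PATH: run the probe against one specific bash binary.
probe_bash() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        echo "missing"
        return 0
    fi
    # env -i starts from an empty environment so only the probe variable is
    # passed in; the trailing command is the harmless echo from the thread.
    out=$(env -i x='() { :;}; echo VULNERABLE' "$bash_bin" -c : 2>&1) || true
    classify_probe_output "$out"
}

# scan_shell_list: read an /etc/shells-style list on stdin, probe each bash.
scan_shell_list() {
    while IFS= read -r line; do
        case "$line" in
            /*/bash) printf '%s: %s\n' "$line" "$(probe_bash "$line")" ;;
        esac
    done
}

# Check every bash registered on this machine, when the list is readable.
if [ -r /etc/shells ]; then
    scan_shell_list < /etc/shells
fi
```

A "patched" or "no-injection" result only covers the injection this probe tests; the thread notes that the first patches were reported incomplete, so updates should keep being applied.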


#5. To: Pinguinite (#4)

Thanks Neil. I got vulnerable, now I will see if they have a patch yet. Thanks again.

Americans who have no experience with, or knowledge of, tyranny believe that only terrorists will experience the unchecked power of the state. They will believe this until it happens to them, or their children, or their friends. Paul Craig Roberts

"When plunder becomes a way of life for a group of men living together in society, they create for themselves in the course of time a legal system that authorizes it and a moral code that glorifies it." Frederic Bastiat

James Deffenbach posted on 2014-09-27 15:24:04 ET


#6. To: All (#5)

Updated and now I get what you said I should when it was safe.

James Deffenbach posted on 2014-09-27 15:32:42 ET


#7. To: James Deffenbach (#6) (Edited)

What Linux are you running?

Oh.... there have been patches issued, but also warnings that they are not complete, so keep doing updates for the next week or two.

Pinguinite posted on 2014-09-27 15:53:05 ET


#8. To: Pinguinite (#7)

I use PCLOS. I usually update pretty often but this time I got a new team viewer (updated version of it anyway--I had 8 and now it's 9).

James Deffenbach posted on 2014-09-27 16:29:15 ET


#9. To: Pinguinite (#4)

Neil, would you mind if I posted this info on fb? There are probably people who post there who use Linux and Macs who don't know about this bug. I will give you credit for it under your real name or Pinguinite.

James Deffenbach posted on 2014-09-27 16:31:17 ET


#10. To: James Deffenbach (#9)

Please don't credit me at all. I'm just learning this myself from other websites. I frankly don't understand much about how bash works under the hood. But thanks for asking.

Pinguinite posted on 2014-09-28 3:16:10 ET


#11. To: Pinguinite (#10)

Thank you. It may help someone just as it did me.

James Deffenbach posted on 2014-09-28 5:25:59 ET

