Shellshock: Bash software bug leaves up to 500 million computers at risk of hacking

[Lynx-lynx]

Mmmm .... I don't know about anyone else but I don't think there'll ever be a 'safe' website.

Quote:

As many as 500 million computers may be at risk from a new software bug dubbed Shellshock that could give hackers a doorway to your desktop.

It is not yet clear exactly how many systems and what type of computers are vulnerable to Shellshock, but researchers say the vulnerability could be worse than the Heartbleed bug that recently put the data of millions of people at risk.

except of article:

Spoiler:

Professor Alan Woodward, a security researcher with the Department of Computing at the University of Surrey in England, said the bug was "potentially huge".

"If you just take the number of websites there are, last week we passed the billion mark, there are now over a billion active websites on the internet and over 50 per cent of those, so 500 million are running this software," he told the ABC's AM program.

"Even if only a tiny fraction of those, we could be talking tens of millions of computers that are vulnerable."

He said it could allow hackers to take control of devices.

ABC link: http://www.abc.net.au/news/2014-09-2...t-risk/5770952

Free software foundation website: http://www.fsf.org/news/free-softwar...-vulnerability

[QuantumIguana]

Passwords ought to be abolished. People have so many passwords that they can't remember them all and the use the same ones over and over or they use very simple passwords, which makes it easy to guess. And thieves can steal credit card information. We have the technology to do away with such primitive things as passwords.

[darryl]

The bug is in the bash shell which is used on most Linux systems and runs on most Unix type operating systems. While Linux is not even in the same ballpark as Windows so far as desktop use is concerned, it is used extensively on servers, including some banks, large companies, even, I seem to recall, at least one stock exchange. There is apparently a "proof of concept" floating around but so far I have seen no reports of any actual hacks.

Linux is my preferred operating system and I use it on my desktop and notebook I will continue to do so. Whilst Linux is a "safer" operating system than Windows it is neither completely safe nor immune. The lesson to be learnt here is that no operating system is completely safe from human ingenuity. We need to be realistic about the environment we are operating in and act accordingly.

If you have a Linux or Unix operating system you need to make sure that it is up to data and the version of bash on your system has been patched for this bug.

[gbm]

Within the last hour before this post updated bash for the third time today.

bernie

[Jessica Lares]

There are some third-party fixes for OS X floating around, Apple is working on thei own though.

Thy have said that unless you're messing around with it yourself, there shouldn't be a problem to begin with. Basiclly, if you're not running code or a server, you shouldn't be worried.

[arjaybe]

Quote:

As many as 500 million . . .
It is not yet clear . . .
could be worse than . . .

All guesswork and fear-mongering. My desktop received patches almost before I heard about it, and my hosting service has already advised me of their patches.

I've seen people saying that this is even less dangerous than Heartbleed. It's only getting the big blow-up because it's not Windows.

[HomeInMyShoes]

It is more dangerous than Heartbleed because Heartbleed really only allowed looking, not actually controlling as this one does. From a privacy protection standpoint it is a similar risk, but there is more at risk than just passwords and credit card information.

[ShellShock]

You are all at the mercy of my evil master plan, mwahahaha

[taustin]

Quote:

Originally Posted by arjaybe

All guesswork and fear-mongering.

I'll say. NPR did a piece on it yesterday, and the expert they were interviewing did not seem to be aware this does not affect Windows. The host, of course, was unaware of what an operating system is.

[Apache]

Quote:

Originally Posted by taustin

I'll say. NPR did a piece on it yesterday, and the expert they were interviewing did not seem to be aware this does not affect Windows. The host, of course, was unaware of what an operating system is.

Apache

[jgaiser]

It's important if you have an internet facing system. It is most definitely *not* 500 million computers. The majority of Linux systems are *not* internet servers and as such someone would have to get direct access to the machine and at the point it wouldn't matter. Update you systems. Quickly update your systems if they are serving up cgi or php. Take a deep breath. The world is not ending.

[Solicitous]

Quote:

Originally Posted by arjaybe

All guesswork and fear-mongering.

Oh not really. I can confirm 2 out of those 500 million computers are at risk. I checked my laptop this morning and it came back as being vulnerable (and I can only assume given the age of my media centre that it vulnerable too).

[arjaybe]

Quote:

Originally Posted by Solicitous

Oh not really. I can confirm 2 out of those 500 million computers are at risk. I checked my laptop this morning and it came back as being vulnerable (and I can only assume given the age of my media centre that it vulnerable too).

You're right. They did say "As many as 500 million . . ." so that would be anything from zero on up.-)

[Sregener]

Quote:

Originally Posted by darryl

Whilst Linux is a "safer" operating system than Windows it is neither completely safe nor immune.

At a fundamental level, it is the philosophy behind the software that makes Linux safer. This is for a few reasons.

First, the code is not secret. That means that many security flaws are quickly discovered, because many eyes can see them. Compare this to Windows/OS X which believe obscurity equals protection; they are counting on the fact that because you can't see the code, it will be harder to find the flaws that are there. Especially with Windows, one can see how this "security through obscurity" plays out in the real world.

Second, the code is available for anyone to fix. So patches are created almost instantly and plug holes, often before the public is even aware they exist. Compare the response time of the Linux patch to a typical Windows response of "we'll have a patch ready in a week or two to fix this issue." So instead of hearing that our systems are going to be vulnerable for weeks or months, and being completely at the mercy of one company for that timing, many are discovering that not only is a patch already available for this flaw, they may have already installed it!

This doesn't mean I run Linux. I'm a Mac guy for the productivity tools and the ease-of-use experience I get there. But I firmly believe that Linux is one of the most secure systems for the two reasons listed above, and if I were to run a server as opposed to a workstation, I'd be all over Linux. Nothing short of heaven is perfect, but Linux's security through openness has been a winning formula for years and will continue to be so.

[ShellShock]

Quote:

Originally Posted by Sregener

Compare this to Windows/OS X which believe obscurity equals protection; they are counting on the fact that because you can't see the code, it will be harder to find the flaws that are there.

Who do you mean by "they"? Microsoft and Apple? Where is your evidence for this statement? With Windows 7 I get regular security patches automatically downloaded. My experience is that Microsoft is extremely security aware, and do their utmost to quickly fix any security holes that are found. This is in their own commercial interest--they have to protect their reputation at all costs.

Quote:

Compare the response time of the Linux patch to a typical Windows response of "we'll have a patch ready in a week or two to fix this issue."

Again, do you have any evidence for this statement? Who are you quoting? My personal experience with Microsoft and Windows 7 is that I get a lot of security patches for things that I didn't even know were vulnerable, which seems to match what happens in the Linux world.

I don't see why you feel you have to bash Microsoft with a lot of unsubstantiated claims, in a thread about a Linux security flaw.