Thread: Is anything really safe?

  1. #1
    Join Date
    Aug 2010
    Location
    USA
    Posts
    5,582

    Is anything really safe?

    I recall discussions touting UNIX systems (Linux I believe) as being the answer to various security issues present in Windows machines and then I read this today:
    http://mobile.extremetech.com/comput...ternet-updated

    Maybe it's time we all just give up!?

  2. #2
    Join Date
    Aug 2010
    Location
    USA
    Posts
    5,582
    I love this quote from the article:
    "Amusingly enough, our best hope for mitigating Shellshock quickly is if a white hat hacker creates a worm that uses the Shellshock vulnerability to automatically spread across the internet, patching vulnerable computers and devices as it goes"
    We need a super-hero to come in and save the day!

  3. #3
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,455
    I view this flaw as relatively minor. Someone would have to exploit another flaw or hole in the server's software to make use of this. That said, servers I am responsible for are already patched.

  4. #4
    Join Date
    Aug 2010
    Location
    USA
    Posts
    5,582
    Hey Brian, how long ago did you install the patches for this? The article makes it sound like this was a just discovered problem.

  5. #5
    Join Date
    Dec 2011
    Location
    Lexington, Oh
    Posts
    509
    I am also patched against at least the first flaw. The patch was available very shortly after discovery. That usually happens with Linux. It appears at least one more vulnerability (such as Apache) is needed as well.

    I suspect a much higher percentage of Linux users keep software updated than Windows users, also. Could be wrong, though.

  6. #6
    Join Date
    Feb 2003
    Location
    Doylestown, PA
    Posts
    7,569
    Quote Originally Posted by Duane Meadows View Post
    I am also patched against at least the first flaw. The patch was available very shortly after discovery. That usually happens with Linux. It appears at least one more vulnerability (such as Apache) is needed as well.

    I suspect a much higher percentage of Linux users keep software updated than Windows users, also. Could be wrong, though.
    I got one patch the day before news of the Bash problem was released, and a second patch a couple days later. I set my machines to automatically download and install security patches. I check for updates on non-security related patches occasionally. Touch wood, I haven't had an automatically downloaded security fix on a released version cause a function problem that I can recall. What is missing (I'm using Ubuntu Gnome) is a notice that a restart is necessary after automatically applying a security patch. In my experience Linux doesn't require as many restarts after applying updates as Windows, but patching a few parts does require a restart.

    I wonder if the concern about embedded devices is overstated. The flaw is with BASH. From what I've read, it sounds like most devices with embedded Linux such as routers or set top TV boxes don't use BASH but rather busybox or other shell that doesn't have this vulnerability.
    Last edited by Curt Harms; 09-30-2014 at 7:58 AM.
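
An added example (not part of any post in this thread): a POSIX shell inventory check for the question raised above, whether a machine's `/bin/sh` is really bash or something like busybox, and which scripts in a directory name bash (directly or through `/bin/sh`) as their interpreter. The function names and the `CGI_DIR` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: inventory of bash exposure, no probing of bash itself.

# classify_shell PATH -> prints bash | busybox | other
# Follows symlinks, since /bin/sh is usually a link to the real shell.
classify_shell() {
    target=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    case "$(basename "$target")" in
        bash)    echo bash ;;
        busybox) echo busybox ;;
        *)       echo other ;;
    esac
}

# shebang_kind FILE -> prints bash | sh | other, based on the first line only.
shebang_kind() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\0')
    case "$first" in
        '#!'*bash*)                        echo bash ;;
        '#!'*/sh|'#!'*/sh\ *|'#!'*' sh')   echo sh ;;
        *)                                 echo other ;;
    esac
}

# bash_backed_scripts DIR SH_KIND -> prints files that end up running under bash.
# SH_KIND is the result of classify_shell /bin/sh: a "#!/bin/sh" script only
# counts when /bin/sh itself is bash.
bash_backed_scripts() {
    find "$1" -type f | sort | while IFS= read -r f; do
        k=$(shebang_kind "$f")
        if [ "$k" = bash ] || { [ "$k" = sh ] && [ "$2" = bash ]; }; then
            printf '%s\n' "$f"
        fi
    done
}

# Optional run: set CGI_DIR (hypothetical variable) to a script directory.
if [ -n "${CGI_DIR:-}" ]; then
    kind=$(classify_shell /bin/sh)
    echo "/bin/sh is: $kind"
    bash_backed_scripts "$CGI_DIR" "$kind"
fi
```

An empty listing on a box where `/bin/sh` is busybox or dash matches the point made in the post; any listed file is a reason to confirm that the installed bash package carries the vendor's fixes.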

  7. #7
    Quote Originally Posted by Brian Elfert View Post
    I view this flaw as relatively minor. Someone would have to exploit another flaw or hole in the server's software to make use of this. That said, servers I am responsible for are already patched.
    Shellshock is EXTREMELY serious, as it provides root privileges to the malicious code. So if I was a complete a$$-hat, I could manipulate an unpatched shared web server by invoking bash.

  8. #8
    Honestly, I'm not exactly sure this is a "bug", per se. In fact, I would almost go as far as to say that I may even remember noticing this years and years and years ago, and thought nothing of it (because I don't really know much about CGI). I'll bet you when it's "patched", it will break a great many things.

    I really find it odd that such a gaping hole has gone undiscovered for so long. It's bordering on unbelievable, actually, and I mean unbelievable in the literal sense of, "just how stupid do you think I am?"
    Last edited by John Coloccia; 09-30-2014 at 9:33 AM.

  9. #9
    Join Date
    Mar 2006
    Location
    SoCal
    Posts
    22,512
    Blog Entries
    1
    Quote Originally Posted by Pat Barry View Post
    I recall discussions touting UNIX systems (Linux I believe) as being the answer to various security issues present in Windows machines
    So you have discovered their awful secret . . . Apples, 'UX' variants, network chassis and even your cell phone are all vulnerable to someone who has the wherewithal to work at it. We actually have more trouble with Linux and Macs than PC's on campus. Could be a trend due to Windows users getting bit all the time and the others buying the line that they're just inherently "safe". I am OS agnostic and run all sorts of machines at work.
    "A hen is only an egg's way of making another egg".


    – Samuel Butler

  10. #10
    Join Date
    Apr 2007
    Location
    Columbus, Ohio, USA
    Posts
    3,441
    Seems that my Fedora computers are already patched.

    Well, BASH was patched anyway. That fix came out very fast.

  11. #11
    Join Date
    Oct 2006
    Location
    Minneapolis, MN
    Posts
    5,455
    Quote Originally Posted by Pat Barry View Post
    Hey Brian, how long ago did you install the patches for this? The article makes it sound like this was a just discovered problem.
    Friday and again yesterday as new patches came out for a second flaw found in Bash.

  12. #12
    Join Date
    Mar 2003
    Location
    SE PA - Central Bucks County
    Posts
    65,859
    Reported on the 24th. Most vendors need a day or three to evaluate and then create patches. Red Hat and Oracle got busy with that and now others who use those OS have to apply and do regression testing to ensure there is no application breakage. Nearly everyone rates this as a "high" risk and it's being taken very seriously. While MacOS is affected, the risk was apparently lower due to the way the OS handles certain authentication things. That said, Apple released a patch yesterday: http://support.apple.com/kb/DL1769?v...S&locale=en_US for Mavericks which is a simple installation with no restart required.

    I do like that idea of the "white worm" that was brought up earlier in the thread!
    --

    The most expensive tool is the one you buy "cheaply" and often...
