IT Security Guru
Bash bug disrupts Unix and Linux servers to hit internet

by The Gurus
September 25, 2014
in Editor's News

The Bash software bug may be bigger than Heartbleed, as it allows hackers to control the command prompt on many Unix computers.
 
The flaw in the shell, or command prompt software, could allow hackers to exploit a bug in Bash to take complete control of a targeted system.
 
Details of the flaw, which credit its discovery to “Unix/Linux and telecom specialist” Stephane Chazelas, say that it relates to how environment variables are processed, and that the vulnerability is exploitable over the network in many common configurations, especially where Bash has been configured as the system shell.
 
Speaking to IT Security Guru, Jason Steer, director of technology strategy at FireEye, said that the problem is that Unix and Linux are the backbone of the internet, and unless you understand Linux and Unix, this could be a problem.
 
He said: “It is like you have preferences and how you like things, but they can be bypassed by not really closing off the entry point, which is a fundamental point of application security. From an enterprise perspective, many don’t run Unix or Linux and there is so much speculation and given that so many enterprises rely on Windows due to skillsets, only academics and Government have it and care about it as it comes down to the cost of support.
 
“From an end user perspective, there will not be much impact. Apple will release a patch, but this is more about systems and servers that may be vulnerable. It is about shopping and banking providers and are they doing everything to patch their systems which can impact your data.”

Steer said that there is still not an understanding of Heartbleed six months on, and that we are struggling with flaws on the OWASP Top 10; if we cannot do that properly and focus on it, then next week there will be another bug and more media hype.
 
Following the discovery of the bug yesterday, the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Mac OS X.
 
Robert Graham, researcher at Errata Security, said in a blog post that this is bigger than Heartbleed because the bug interacts with other software in unexpected ways. “We know that interacting with the shell is dangerous, but we write code that does it anyway,” he said.
 
“An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the Bash bug.”

 
He also said that while known systems (like your web server) are patched, unknown systems remain unpatched, and that we are still seeing that with the Heartbleed bug.

Akamai chief security officer Andy Ellis said in his blog that the company had validated the existence of the vulnerability for “an extended period of time”.
 
He said: “We have also verified that this vulnerability is exposed in SSH – but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.”
 
To mitigate the problem, he recommended: upgrading to a new version of Bash; replacing Bash with an alternate shell; limiting access to vulnerable services; or filtering inputs to vulnerable services.
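As an added example (not part of this article, and not code from any vendor quoted in it), a small Python scanner that flags web access-log entries carrying the Bash function-definition prefix that the vulnerable environment-variable parser accepted. It assumes the Apache/nginx "combined" log format; the sample log lines and addresses are constructed.

```python
import re

# Apache/nginx "combined" access-log format (assumed; sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Vulnerable Bash treated any environment variable whose value began with
# "() {" as an exported function definition and kept parsing past the closing
# brace. CGI servers copy request headers such as User-Agent and Referer into
# environment variables, so a probe carries that prefix in a header. The regex
# tolerates whitespace variants of the prefix.
SHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Header-derived fields present in the combined format (Cookie, Host etc. are
# also copied into the CGI environment but are not logged in this format).
HEADER_FIELDS = ("ua", "referer")

def parse_line(line):
    """Return the log fields as a dict, or None when the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_shellshock_probe(entry):
    """True when any logged header field carries the function-definition prefix."""
    return any(SHOCK_RE.search(entry[f]) for f in HEADER_FIELDS)

def scan(lines):
    """Return (ip, timestamp, offending_field) for each flagged log entry."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # skip malformed lines rather than abort the scan
        for field in HEADER_FIELDS:
            if SHOCK_RE.search(e[field]):
                hits.append((e["ip"], e["ts"], field))
                break
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:01:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /bin/true" "curl/7.30"',
    '192.0.2.9 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    for ip, ts, field in scan(SAMPLE):
        print(f"{ts} probe from {ip} in {field}")
```

Headers not captured by the combined format would need the server's full request logging or an inline filter in front of the CGI layer, which is the "filtering inputs" mitigation mentioned above.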
 
Steer said: “My question is what else is out there below the water? If you distill it to the essence of the story, it is that developers don’t do enough testing in quality assurance to secure the code before it goes out, and humans make bad decisions that we don’t sort out.”

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic