The Bash software bug may be bigger than Heartbleed, as it allows hackers to control the command prompt on many Unix computers.
The flaw in the shell, or command prompt software, could allow hackers to take complete control of a targeted system.
Details of the flaw, which credit its discovery to “Unix/Linux and telecom specialist” Stephane Chazelas, say that it relates to how environment variables are processed, and that the vulnerability is exploitable over the network in many common configurations, especially where Bash has been configured as the system shell.
Speaking to IT Security Guru, Jason Steer, director of technology strategy at FireEye, said that the problem is that Unix and Linux are the backbone of the internet and, unless you understand Linux and Unix, this could be a problem.
He said: “It is like you have preferences and how you like things, but they can be bypassed by not really closing off the entry point, which is a fundamental point of application security. From an enterprise perspective, many don’t run Unix or Linux and there is so much speculation and given that so many enterprises rely on Windows due to skillsets, only academics and Government have it and care about it as it comes down to the cost of support.
“From an end user perspective, there will not be much impact. Apple will release a patch, but this is more about systems and servers that may be vulnerable. It is about shopping and banking providers and are they doing everything to patch their systems which can impact your data.”
Steer said that there is still not an understanding of Heartbleed six months on, and that we are struggling with flaws on the OWASP Top 10; if we cannot do that properly and focus on it, then next week there will be another bug and more media hype.
Following the discovery of the bug yesterday, the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Mac OS X.
Robert Graham, researcher at Errata Security, said in a blog post that this is bigger than Heartbleed as the bug interacts with other software in unexpected ways. “We know that interacting with the shell is dangerous, but we write code that does it anyway,” he said.
“An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the Bash bug.”
He also said that while known systems (like your web server) are patched, unknown systems remain unpatched, and we are still seeing that with the Heartbleed bug.
Akamai chief security officer Andy Ellis said in his blog that the company had validated the existence of the vulnerability for “an extended period of time”.
He said: “We have also verified that this vulnerability is exposed in SSH – but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.”
To mitigate the problem, he recommended: upgrading to a new version of Bash; replacing Bash with an alternate shell; limiting access to vulnerable services; or filtering inputs to vulnerable services.
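As an added example, not code from the article or from any of the companies quoted, the following Python shows the two mitigations Ellis lists that a developer controls directly: filtering the inputs that reach a service before they are placed in the environment, and invoking other programs directly rather than “calling other applications through a shell”. Bash stores an exported function in an environment variable whose value begins with `() {`, which is why that prefix is the thing to filter. The function names (`looks_like_bash_function`, `scrub_environment`, `run_without_shell`) and the sample header values are constructed for illustration.

```python
"""Added example (not from the article, FireEye, Akamai or Errata Security):
filtering untrusted environment values and running programs without a shell.
Names and sample data below are assumptions constructed for illustration."""
import os
import subprocess

# Bash stores an exported function in an environment variable whose value
# starts with "() {". A vulnerable Bash kept parsing past the closing brace
# and executed whatever followed, so an attacker-controlled value of this
# shape is exactly the input a front-end service should reject.
BASH_FUNCTION_PREFIX = "() {"


def looks_like_bash_function(value: str) -> bool:
    """True if Bash would treat this environment value as a function body."""
    return value.lstrip().startswith(BASH_FUNCTION_PREFIX)


def scrub_environment(untrusted: dict) -> tuple:
    """Drop any variable whose value looks like an exported Bash function.

    Returns (clean_env, rejected_names) so the caller can log what was dropped.
    """
    clean, rejected = {}, []
    for name, value in untrusted.items():
        if looks_like_bash_function(value):
            rejected.append(name)
        else:
            clean[name] = value
    return clean, rejected


def run_without_shell(argv: list, extra_env: dict) -> int:
    """Run a program directly (no `sh -c`), with a minimal environment built
    from scratch instead of inheriting the caller's environment wholesale.

    Returns the child's exit status.
    """
    base = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    clean, _ = scrub_environment(extra_env)
    base.update(clean)
    # shell=False: argv goes straight to execve; no shell parses it or the
    # environment on the way in.
    return subprocess.run(argv, env=base, shell=False, check=False).returncode


# Constructed sample: what a CGI gateway might copy from request headers
SAMPLE_HEADERS = {
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed sample)",
    "HTTP_REFERER": "() { :; }; echo injected",   # constructed malicious value
}

if __name__ == "__main__":
    env, dropped = scrub_environment(SAMPLE_HEADERS)
    print("dropped:", dropped)          # → ['HTTP_REFERER']
    print("exit:", run_without_shell(["true"], SAMPLE_HEADERS))  # → 0
```

The filter is a stopgap of the kind Ellis describes (“filtering inputs to vulnerable services”) and does not replace upgrading Bash; the durable fix in the second function is that no shell is ever invoked, so the contents of the environment are never parsed as shell syntax at all.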
Steer said: “My question is what else is out there below the water? If you distill it to the essence of the story, it is that developers don’t do enough testing in quality assurance to secure the code before it goes out, and humans make bad decisions that we don’t sort out.”