A newly discovered bug in the Bash shell can be exploited to run malicious code immediately after the shell is invoked in Linux and UNIX-based operating systems. Bash shell is one of the most-used utilities for Linux/UNIX. Some security experts are calling this bug “bigger than Heartbleed.”
For those not familiar with the term, the shell is the command language interpreter that executes the commands from input devices and files. In other words, it’s the software that acts as liaison between the keyboard, mouse, or executable file and the operating system kernel. Bash stands for Bourne Again Shell and was created way back in 1989 to replace the Bourne shell. It’s a default shell on Linux and OS X, so that means many or most non-Windows systems are vulnerable.
Red Hat and Fedora have already come out with patches for the bug. These are popular distros in the enterprise environment so they needed to get the fixes to their customers as quickly as possible, and it was a Red Hat security researcher who uncovered the vulnerability in the first place. Ubuntu, one of the most popular distros among home users of Linux, has also released a patch. US-CERT released a bulletin, however, saying that the fixes that were initially released were incomplete and could still allow for attacks. Apple had not, as of the morning of September 25, responded to media inquiries regarding the bug, but security researchers have reportedly run tests and confirmed that OS X Mavericks is vulnerable.
The Bash bug is being referred to as “Shellshock” and its effects on unpatched machines can be devastating. Attackers can use it to take complete control over a system by remotely executing malicious code. The vulnerability itself isn’t new but has apparently been lurking in Linux and OS X for years prior to being discovered.
Reports have come in that an exploit is already in use “in the wild” against some web servers to make them zombies in a botnet, and some experts are fearful that it could be used to create a worm targeted at public web servers. Now that the news about the vulnerability has exploded all over the Internet, it won’t take long for more of the bad guys to create code to exploit it.
Linux aficionados like to brag that UNIX-based operating systems are inherently more secure than Windows and in the distant past, they did have some security advantages. Most of those advantages were based on the fact that in old versions of Windows, users often routinely had administrative privileges. With the advent of UAC in modern versions of Windows, and admin accounts that run with limited user privileges except when administrative tasks are performed, much of this advantage has disappeared.
To some extent, Linux has also enjoyed the benefits of “security through obscurity” (something, ironically, that its fans have accused proprietary software of depending on). Because the market share for the Linux OS on the desktop has been so small (still under 2 percent as of August 2014 according to NetMarketShare), attackers and malware authors haven’t focused on it because Windows – with over 85 percent of the market – makes a much more attractive target.
Even that hasn’t been working so well lately. A glance through our monthly Third Party Patch Roundup posts here shows that a typical Linux distro (Ubuntu is the one I report on because it’s one of the most popular) routinely needs more than thirty security patches per month to fix various vulnerabilities. Android, which is the most popular mobile OS in the world and is based on Linux code, is also known to be the favorite of malicious software distributors who exploit its many vulnerabilities.
The Bash bug has the potential to have a far-reaching impact because so many of the “Internet of Things” (IoT) devices use Linux-based software and web-enabled bash scripts, and they are less likely to be patched in a timely manner than traditional computers. Because the bug has existed in the bash shell for so long, many of the older devices that are still out there on the Internet are vulnerable, but probably won’t be updated because of their age. There are also many Linux and UNIX servers out there that are vulnerable to the exploit of this bug, as well as many home and some business routers and switches that run on Linux/UNIX software.
No matter what operating system you run, it’s essential to stay on top of the latest security news and install updates for critical flaws when they become available. This latest discovery reinforces the idea that security is and always will be an on-going process, not a destination.
Note: GFI LanGuard yesterday released update #763 with dedicated vulnerability checks to detect whether devices under management are vulnerable to this weakness. Click here for more info on how you can use GFI LanGuard to prevent this bug causing havoc on your network.