These recent months have shown how the open source software model handles (or is still handling) bugs that can be turned into exploits against Linux servers. These are:
Shellshock (Sept 2014) - remotely take over a server.
BBC http://www.bbc.com/news/technology-29361794
Heartbleed (April 2014) - OpenSSL data could be intercepted.
BBC http://www.bbc.com/news/technology-28867113
The sheer number of Linux servers affected means that this is a serious and widespread threat. Heartbleed has been patched, but Shellshock does not yet have a patch that fully resolves the bug.
An interesting technical discussion of Shellshock can be found on Stack Exchange:
https://unix.stackexchange.com/questions/157329/what-does-env-x-command-bash-do-and-why-is-it-insecure
How do you know if your shell is vulnerable? Hacker News recommends running the following commands in every shell that is in use:
env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"
env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"
If the output contains the text "shellshock", that shell is vulnerable: please find a patch.
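As an added example (not code from the original post, and not an official tool), the one-line check above is wrapped below in a POSIX sh script that probes every shell binary on the host and reports a verdict per shell. The use of /etc/shells and the fallback list of shell paths are assumptions; the probe itself is exactly the env trick quoted above, and only a shell that still executes code after an imported function body prints "shellshock".

```shell
#!/bin/sh
# Added example, not code from the original post: a reusable version of the
# "env X=..." check that runs against every shell found on the host.

# Classify the captured output of one probe. The trailing "echo shellshock" only
# runs in a shell that executes code after an imported function definition;
# a patched shell prints just "completed".
classify_output() {
    case "$1" in
        *shellshock*) echo vulnerable ;;
        *completed*)  echo patched ;;
        *)            echo unknown ;;   # binary did not behave like a shell
    esac
}

# Probe one shell binary. Exit status: 0 patched, 1 vulnerable, 2 could not test.
check_shell() {
    shell="$1"
    [ -x "$shell" ] || { echo "$shell: not found"; return 2; }
    # Same probe as the one-liner above; stderr is discarded because patched
    # bash versions warn about the ignored function-import attempt.
    out=$(env X='() { :;} ; echo shellshock' "$shell" -c 'echo completed' 2>/dev/null) || true
    verdict=$(classify_output "$out")
    echo "$shell: $verdict"
    case "$verdict" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# Probe every login shell listed in /etc/shells (assumed location) plus a few
# common fixed paths, de-duplicated. Returns 1 if any shell is vulnerable.
check_all_shells() {
    report=$(
        {
            [ -r /etc/shells ] && grep '^/' /etc/shells || true
            printf '%s\n' /bin/sh /bin/bash
            command -v bash 2>/dev/null || true
        } | sort -u | while read -r s; do
            [ -x "$s" ] && { check_shell "$s" || true; }
        done
    )
    printf '%s\n' "$report"
    case "$report" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Usage: run the full sweep when executed directly.
[ "${0##*/}" = "shellshock_check.sh" ] && check_all_shells
```

The script prints one line per shell and exits non-zero if any shell executed the injected command, which makes it easy to run from a configuration-management or monitoring job across a fleet after patching.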
Chris, a contributor at BuzzFeed News, wrote a good piece on how two people, Steve Marquess and Stephen Henson, maintained the OpenSSL package. The commercial entity behind this is known as the OpenSSL Software Foundation.
Now, doesn't it make you wonder who is responsible for the bash shell, and whether it is the same package in every Linux distro?