Should bash shells be replaced with the new patched version?
US-CERT recommends users and administrators review TA14-268A, Vulnerability Note VU#252743 and the Redhat Security Blog for additional details, and refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch.
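Before replacing anything, it is worth confirming whether the bash already on a machine still has the behaviour described in VU#252743. The script below is an added example written for this post (not code from US-CERT or the bash project); it runs the widely published local self-test, in which an environment variable holding a function definition with a trailing command is handed to bash, and reports whether that trailing command ran. It assumes a POSIX sh and a bash binary on PATH or given as the first argument.

```shell
#!/bin/sh
# Added example: report whether the local bash still imports function
# definitions from arbitrary environment variables (the Shellshock
# behaviour in VU#252743). A patched bash treats the variable as plain
# text, so the command after the closing brace never runs.

# Classify the captured stdout of the probe. Kept separate from the
# probe itself so the decision logic can be checked without a bash binary.
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;   # trailing command was executed
        *completed*)  echo patched ;;      # bash ran, trailing command ignored
        *)            echo unknown ;;      # bash did not run as expected
    esac
}

# Run the probe against the bash given as $1 (default: bash on PATH).
# Prints one of: vulnerable | patched | unknown | no-bash
shellshock_status() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo no-bash
        return 2
    fi
    # "probe" is an arbitrary, constructed variable name; its value is a
    # function body followed by "echo vulnerable". Only an unpatched bash
    # executes the part after the closing brace. The patched bash may warn
    # on stderr, which is discarded so only stdout is classified.
    probe_out=$(env probe='() { :;}; echo vulnerable' \
                    "$bash_bin" -c 'echo completed' 2>/dev/null)
    classify_shellshock_output "$probe_out"
}

# Usage: sh shellshock-check.sh [/path/to/bash]
# "vulnerable" means this bash should be replaced with the vendor's patched build.
status=$(shellshock_status "$@") || true
echo "bash shellshock status: $status"
```

Run it once per bash binary on the host (for example /bin/bash and any bash bundled with third-party software), since vendor patches only cover the copies they ship.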
A fact...
A timeline...
- Oct 2012 - "Apple is added to the NSA’s list of penetrated servers"
- Dec 2013 - Apple Says It Has Never Worked With NSA...
- Sep 19, 2014 - Likely that NSA has now demanded Apple's data and they are resisting
- Sep 24, 2014 - US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X
Ramifications...
- The Bash shellshock "vulnerability" has been a "feature" of Bash for 22 years. You'd think in all that time, in all those high-security environments that run Unix or Linux, someone would have worried about misuse.
- Now, every installation of Bash in the world is about to be replaced.
- Though Bash is open-source, few people actually take the time to study the code of such large and complex programs.
- Bash is written in C, which supports embedded assembly-language code, code that even fewer programmers have the skills to read.
- Bash is written in C, which easily supports treating any block of binary, such as something labeled as data or a small image, as code.
- Thus, a skilled programmer could hide "backdoor" code in plain sight, and it probably wouldn't be discovered unless it caused an error of some kind.
- Extremely high-skilled programmers that break the law are often employed by federal agencies.