Shellshocked?

StackExchange: Unix/Linux
The question...

Should bash shells be replaced with the new patched version?
US-CERT recommends users and administrators review TA14-268A, Vulnerability Note VU#252743 and the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch.
A fact...

A timeline...
Ramifications...
  • The Bash shellshock "vulnerability" has been a "feature" of Bash for 22 years. You'd think in all that time, in all those high-security environments that run Unix or Linux, someone would have worried about misuse.
  • Now, every installation of Bash in the world is about to be replaced.
  • Though Bash is open-source, few people actually take the time to study the code of such large and complex programs.
  • Bash is written in C, which supports embedded assembly-language code, something even fewer programmers have the skills to read.
  • Bash is written in C, which easily supports treating any block of binary, such as something labeled as data or a small image, as code.
  • Thus, a skilled programmer could hide "backdoor" code in plain sight, and it probably wouldn't be discovered unless it caused an error of some kind.
  • Extremely highly skilled programmers who break the law are often employed by federal agencies.