I don’t really think I understand the new bash bug, cutely named “shellshock”. I’ll just use this post as a dumping ground for links I have quickly collected. But some explanation first.
Bash is a shell, or command line interpreter, used by various Unix-derived or (in the case of Linux) Unix-clone operating systems. It is included not only in various GNU/Linux distributions, such as Red Hat, Ubuntu or Debian, but also in a more mainstream operating system: Mac OS X. There is a bug in Bash that enables attackers to execute commands remotely, and potentially enables them to do naughty things.
As far as I know, usual PC systems are largely not affected. Most PCs use Windows, which doesn’t use Bash and is thus not vulnerable to this bug. Even personal machines that run Linux or Mac OS X usually don’t enable the remote services that attackers could use to exploit this bug.
The systems affected will mainly be servers. Although Windows rules personal computers, a very large portion of servers run Linux or some version of Unix. Most web servers, in fact, run on Unixes (with Apache or Nginx). So even though your own system may not be vulnerable, the Internet as a whole has a great problem.
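Since the question for most readers is whether their own machine is affected, here is a small self-check script. It is an added example, not from this post or any of the linked sources; the function names are mine, and it assumes `bash` and `env` are on the PATH. It relies on the published mechanism of the bug: unpatched Bash parsed exported environment variables starting with `() {` as function definitions and wrongly ran any text after the closing brace, so a harmless marker command after the brace reveals whether the installed Bash is affected.

```shell
#!/bin/sh
# Added example: local self-check for the Shellshock bug described above.
# It only inspects the bash installed on this host; nothing remote is touched.

# Returns one of: "vulnerable", "patched", "no-bash".
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # SHELLSHOCK_PROBE is a constructed variable name. A fixed bash imports it
    # as a plain variable; an unpatched one treats it as a function definition
    # and also executes the marker echo that follows the closing brace.
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo SHELLSHOCK_MARKER' \
          bash -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Print the verdict together with the bash version, e.g. for an audit log.
report_shellshock() {
    result=$(check_shellshock)
    if [ "$result" = "no-bash" ]; then
        echo "bash not installed: $result"
    else
        echo "bash $(bash -c 'echo "$BASH_VERSION"'): $result"
    fi
}

report_shellshock
```

A "patched" result only covers the original variable-parsing flaw; the follow-up fixes mentioned in the links below should still be applied through your distribution's updates.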
On to the links. I may add new ones.
- Initial report from Akamai
- An overview of the bug from Troy Hunt (via Hacker News)
- Fedora Magazine explains how the vulnerability works
- Apple says most Mac OS X users won’t be affected, but you should update anyway when a patch is released.
- The initial patch doesn’t really eradicate the problem. And there may be more bugs lurking.
- The bug was quickly exploited
- Oracle products (other than obvious ones like Solaris and Oracle Linux) are affected as well.
- A good explanation of several techniques that can be used to exploit this vulnerability.