
Very compromising bug found in Bash utility, update: it seems to be worse than what it initially was

AlexGoesHigh

this one is bad gentlemen, to begin with bash is...

GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems

which can be found in most GNU/Linux OSes and Unix systems, one of them being OS X, but what does the bug do?

The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

in layman's terms it allows any kind of malicious script to be run on the system and compromise everything in it, and due to its widespread use, this could affect as many servers/PCs as the Heartbleed bug. There's no reason to lose your shit, there's already a fix for it, which is already available for

Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution

CentOS (versions 5 through 7)

Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS

Debian

and I'm assuming very soon for other distributions as well as OS X. You can also confirm if your system is affected by running this in a terminal:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

I'm not that much into Linux but this does sound like a serious problem, which at least is already fixed, and not something treated as poorly as Heartbleed, though I would run those prompts ASAP just to make sure.

source: Ars Technica

update: it seems security experts are more concerned about this than they were at first, mainly because the patch currently going around just delays the attacks and does not fix the issue completely; you can read more at the source since I'm on mobile atm, will format properly later when I can

source: http://www.theverge.com/2014/9/25/6843669/bash-shellshock-network-worm-could-cause-internet-meltdown

this is one of the greatest things that has happened to me recently, and it happened on this forum; those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

I used to have the second best link in the world here, but it died ;_; it's a 404 now but it will always be here
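As an added example (not from the thread, Ars Technica, or the bash project), here is the same one-line test wrapped in a POSIX shell script so it can be pointed at a chosen bash binary and used in a fleet audit; the candidate paths /bin/bash, /usr/bin/bash and /usr/local/bin/bash are assumptions. It classifies on the presence of the injected "vulnerable" line rather than on the warning text, because a fully patched newer bash simply treats x as an ordinary variable and prints no warning at all.

```shell
#!/bin/sh
# Added example (not from the thread): the thread's one-line Shellshock test,
# wrapped so it can be run against a chosen bash binary inside an audit script.

# Pure classifier over the combined stdout+stderr of the test command.
# An unpatched bash runs the trailing "echo vulnerable" while importing the
# function definition from the environment, so "vulnerable" appears as its
# own line before the real command's output. A patched bash either warns and
# ignores the definition or (newer releases) treats x as a plain variable and
# prints nothing extra; both count as patched here.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    else
        echo patched
    fi
}

# Run the test against one bash binary (argument, default /bin/bash) and
# print its classification; both streams are captured so the warning lines
# from a patched bash are part of what gets classified, not terminal noise.
check_bash() {
    bash_bin="${1:-/bin/bash}"
    [ -x "$bash_bin" ] || { echo missing; return 2; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
    classify_output "$out"
}

# Audit the usual install locations (assumed paths); returns 1 if any is vulnerable.
audit() {
    status=0
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$b" ] || continue
        r=$(check_bash "$b")
        printf '%s: %s\n' "$b" "$r"
        if [ "$r" = vulnerable ]; then status=1; fi
    done
    return "$status"
}

# Constructed samples (the two outputs quoted in the thread) for offline checks.
SAMPLE_VULN='vulnerable
this is a test'
SAMPLE_PATCHED="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
this is a test"

audit
```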

 


but windows is still just a really shitty os, right?

Yes. The very fact that you think this has anything to do with an OS is hilarious. Windows has had awful exploits too.

 

@IdeaStormer

 

This is when all the people who've been on zsh for years start giggling.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /


Well it seems the fix for Debian was out stupid fast, as I don't have the vulnerability, and it was last updated I think yesterday.


Except this is irrelevant for attackers when they can just do a FUD Java Drive-By.

Mein Führer... I CAN WALK !!


Yes. The very fact that you think this has anything to do with an OS is hilarious. Windows has had awful exploits too.

@IdeaStormer

This is when all the people who've been on zsh for years start giggling.

What can zsh get you that bash can't?

Software Engineer for Suncorp (Australia), Computer Tech Enthusiast, Miami University Graduate, Nerd


What can zsh get you that bash can't?

Not much, but at least I don't have to deal with this vulnerability on my Linux boxes. I prefer the zsh language to bash also.

 

My OS X installation, however. I'm hoping 10.9.5.0.1 is released tomorrow to cover this. I tested it and it's vulnerable. Shame, Apple, shame! To be honest there's obviously not much they could have done about it, but seeing as this is the week of finding as many reasons as possible to hate them, I'm mad.


New sensationalized, "gizmodoed" headline:

New Linux exploit could cause huge problems and many tears. 

Don't bend over in the shower. 

muh specs 

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, asetek based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0  ports, 2 250GB 850 EVOs in Raid 0 (why not, only has games on it), some hard drives

Screens- Acer preditor XB241H (1080p, 144Hz Gsync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- k70 with reds, steel series rival, g13, full desk covering mouse mat

All parts black

Workstation(desk)- 3770k, 970 reference, 16GB of some crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3  ASUS VN248H-P IPS 1080p screens mounted on a stand, some old tv on the wall above it. 

Stuff- Epicgear defiant (solderless swappable switches), g600, moutned mic and other stuff. 

Laptop docking area- 2 1440p korean monitors mounted, one AHVA matte, one samsung PLS gloss (very annoying, yes). Trashy Razer blackwidow chroma...I mean like the J key doesn't click anymore. I got a model M i use on it to, but its time for a new keyboard. Some edgy Utechsmart mouse similar to g600. Hooked to laptop dock for both of my dell precision laptops. (not only docking area)

Shelf- i7-2600 non-k (has vt-d), 380t, some ASUS sandy itx board, intel quad nic. Currently hosts shared files, setting up as pfsense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via usb switch


Well, I used Dash (Debian Almquist shell), so I'm not affected :P.

▶ Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. - Einstein◀

Please remember to mark a thread as solved if your issue has been fixed, it helps others who may stumble across the thread at a later point in time.


but windows is still just a really shitty os, right?

My Ubuntu 14.04.1 install in VMWare which was updated last night is vulnerable to this.

 

[screenshot: Vuln.png]

 

Just ran an update now and can confirm that it's fixed.

 

[screenshot: Fixed2.png]

 

One of the big reasons why Linux is king of security over Windows, it gets updated nearly instantly once a serious issue arises.


What can zsh get you that bash can't?

 

Well for starters...

 

1. Run every shell script known to man, well maybe not Zoidbert Shell :lol:  (Yes it exists) and Windows shell environments. By all shells I mean ksh, csh, tcsh, bash, might have missed one or two.

2. You can configure it up the yin yang, so much that it will take you a good day to get it all configured just right, and by just right I mean to your very custom settings. Time well worth its weight in command shells.

3. If you think tab completion in bash is cool, well zsh has not only tab completion for file/programs but for program options B)  with man type explanations.

4. It's a modern shell, as in made for the future not the past.

 

Some References: http://www.zsh.org/

http://friedcpu.wordpress.com/2007/07/24/zsh-the-last-shell-youll-ever-need/

http://www.maclife.com/article/columns/terminal_101_better_shell_zsh

 

 

List of Command Shells: https://en.wikipedia.org/wiki/Comparison_of_command_shells

I roll with sigs off so I have no idea what you're advertising.

 

This is NOT the signature you are looking for.


good thing my router and phone use busybox

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


Well for starters...

1. Run every shell script known to man, well maybe not Zoidbert Shell :lol: (Yes it exists) and Windows shell environments. By all shells I mean ksh, csh, tcsh, bash, might have missed one or two.

2. You can configure it up the yin yang, so much that it will take you a good day to get it all configured just right, and by just right I mean to your very custom settings. Time well worth its weight in command shells.

3. If you think tab completion in bash is cool, well zsh has not only tab completion for file/programs but for program options B) with man type explanations.

4. It's a modern shell, as in made for the future not the past.

Some References: http://www.zsh.org/

http://friedcpu.wordpress.com/2007/07/24/zsh-the-last-shell-youll-ever-need/

http://www.maclife.com/article/columns/terminal_101_better_shell_zsh

List of Command Shells: https://en.wikipedia.org/wiki/Comparison_of_command_shells

This is why I'm never embarrassed to ask questions. It's more valuable to be humble and learn than stay stubbornly in your own box.


Except this is irrelevant for attackers when they can just do a FUD Java Drive-By.

It requires that it is FUD.

Requires Java.

Requires you to run it.

Most likely not compatible with Linux.

sJDB has been fixed too, so it really is not that commonly used anymore.


There is a patch out for Arch as well.

Don't think there is a patch for Cygwin.

 

Hopefully people will update their stuff quickly.


New sensationalized, "gizmodoed" headline:

New Linux exploit could cause huge problems and many tears. 

Don't bend over in the shower. 

honestly blame the Red Hat guys; even on their blog they made this sound like the end of the world... not in the title, but most publications would lose their shit with what they were talking about

https://securityblog.redhat.com/


@AlexGoesHigh

 

Thanks a lot for putting this here and detailing the vulnerability test... I would've ended up with a vulnerable laptop...

 

I'll notify my team about this too...


For people running Ubuntu it's as simple as running

 

sudo apt-get update

 

And then

 

sudo apt-get upgrade

 

All fixed, have fun!

CPU: Intel Core i7-4790k @ 4.7 1.3v  with a Corsair H80 w/Dual SP120s - Motherboard: MSI Z97 gaming 5 - RAM: 4x4 G.Skill Ripjaws X @ 1600 - GPU: Dual PowerColour R9 290- SSD: Samsung NVME SM951 256GB-- PSU: Corsair RM 1000  - Case: NZXT H440 Black/red - Keyboard: Coolermaster CM storm Quickfire TK, Cherry MX blues - Mouse: Logitech G502 - Heaphones: Beyerdynamic DT 770 - Monitors: 3x VE248H Eyefinity 1080P -  Phone: iPhone 6S Plus               Please post your specifications in your post, signature or even better, system page on your profile!


This is why I'm never embarrassed to ask questions. It's more valuable to be humble and learn than stay stubbornly in your own box.

 

No! Ask questions; sure, you stick your foot in your mouth, but look, now you have more info. We all learn, it never stops.


Updated OP with new info and source


update: it seems security experts are more concerned about this than they were at first, mainly because the patch currently going around just delays the attacks and does not fix the issue completely; you can read more at the source since I'm on mobile atm, will format properly later when I can

source: http://www.theverge.com/2014/9/25/6843669/bash-shellshock-network-worm-could-cause-internet-meltdown

 

Switching to a different shell isn't a viable solution? :huh:


New sensationalized, "gizmodoed" headline:

New Linux exploit could cause huge problems and many tears. 

Don't bend over in the shower. 

 

This section should have a "Sensationalist Writer of the Year" award. 

 

We have so many people who could actually work at Gizmodo based off sensationalism alone. 

