Shell Shock


Mario Kart shell

At risk of repeating old news which has distributed itself across the internet quick-smart (as it should, since that’s the point), y’all have probably heard about the critical bug that was uncovered this morning. Have a snippet of a release going out to people who probably don’t know what ‘Unix’ is anyway:

A new security vulnerability was publicly announced yesterday morning, with widespread impact to a significant portion of the internet.

This new bug, which is being called "Shell Shock", enables hackers to exploit a vulnerability in the Unix operating system's shell, 'bash', which is run on web servers, computers, phones and other internet-connected devices. This allows remote attackers to take control of devices, steal information and inject their own malicious code.

This bug affects Unix-based operating systems such as Linux and Mac OS X, so while Windows users are not directly at risk, they should consider exercising caution and increasing their firewall settings, as information to and from web servers must still travel through non-Microsoft components which could be affected by this bug.

This is my job, right? Explain technical things to the non-technical? Anyway, I thought this external link to Troy Hunt’s website was a particularly good overview, with interesting points, such as that those on Windows aren’t necessarily going to sleep safe and snug in their beds either with a bug like this running around, so to speak. I notice at the time of writing that the patches are incomplete though, so the best option is not to use it at all, right? If you have the opportunity.

Red Hat has become aware that the patches shipped for this issue are incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
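A defender-side sketch of how the crafted values Red Hat describes can be spotted in web server logs, added here as an example and not part of the original post or Red Hat's advisory: bash serialises exported functions as environment values beginning with `() {`, so the check flags that prefix in logged request fields. The Apache combined log format is assumed, and the log lines, addresses and the `find_suspect_requests` name are constructed for illustration.

```python
import re

# Bash serialises an exported function as an environment value beginning with
# "() {". Flag that prefix, tolerating extra whitespace between the tokens.
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")

# One double-quoted log field, tolerating backslash-escaped quotes inside it.
QUOTED = r'"((?:[^"\\]|\\.)*)"'

# Assumed format (Apache "combined"):
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r"^(\S+) \S+ \S+ \[[^\]]+\] " + QUOTED + r" \d{3} \S+ " + QUOTED + " " + QUOTED + r"$"
)
FIELDS = ("request", "referer", "agent")  # order of the three quoted groups


def find_suspect_requests(lines):
    """Return (line_number, client_ip, field) for each field carrying the prefix."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line.strip())
        if match is None:
            continue  # not in the assumed format; a real pipeline should count these
        ip, *values = match.groups()
        for field, value in zip(FIELDS, values):
            if FUNC_PREFIX.search(value):
                hits.append((number, ip, field))
    return hits


# Constructed sample lines (documentation-range addresses, inert trailing text).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:09:14:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 96 "-" "() { :; }; CONSTRUCTED-TRAILING-TEXT"',
    '198.51.100.7 - - [25/Sep/2014:09:14:06 +0000] "GET /cgi-bin/status HTTP/1.1" 200 96 "() { :; }; CONSTRUCTED-TRAILING-TEXT" "curl/7.38.0"',
    '192.0.2.44 - - [25/Sep/2014:09:15:40 +0000] "GET /docs/f(x).html HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1)"',
]

if __name__ == "__main__":
    for number, ip, field in find_suspect_requests(SAMPLE_LOG):
        print(f"line {number}: {ip} sent a function-definition prefix in {field}")
```

A header the log format does not record cannot be checked this way, so a clean result only covers the request line, referer and user agent.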

Also ‘Shell Shock’ makes me think Mario Kart, hence the above image.