Thursday, 25 September 2014

'Bash' Command Flaw Leaves Linux, OS X and More Open to Attack

Apparently, the Internet has more deep-seated security bugs to worry about than Heartbleed. Researchers have discovered a longstanding flaw in a common Unix command shell (Bash) for Linux and Macs that lets attackers run any code they want as soon as the shell starts running. They can effectively get control of any networked device that runs Bash, even if there are limits on the commands remote users can try. That's a big problem when a large chunk of the Internet relies on the shell for everyday tasks -- many web servers will call on it when they're running scripts, for example. There are already patches for multiple Linux variants (CentOS, Debian, Red Hat), and big Internet services like Akamai have already taken action.


However, the age and sheer ubiquity of the exploit mean that there are some older servers and other Internet-connected devices that won't (and in some cases, can't) be fixed. In other words, there's a chance that everything from poorly maintained websites to your home security camera will remain vulnerable. Some devices will be protected, however: security researcher Paul McMillan notes that many embedded devices "use BusyBox, which is not vulnerable". It's unlikely that hackers will breach many of the major websites you visit, thanks to their quick responses to the flaw, and many of your existing gadgets are probably safe. Having said this, it's hard to know exactly how far-reaching the damage may be -- it could take years before there's no longer a significant threat.




Info Sources:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack

https://lists.debian.org/debian-security-announce/2014/msg00220.html

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCM_-StdWid

http://www.zdnet.com/unixlinux-bash-critical-security-hole-uncovered-7000034021

http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924


