The bug affects Bash, a program you may never have heard of, but one that gives the user access to the features of the operating system.
As is often the case, reactions swing between alarmism and jadedness. For the specialist site Cnet, for example, there is no doubt that the newly identified flaw, dubbed “Shellshock”, is “bigger than Heartbleed”. Other observers are far more reserved.
“It is very difficult to assess the extent,” network specialist Stéphane Bortzmeyer confirms by phone. “What is certain is that there is a flaw.”
Made public this September 24th by a French engineer, Stéphane Chazelas, the vulnerability is not new: it has in fact existed for … twenty-two years! And it affects a program called Bash, designed and installed “at a time when the concept of Internet servers was very remote”, recalls Stéphane Bortzmeyer.
1. What is Bash? And why is it called the “Shellshock” bug? Enter the Matrix
Bash is “the thing in which you type the complicated commands you see in films with hackers,” explains Heat Miser, a computer security specialist, on Twitter. “THE thing,” adds LS01, “that makes you look like a geek in the eyes of your parents and your boyfriend/girlfriend.”
But it is not just for “showing off, Matrix-style,” says Stéphane Bortzmeyer. It is what is called a “shell”: software that lets the user access the features of the operating system. In particular, it is the default shell on Unix, on which Linux is based and also, though non-specialists rarely realize it, Apple’s OS. The brand’s products are therefore vulnerable. Not to mention that Apple still has not released an update to fix this vulnerability, notes Stéphane Bortzmeyer in passing.
As a shell, Bash therefore exposes the many applications that rely on it to perform certain tasks. As noted by Red Hat, a security consultancy which publishes open source software, quoted by Ars Technica:
“This problem is particularly dangerous because there are several ways in which Bash may be invoked by an application.”
For example, Stéphane Bortzmeyer adds, it can be called indirectly when one visits a web site, without the user’s knowledge, or, worse, without the knowledge of the site’s own developer.
2. OK, so what does this bug do? Taking command
A priori, this Bash vulnerability lets one alter content by “running malicious code”, in Cnet’s words. But again, it is hard to assess the possibilities in detail. A priori, having access to Bash on a machine such as a server grants every right: reading data, starting and stopping things …
The possibilities seem endless, especially compared with the Heartbleed bug, to which the specialist press compares “Shellshock”. As a reminder, that bug made it possible “to access some of the information stored on the servers of many services on the Internet”, to quote the article Slate wrote at the time. But the catch remained limited:
“[...] exploiting this bug does not allow one to siphon off all the memory of a site’s servers, but only ‘a bit’ of it (only 64KB, the equivalent of a small text file, image …) [...]. Moreover, whoever takes advantage of the flaw cannot, a priori, control what is caught.”
No panic though: the real scope of “Shellshock” must be put in context to be judged. So, how many machines are affected? And above all, how many developers know that their machines are affected? Once that is determined, we will be able to say, as Ars Technica notes, that even if the “vulnerability could be of the same magnitude as the Heartbleed bug, it might not be as dangerous.”
That remains to be determined. And it is a lot more complicated.
3. Who is affected? I heard connected objects are too? It depends on the size
According to Cnet, the bug could affect “major digital companies, mid-sized web hosts and even Internet-connected devices.”
Rest assured, however, if you are a fan of connected wristbands or toothbrushes: according to Stéphane Bortzmeyer, they should not be affected:
“A priori, connected objects could be affected. But in practice, their resources are probably too limited to install Bash, which is too heavy.”
These objects therefore most likely rely on similar software that has the advantage of being lighter and, as a result, is not exposed to this flaw.
As for other exposed equipment, again, it is unclear. At Slate, developers argue that the method of having a site or application rely on Bash is dated.
“That’s true,” admits Stéphane Bortzmeyer, “but sometimes developers can make a function call without realizing that it invokes the shell.”
Likewise, the engineer stresses that websites, having been reworked many times, have a history. A relic that uses Bash, and thus exposes this flaw, may still exist.
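Two local checks an operator can run against the points above, as an added example that is not part of the article: whether the machine’s bash still executes a command placed after an exported function definition (the behaviour the patch removes), and how a command launched with subprocess’s shell=True goes through /bin/sh while a plain argument list does not, which is the unnoticed shell call Stéphane Bortzmeyer describes. The variable names and marker strings are constructed for the example.

```python
# Added example (not from the article). Two local checks:
# (1) does this machine's bash still treat an exported variable whose value
#     starts with "() {" as a function and run the command after it?
#     A patched bash ignores the trailing command.
# (2) does a given way of launching a command go through a shell at all?
#     subprocess with shell=True runs /bin/sh; a plain argv list does not.
import os
import shutil
import subprocess

# Constructed probe: the variable name is arbitrary; MARKER only appears on
# stdout if bash executes the part after the empty function body.
PROBE_VAR = "SHELLSHOCK_PROBE"
MARKER = "TRAILING_COMMAND_RAN"
PROBE_VALUE = "() { :;}; echo " + MARKER


def bash_runs_trailing_code(bash="bash"):
    """True if `bash` runs the trailing command (unpatched behaviour),
    False if it is patched, None if no such binary is installed."""
    path = shutil.which(bash)
    if path is None:
        return None
    env = dict(os.environ)
    env[PROBE_VAR] = PROBE_VALUE
    # The inner command is harmless; any MARKER on stdout comes from the env.
    result = subprocess.run([path, "-c", "echo probe"], env=env,
                            capture_output=True, text=True)
    return MARKER in result.stdout


def echo_var(use_shell):
    """Run `echo $DEMO_VAR` either as a plain argv (no shell) or through
    shell=True (/bin/sh). Only the shell expands the variable, which is how
    one can tell a shell was involved at all."""
    env = dict(os.environ, DEMO_VAR="expanded")  # constructed value
    if use_shell:
        result = subprocess.run("echo $DEMO_VAR", shell=True, env=env,
                                capture_output=True, text=True)
    else:
        result = subprocess.run(["echo", "$DEMO_VAR"], env=env,
                                capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("bash runs trailing code:", bash_runs_trailing_code())
    print("argv echo :", echo_var(use_shell=False))  # literal $DEMO_VAR
    print("shell echo:", echo_var(use_shell=True))   # expanded
```

Note that on many Linux distributions /bin/sh is not bash (Debian and Ubuntu use dash), so the second check shows only that a shell was invoked, not which one.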
And that is the real problem. If the people who could fix this flaw are unaware of its presence, how can one ensure that the exposed sites and devices will receive the necessary updates? As with the Heartbleed bug, which affected an impressive number of websites, from the largest (Google, Yahoo …) to the smallest, the difficulty here lies in ignorance of the subject, which prevents the problem from being resolved.
As usual in this area, the impact of this vulnerability will have to be measured. Some, however, have already set about scanning the web to identify vulnerable machines, Stéphane Bortzmeyer indicates:
“I have seen on my server that people were trying to check whether it is exposed [to this vulnerability] in order to exploit it.”