News Linux, OS X hit by Shellshock Bash vulnerability

Discussion in 'Article Discussion' started by Gareth Halfacree, 25 Sep 2014.

  2. David

    Not the best time for this to hit Apple, is it?
     
  3. Gareth Halfacree

    I reckon this one's going to get a bit nasty. Sure, Apple, Canonical, Red Hat et al can roll out patches, but Bash is a frequent sight in embedded devices - the majority of which never receive firmware updates, even if their manufacturer bothers to release any. Can you say "botnet waiting to happen?"
     
  4. David

    You think an IoT botnet was the plan from the kick-off?
     
  5. Gareth Halfacree

    There was no plan: it's a daft error in an obscure feature which nobody noticed for a couple of decades. Amusingly, somebody who worked on Research Unix back in the day claims that it's a variant of an error they discovered in their sh(1) implementation - the pre-pre-pre-cursor to Bash - thirty years ago. Code is complex, and frequently full of mistakes; you just hope that the good guys find 'em before the bad guys do.
     
  6. Corky42

    The bad guys would probably try to keep it hush-hush, although I dare say the good guys spy on what the bad guys are doing, sharing and publishing. Or at least I hope they do.
     
  7. Phil Rhodes

    But shouldn't the open source model have prevented this?

    Somehow?

    Er...
     
  8. Corky42

    Not sure what your definition of "prevented" is, but from my understanding the open source model has identified it and is going to patch it.

    Bash has been around for 25 years and is still being supported; I can't think of any proprietary software that would still be supported after 25 years. The fact is, they stop supporting software like Windows 3.0 because it's no longer viable to fix security vulnerabilities that have been there from day one but no one knew about.
     
  10. Phil Rhodes

    I'm fully aware that all software suffers from security vulnerabilities. The surprise is that anyone finds it surprising anymore.

    The problem we have currently is that Linux is widely assumed to be very secure. I've always queried this, on two bases: first, it's never been deployed on anything like the scale of its competitors, so we really have no idea how secure it is, and second, you have to be a fairly competent computer user to use it at all. I run antivirus software and have done for decades. It has not once picked anything up - not because I'm running any particular OS, but because I know what I'm doing. We have no idea what's likely to happen if we start giving it to numpties.

    (Well, actually, I think we have a pretty good idea what's going to happen - but we can't say so because the open source movement will pour sugar in our petrol tanks).

    Now we're starting to see Linux deployed more widely I suspect the real scale of the problem will become more apparent.

    P
     
  11. Gareth Halfacree

    I'm impressed: that's significantly less frothing than your usual Linux-related posts. Sadly, it's also inaccurate: Linux has enjoyed a considerably wider distribution in every single market bar the desktop and laptop sector for years. It's long been the dominant force in servers, industrial, embedded and high-performance computing - and before that, its predecessors like Unix ruled the roost. We're not "starting to see Linux deployed more widely" - it's long been deployed widely. We're perhaps starting to see it make (slightly) more impact on the desktop, but not massively - it's still a tiny, tiny bit-player in the desktop and laptop market. Interestingly enough, said desktop and laptop market is pretty much immune to this 'ere bug: it's only exploitable on servers with some fairly specific configurations. There's no way to exploit it on a desktop, unless said desktop is running a webserver with specific CGI configuration - in which case it ain't a desktop any more.

    Better still, Bash isn't Linux. See that headline: Bash is the default shell in the BSD-based (and, I'd like to point out, proprietary) Apple OS X, too. Likewise, there are Linux distributions that don't use Bash. In fact, anyone using Debian or Ubuntu is pretty much immune to this bug: although Bash is used for login shells (meaning Shellshock can still be exploited to, for example, break out of a forced-application SSH environment providing you have valid authentication credentials for the server), all non-interactive stuff goes through /bin/sh which is symlinked to Dash - a different shell which is not vulnerable to Shellshock. Even oddly-configured CGI scripts hold no fear for Dash!

    'Course, you had to spoil an otherwise fairly reasonable post with this:
    I really, really wish I knew why you hated Linux and the open source movement so much. I mean, properly hate - not just ignore, or avoid, but actively seek out any opportunity to have a dig. Even when it comes to making rubbish up to post in the software/hardware/tech-support sub-forums about your "Linux laptop." Which reminds me: you never did follow up that one where you accused Linux of doing something Microsoft products have done since the year dot, did you?
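    The exposure condition described above (a CGI script only hands attacker-controlled environment variables to a vulnerable parser if it actually runs under bash, and on Debian/Ubuntu a `#!/bin/sh` script runs under dash instead) can be turned into a defender's inventory check. This is an added example, not code from the thread or from any of the projects named in it; the sample CGI directory it scans is constructed inline, and the classification rule (shebang names bash, or names `/bin/sh` while `/bin/sh` resolves to bash) is the assumption the script encodes.

```shell
#!/bin/sh
# Inventory which scripts in a CGI directory would be executed by bash.
# Added example; the three sample scripts below are constructed, not real.

# Resolve what /bin/sh actually is (dash on Debian/Ubuntu, bash elsewhere).
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Print "<path> bash" or "<path> other" for every regular file in $1.
# $2 is the basename of what /bin/sh resolves to (e.g. dash or bash).
classify_cgi_dir() {
    dir=$1
    sh_impl=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        shebang=$(head -n 1 "$f")
        case "$shebang" in
            '#!'*bash*) echo "$f bash" ;;                 # bash named directly
            '#!/bin/sh'*|'#!/usr/bin/env sh'*)            # depends on /bin/sh
                if [ "$sh_impl" = bash ]; then
                    echo "$f bash"
                else
                    echo "$f other"
                fi ;;
            *) echo "$f other" ;;                         # perl, python, binaries...
        esac
    done
}

# Number of scripts in $1 that bash would run, given /bin/sh implementation $2.
count_bash_cgi() {
    classify_cgi_dir "$1" "$2" | grep -c ' bash$' || true
}

# Demonstration on a constructed sample directory (not a real CGI tree).
demo_dir=$(mktemp -d)
printf '#!/bin/bash\necho ok\n'        > "$demo_dir/status.cgi"
printf '#!/bin/sh\necho ok\n'          > "$demo_dir/info.cgi"
printf '#!/usr/bin/perl\nprint 1;\n'   > "$demo_dir/search.cgi"
impl=$(basename "$(sh_target)")
echo "/bin/sh on this host is: $impl"
classify_cgi_dir "$demo_dir" "$impl"
echo "scripts bash would run here: $(count_bash_cgi "$demo_dir" "$impl")"
echo "scripts bash would run if /bin/sh were bash: $(count_bash_cgi "$demo_dir" bash)"
rm -rf "$demo_dir"
```

    The second count is the "same scripts, different distribution" comparison the post makes: the plain `#!/bin/sh` script is only in scope where `/bin/sh` is bash.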
     
  12. RichCreedy

    I thought embedded devices like routers used a different, smaller, less resource-hungry shell; can't remember the name though.
     
  13. Gareth Halfacree

    BusyBox - some, but far from all.
     
  14. Phil Rhodes

    Okay, insert "on the desktop" after "it's never been deployed," although really the point is moot - it's about who's using it. 200,000 installs on a server farm administered by a handful of people is not, in this context, really a very wide deployment.

    They started it. The sense of smug superiority, the arrogance, the presumptiveness, the unsubtle looking-down on the competition, would be offensive enough if Linux was competent. But it isn't. As a reasonably advanced computer user, I constantly encounter people who try to persuade me to use it, and take violent offence when I explain why I can't. I can't because the open source software movement has failed to come up with software that does what I need it to do, because it's poorly thought out, badly managed, and lacks critical technical competencies. I'm pissed off with being told how to work by people whose ideas are so bad, and who appear to have no good idea what computers are actually for.

    So yes, I do take inestimable pleasure every time Linux screws up, and every time the open source model is shown to be what it actually is. If open source worked properly the problem which spawned this discussion could not happen. Open source is no better or worse at security than any other approach, and I shall take the greatest possible pleasure in including this thread in my citations every time some tub-thumping idiot tries to tell me otherwise.

    What did I not follow up?
     
  15. Gareth Halfacree

    There are far more systems in the world running Linux or a variant thereof than there are running Windows. That, I would say, is a 'wide deployment.'
    Sounds to me like you need to hang out with better people. I've not encountered that sort of behaviour myself; I have, however, encountered a proprietary software fan doing everything he can to denigrate something he doesn't even bother to try to understand. In your post history, in fact.

    As I frequently say in response to this very tired argument of yours: that's fine. If open source software can't do what you need, then you'll have to use other software. This is normal, and right. Personally, open source software does exactly what I need: I exist as the sole breadwinner for a two-adult, one-child, one-cat household using nothing but open-source packages from the operating system down to the image editor. I've even produced a best-selling book, now in its third edition, using open-source software exclusively.

    My point here is this: just because open source doesn't work for you, doesn't mean it cannot work for anyone.

    There's only one person thumping a tub here, Phil, and it's you. As usual.

    This thread here, in which you expressed incredulity that 'Linux' uses lockfiles to protect open documents - until it was pointed out that it's the document editor, not the operating system, that's doing that, and that Microsoft Word running on Windows does exactly the same thing. You went very quiet after that.
     
  16. Corky42

    Maybe them being violent is more to do with the way you tell them.
    Most people don't get a smack in the face, or beaten up just for saying no thanks. :D
     
  17. Phil Rhodes

    I don't believe you.

    I'm astonished. Why?

    But I'm sure you'll understand why my assumption, on discovering a piece of software behaving in a thrown-together, archaic and poorly-thought-out manner that it was probably the product of open source thinking...
     
  18. Gareth Halfacree

    Funny, I was just thinking the same thing about you. You're strong on rhetoric, Phil, but weak on evidence. You're also everything you claim to hate, as I will demonstrate below.
    Because, believe it or not, it's the best way to handle things. Imagine a network. Imagine a file server. Imagine a bunch of Word (or LibreOffice, whatever) files on said file server. Imagine User A opens and edits said file. Imagine User B opens and edits said file. Imagine both try to save. Whoops: collision. "But," you may ask in your naïveté, "why can't the file just be marked read-only in the file system?" To which I answer: what file system? The clients have no way of knowing what file system the network server is running, or what attributes it supports in terms of permissions and meta-data. The only way you can be sure that you've marked the file as read-only is by creating a lock-file - which is exactly what office suites, Microsoft Word et al, have been doing for years. They're also used to store changes without modifying the original file (which is how Word's AutoRecovery feature works), and to speed up various functions. Here's Microsoft's explanation on the matter.

    Now, that perfectly demonstrates "[the] sense of smug superiority, the arrogance, the presumptiveness, the unsubtle looking-down on the competition" which you apparently find so obnoxious in others. Pot, Kettle, you know the rest. If you can't see how your attitude is the perfect demonstration of everything you claim to hate - and have accused the apparently homogeneous open-source community of having - then there's really no helping you.
     
  19. Phil Rhodes

    Good grief, I certainly hope so! Fight fire with fire.

    Anyway, I'm entitled to look down on the competition. It's inferior.

    Sure, but that goes for any kind of file you like. Why are documents special?

    P
     
  20. adidan

    I always find it odd for anyone to have such strong views on something as worthless as an OS.

    I'm an OS whore; I'll use anything that does what I want it to when I want it to.
     