Security consultant Jonathan Hall discovered that Yahoo, Lycos and WinZip servers had been breached over the weekend. According to Hall, the attack originated in Romania and was made possible by a bug in the Bash shell program.
Bash is a command-line program that allows users to enter operating system commands from a prompt in the same way that Command Prompt does for Windows users. In addition to the command line support, Bash also has a scripting language that allows a user to write simple scripts.
Hall explains that Bash becomes vulnerable because it does not enforce one of its own syntax rules on scripting tightly enough. Normally, a script body is entered between two brace characters and then terminated with a semicolon. Any code after that semicolon is supposed to be ignored, but Bash doesn’t ignore it. As a result, it is possible for hackers to append additional code and take over a server.
This flaw is known as the Shellshock vulnerability. Its roots can be traced to 1992, after the original author of Bash, Brian Fox, handed the software to Chet Ramey to maintain. In a New York Times interview, Ramey said he thinks that an update he added to Bash 22 years ago may be the origin of Shellshock.
Bash is open source, and Ramey’s maintenance of it amounts to volunteer work. As such, there is no formal bug reporting and patching cycle through which he issues fixes to Bash on a regular basis. It wasn’t until Ramey heard from Stephane Chazelas in mid-September that he knew of the Shellshock flaw. A patch was issued shortly thereafter, but news of it leaked to hackers and Shellshock attacks began in late September.
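A local check for whether a system carries that patch, added here as an example and not part of the article: it starts a bash binary with an environment variable holding a function body between braces, a terminating semicolon and a trailing command, then reports whether bash ran the trailing command. The variable name `probe`, the marker string and the `shellshock_status` helper are constructed for this check.

```shell
#!/bin/sh
# Added example, not from the article: report whether a bash binary still
# executes code placed after a function definition in its environment.
# Prints "patched", "vulnerable" or "not found"; exit status 0, 1 or 2.
shellshock_status() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo "not found"; return 2; }
  # The marker only appears in the output if bash executed the command that
  # follows the semicolon. Some patched versions print a warning about the
  # ignored function definition on stderr, which is discarded here.
  out=$(env probe='() { :;}; echo VULN_MARKER' "$bash_bin" -c 'echo harmless' 2>/dev/null)
  case "$out" in
    *VULN_MARKER*) echo "vulnerable"; return 1 ;;
    *)             echo "patched";    return 0 ;;
  esac
}
```

Run `shellshock_status /path/to/bash` against each bash binary on a host, including any bundled copies in application trees, since the package manager's copy is not the only one that may be present.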
Yahoo chief information security officer Alex Stamos posted on the Hacker News site that the attack on Yahoo was not actually Shellshock, but a different attack affecting a script that processed web logs. That may be a relief to Yahoo in the short term, but it doesn’t solve the problem that left them and other companies vulnerable to Shellshock.
Open source software has a lot of great benefits, especially to companies and organizations that need to develop software, but don’t want to write everything from scratch.
One drawback is that this software is not always maintained and tested as it should be. Many companies use Bash, but it is far from being a commercial-grade utility. Companies that rely on open source solutions are going to have to do a better job of making sure that the software they use is tested. You don’t have to throw away Bash, but if it were improved, tested and upgraded more regularly, those who depend on it would be less vulnerable to security breaches.
Edited by Maurice Nagle