Bash bug has probably been present since 1992

The vulnerability in Bash that lets attackers take over a system has probably existed since 1992. That is according to the developer responsible for the shell. The bug went unnoticed all that time.

Chet Ramey, a volunteer who is responsible for Bash, told The New York Times that he probably introduced the bug by accident in 1992. Ramey cautions that he is not sure, because he did not yet keep detailed logs at that time. In any case, the bug went unnoticed by Ramey himself until September 12, when he was tipped off about the existence of the vulnerability.

The bug is easy to abuse yet offers far-reaching access to a system: an attacker can execute code on it. It cannot be ruled out that, at some point in the past 22 years, researchers already noticed the vulnerability and chose to keep it under wraps, for example in order to sell it. Companies such as the French firm Vupen specialize in finding and selling so-called zero-day vulnerabilities.

Meanwhile the bug has largely been fixed, though it appears that in certain cases it is still possible for an attacker to run their own code. A system can also only be protected if a patch is available. The problem is that devices such as routers, NAS systems and even wireless webcams with a built-in web server are often patched less than a desktop operating system, and therefore remain vulnerable for many years.

According to security researcher Robert Graham, the underlying code of Bash is seriously out of date. The Bash bug, also called Shellshock, is according to him no more than a warning that more bugs will follow. “The cause is not a programmer who made an error, but a systematic failure in the code,” writes Graham, who notes that three similar bugs have already been found. “The code is outdated and written to the standards of 1984, instead of 2014.”

The vulnerability can be exploited by adding a number of characters, followed by code, to an environment variable. As soon as a Bash session is then opened, that code turns out to be executed. Any application that relies on the Bash shell is potentially vulnerable. These include web servers, which can be misled with HTTP requests. DHCP clients are also potentially vulnerable: a DHCP server would be able to run its own code on a PC. That is a problem on public Wi-Fi hotspots, for example.
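
An added example, not part of the original article: a log check for the HTTP case described above. It assumes the "number of characters" is the four-character prefix `() {` with which Bash recognised an exported function in an environment variable, and that the web server writes the combined log format; the function name and the sample log lines are constructed for illustration.

```python
import re

# Assumption: Bash treated an environment value as a function definition
# when it began with exactly these four characters.
FUNC_PREFIX = "() {"

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
# Quoted fields may contain backslash-escaped characters.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

def find_suspect_requests(lines):
    """Return (line number, client IP, field) for each logged header value
    that starts with the function-definition prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # Only Referer and User-Agent are recorded in this log format; other
        # headers also become environment variables for CGI programs and
        # need a different data source.
        for field in ("referer", "agent"):
            if m.group(field).startswith(FUNC_PREFIX):
                hits.append((lineno, m.group("ip"), field))
    return hits

# Constructed sample log lines (documentation IP ranges, harmless marker text).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo constructed-probe"',
    # The prefix appears mid-value here, so it must not be flagged.
    '192.0.2.33 - - [25/Sep/2014:10:01:40 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.30 test() { }"',
    '203.0.113.4 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.0" 404 0 "() { :;}; echo constructed-probe" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for lineno, ip, field in find_suspect_requests(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent a function-definition prefix in {field}")
```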
