Is The Bash Bug Bigger Than Heartbleed
Uploaded by william-hendric
Is The Bash Bug Bigger than Heartbleed?
![Page 2: Is The Bash Bug Bigger Than Heartbleed](https://reader036.fdocuments.net/reader036/viewer/2022071813/55a4d2591a28abc4758b482d/html5/thumbnails/2.jpg)
What is the Bash Bug?
• The Bash Bug, also known as the Shellshock bug, is the newest security flaw.
• It is the current big vulnerability that is threatening the tech industry.
• The bug could be a potential disaster for major digital firms, small-scale Internet hosts, and even Web-connected devices.
• The quarter-century-old security bug allows malicious code to be executed by the bash shell, compromising the operating system and giving access to sensitive data.
• The bug is commonly reached through the Command Prompt on a personal computer or the Terminal application on a Mac.
• Apple is yet to release a security patch for it. However, according to an Apple spokesperson, the firm is addressing the problem and will soon release a patch.
Who Should be the Most Worried?
• Web admins will be the most affected of the lot, followed by consumers.
• Since Web-based services exist for consumers, a compromised server can send malware to the consumer.
• In simple words, an infected website can upload a virus onto a user's system.
• Cyber criminals who attacked the server could install a malicious app on the Web server and use it to siphon sensitive data from those visiting the site.
• For example, hackers could install malware on an e-commerce website and steal credit/debit card information.
• Unfortunately for shoppers, there is no way to identify the affected websites.
What do Security Experts Say?
• According to the North Carolina-based software firm Red Hat, running programs in a Bash shell in the background is a common activity.
• The flaw is triggered when extra code is inserted into the lines that Bash processes.
• Robert Graham, owner of Errata Security, warned that the Bash flaw is much bigger than the Heartbleed bug.
• Because of the unexpected ways Bash interacts with other software, and the enormous share of software that interacts with the shell, the Bash bug is the bigger flaw of recent times.
• Further, it is difficult to catalog all the software vulnerable to the Bash flaw, Graham added.
• The problem is with unknown systems that remain unpatched, while known systems (for example, Web servers) are patched.
• In fact, six months after the Heartbleed attack, thousands of systems still remained vulnerable to security flaws.
• Technology and news information site Ars Technica reported that the bug could impact Linux and Unix devices, and hardware running Mac OS X.
• The report also stated that Mac OS X Mavericks ships with a version of Bash that has the flaw.
• The Bash bug could be a potential threat to connected Internet-of-Things (IoT) devices. Examples include heart monitoring implants, smart thermostat systems, and automobiles with built-in sensors, to name a few.
• Since the software on these IoT devices is built using Bash scripts and is less likely to be patched, these devices expose the flaw to the outside world, Graham warned.
• The fact that the bug has been around for a very long time means that many older devices will be vulnerable.
• Compared to Heartbleed, the number of systems that need patching is larger.
• Heartbleed, disclosed in April 2014, had been present in OpenSSL for more than a couple of years.
• The major security bug allowed hackers to retrieve random bits of memory from affected servers. The flaw was called 'catastrophic' by U.S.-based cryptographer Bruce Schneier.
Why Patch the Shell?
• Rapid7's engineering manager Tod Beardsley warned that, though the flaw is of low complexity, the wide range of devices impacted requires that system admins apply patches immediately.
• The flaw is indeed a very big deal, considering that it scored 10 for severity (maximum impact) and low for exploitation complexity (very easy for hackers to use).
• The impacted software, Bash, is so widely used that hackers can use this flaw to remotely take over a host of servers and devices.
• Using this bug, hackers can take control of an operating system, gain access to sensitive information, and modify or change it.
• Businesses and individuals using systems with Bash need to patch them immediately.
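The simplest way for a business or individual to act on the bullet above is to test the Bash binary on their own machine. The script below is an added example, not part of the slide deck or of any vendor's tooling: it runs the vendor-published test string (an exported variable whose value begins with "() {") against the local bash and classifies the result. The function names are my own; the only assumption is that a "bash" binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the slides: a local self-check for the Bash
# function-import flaw the slides call the Bash bug / Shellshock. It probes
# the bash binary on THIS host only and changes nothing on the system.
#
# Background: a vulnerable bash imports any environment variable whose value
# starts with "() {" as a shell function, then keeps parsing past the closing
# brace and executes whatever follows. The harmless trailing command used here
# is "echo vulnerable"; a patched bash never prints that word.

# Classify the captured output of the probe. Pure function, so its branches can
# be exercised without a vulnerable bash: prints "vulnerable", "patched" or "unknown".
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;   # text after the function body was executed
        *probe*)      echo patched ;;      # only the -c command itself ran
        *)            echo unknown ;;      # bash missing or the probe did not run at all
    esac
}

# Run the probe against a bash binary (default: the first "bash" on PATH) and
# print the classification of its output.
shellshock_status() {
    bash_bin="${1:-bash}"
    # "x" is an ordinary exported variable; only a buggy bash treats its value as code.
    output=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
    classify_shellshock_output "$output"
}

# Interactive wrapper: prints the verdict and exits non-zero unless the local
# bash is patched, so the check can gate a deployment or provisioning script.
shellshock_self_check() {
    status=$(shellshock_status "$1")
    echo "bash: $status"
    [ "$status" = patched ]
}
```

Run `shellshock_self_check` as the user who owns the scripts in question; if it reports "unknown", bash was not found at the given path and the result says nothing about the host. A "patched" verdict covers only the original test string, so the vendor's updated bash package (not this probe) remains the authoritative fix.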
What Can be Done?
• A thorough scan of the Internet was performed by Robert Graham to test for the flaw.
• His findings revealed that the Bash bug can easily pass through firewalls and affect many systems.
• This could potentially spell doom for big networks. Both Graham and Beardsley agreed that the issue needed immediate attention.
• Scanning the network for FTP, older versions of the Apache server, and Telnet is one way to track down the bug.
• Any device that responds is more likely an old system requiring a Bash patch. Since most of them cannot be patched, the tech industry is screwed big time.
• The issue is that some firms either lack the resources to update their servers or worry that their systems would be too fragile to handle the patch.
For more information about Heartbleed, see https://blog.whichssl.com/2014/07/overcome-heartbleed-vulnerability-ssl/