Patches are available to fix the bash vulnerability known as Shellshock, along with three additional security issues recently found in the bash shell. The patches are available for all major Linux distros as well as for Solaris, with the patches being distributed through the various distros.
After the patch is applied, there are a couple of commands that can be run from a terminal to ascertain that a system is no longer vulnerable. For details, see the article Steven J. Vaughan-Nichols has written for ZDNet. As yet, there is no patch available for OS X, although Apple says that one is on the way, while assuring its users that Mac systems aren’t vulnerable except for the most advanced users.
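The article points to the post-patch terminal checks without reproducing them. The snippet below is an added example (not from the article, ZDNet, or any distro's advisory) of the widely published check for the original Shellshock bug, CVE-2014-6271, wrapped as a POSIX sh function a defender can drop into an audit script: an unpatched bash parses a function definition found in any environment variable and executes whatever follows it, while a patched bash ignores the trailing text. The function name `shellshock_check` and the marker string are my own choices.

```shell
#!/bin/sh
# Added example: post-patch audit for CVE-2014-6271 (the original Shellshock flaw).
# Returns 0 when the installed bash is patched (or absent), 1 when it still
# executes code smuggled in after a function definition in an environment variable.
shellshock_check() {
    # Variable "x" carries a harmless function definition followed by an echo.
    # A patched bash prints only "probe"; a vulnerable one also prints the marker.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 1 ;;   # trailing command ran: still vulnerable
        *)                   return 0 ;;   # only "probe" (or no bash at all): patched
    esac
}

# Human-readable wrapper for interactive use; the audit logic lives above.
shellshock_report() {
    if shellshock_check; then
        echo "bash: not vulnerable to CVE-2014-6271"
        return 0
    fi
    echo "bash: VULNERABLE to CVE-2014-6271 - apply your distro's bash update"
    return 1
}
```

Run `shellshock_report` after updating; note that the article mentions three follow-on bash issues, each of which has its own published check, so a clean result here only covers the first CVE.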
The good news about all this is that it demonstrates how quickly the Linux community can get the word out and then rally to engineer a solution when a security problem is discovered. The bad news is that not all Linux users listen. Too many users believe that the security features that are baked into Linux offer complete protection, no matter what. Unfortunately, that’s not the case. It never was, nor can it ever be.
My friend Andrew Wyatt, who spent time some years back as the founder and lead developer of the Fuduntu Linux distro, attempted to address this fact recently in a comment to an article on FOSS Force:
“…as FOSS gains marketshare you’ll see more viruses become prevalent, just as it is being seen with Android today. The reason you don’t really see this in server ‘space’ is due to the people managing systems in that space being very technically savvy and understand[ing] enough about securing these systems to protect them well enough, that and the majority of infrastructure not actually being out on the edge helps too.
“In the last two years FOSS has had a lot of black eyes via both locally and remotely exploitable vulnerabilities. FOSS isn’t targeted often because it isn’t a target of sufficient value, yet.”
Wyatt makes a good point. GNU/Linux may be safer security-wise than other operating systems, but that doesn’t make it invulnerable. Linux users still must practice good security hygiene and must make certain that their systems are kept patched and up-to-date. Unfortunately, too many Linux users have taken “safer” to mean that they don’t need to worry about silly little things like malware.
In fact, another commenter posted this sentiment as a reply.
Viruses need root access to propagate, she said, which is impossible in GNU/Linux. In addition, all of the software is downloaded from the distro’s repository and is carefully vetted, meaning that the malware problems that plague Android are nonexistent in the Linux desktop model; don’t click on links or open attachments in email and all will be fine.
All true enough, Wyatt replied, except…
…no data of value is ever stored under a root account. Not only that, but the apps that tend to host that critical data also don’t normally run in the context of root. The only things of more than trivial value that you gain by reaching ring 0 (what you call root) is the ability to turn off the firewall and start listeners on ports under 1024, or to destroy a system if you desire.
Further, there have been a few vulnerabilities over the last year that allowed one to gain ring 0 access, including one vulnerability that allowed anyone with a local account (gained by data captured by Heartbleed, perhaps?) to bypass SELinux entirely…
Indeed, the Shellshock vulnerability opened the door to possible root access, if my understanding is correct.
Although several commenters agreed with Wyatt’s assessment of Linux security, several others were adamant in their belief that Linux was safe from all but socially engineered attacks. One commenter even went so far as to accuse Wyatt of being a shill for Microsoft:
“Looks like we’ve got an MCSE by the name of Andrew here, folks. Either that, or he’s an employee of Microsoft, Apple, Adobe, or some other proprietary software company. Those sorts of companies do employ people to troll on FOSS-oriented sites, unfortunately.”
Obviously, she didn’t know…
Linux might very well be the safest operating system available, but keeping it so requires constant vigilance by security pros, GNU/Linux maintainers, and just as importantly, its users.
Practice safe computing.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
It is probable that I am the poster you are referring to, who discussed why the Android issues are non-issues on Linux systems. I stand by my comments, and reasoning, as to why Linux is safer than Android and Windows, and maybe even Macs. That’s not to say Linux is invulnerable, and I didn’t ever intend to imply that in my comments that Andrew picked up on.
However I think the bash issue does mean I may need to rethink that. Although at the moment I’m fairly sure that most desktop systems are not likely to be vulnerable to this.
I disagree completely that Linux-based systems are not worth attacking (yet). Linux systems quickly became the mission-critical server systems during the 1990s, as Windows was demonstrated to be the Swiss cheese of security nightmares. The Code Red and Nimda worms of 2000 were the death knell, and LAMP became not merely the server of choice of the technically savvy, but of anyone who wanted something that wouldn’t have to be rebuilt once a week.
Linux based systems are simply harder to crack. Not impossible, of course not. No system is impossible to crack. The essence of computer security is to make cracking as inconvenient as possible, and to try to detect the crack before harm is done.
Have Linux-based systems benefited from a generally more technically-savvy user base? Yes. Yet even the least technically knowledgeable user has a far, far higher barrier between their actions and a successful system crack than on Windows, and that is the entire point.
Tracyanne: In the case of Shellshock, you mean vulnerable but not exposed. The system is vulnerable, but there is no exposure unless you have handed out access.
> “Although at the moment I’m fairly sure that most desktop systems are not likely to be vulnerable to this.”
Actually, from what I gather, any unpatched machine with Bash would be vulnerable to rogue DHCP servers (on public Wi-Fi, or a compromised VPN server). This is because dhclient calls bash to set the machine’s IP, and poisoned environment variables can be triggered that way.
When I hear this stuff about the “Year of the Linux Desktop”, I often think, do we really want that lower end of the ecosystem, anyway?
The local idiot who posted a Facebook clip with him throwing wads of cash in the air he liberated from the bank down the street and inviting all his mates around for a wild celebration. Very surprised when the coppers crashed his party. Pedophiles that think their kiddy porn collection was really “deleted”. Dumb and dumbers who declare, “I’ve got nothing to hide from the NSA”.
Microsoft was made for clowns like these and we should be happy to let them stay there.
When we attract enough of the terminally stupid, with their hopelessly insecure practices, on board, the crackers and malware vendors, looking for easy pickings, will follow.
[quote]Linux might very well be the safest operating system available, but keeping it so requires constant vigilance by security pros, GNU/Linux maintainers, and just as importantly, its users.[/quote]
No it is not.
@Andrew: Yes, sorry bad choice of words.
> “Pedophiles that think their kiddy porn collection was really “deleted”.”
Not pedophiles, but this happened to a client of mine. They had Windows 7 and grew tired of the constant barrage of popup windows and other unfriendly software, so they asked me to install a Linux-based OS rather than clean out Windows yet again. I gave them Linux Mint.
In the process of backing up their Documents, Music, Photos and Videos, while going through the folders to make sure the right items were correctly catalogued (they had saved stuff everywhere), I came across a folder called Dads in the Documents folder. It contained a set of pornographic videos. When I mentioned it to my female client, she, very red-faced, said “I thought we had deleted that”.
While I don’t think ANY OS is impervious….I have been using Linux long enough to know that I would feel safer running it on a desktop or server than either Windows or Mac. I personally believe that most if not all of the Linux-using community (aside from those who have a son-daughter-husband-wife who administers their machine for them!) are tech-savvy enough to know how to protect their systems. I’ve rarely heard a Linux user…..not a noobie…but a USER get online asking about getting infected…or something akin to the viruses that plague Microsoft’s OSes. I guess it’s all a matter of perspective and viewpoint. I for one will not be abandoning ship just because of an exploit, that when you think about it…is the first serious issue for Linux nor will it be the last….I’m certain that as Linux usage increases….that more & more people….businesses…and government institutions will hop on board to using it…
“I for one will not be abandoning ship just because of an exploit”
Jumping ship over a single issue would be like jumping off a cliff to avoid a bumblebee. Be assured the proprietary alternatives are worse.
@Mike – They aren’t any worse, but they aren’t any better either.
Andrew, that’s where we disagree completely.
They really are worse.
Not just from a technical standpoint, but also (and especially) from a privacy perspective.
Sure, most people don’t seem to give a damn about privacy these days, but just because people don’t care about the junk food they eat, doesn’t mean it’s as good for them as actual healthy foods.
I remember a time not too far distant where Microsoft adding a communication channel for Windows to send data to Microsoft servers without user approval raised a loud backlash among users. These days Windows sends a practically constant encrypted data stream and no one so much as bats an eye…
Google, Microsoft, and Apple will happily sell out your privacy for advertising revenue, or to yield to government surveillance demands. Security’s raison d’être is to preserve privacy. Without privacy, what is anyone protecting?
We’ll probably agree to disagree here. Unless you’ve personally audited every single line of FOSS source code you have to make an assumption that nothing bad is going on in there. That’s a gargantuan effort and it has been proven multiple times over the last few years that people really aren’t reading and auditing everything all the time.
You mention Microsoft sending data to Microsoft, I can counter that with Canonical sending data to Canonical (Amazon).
You’re right, all three of those companies will sell out for a price, but what’s to say we don’t have people working in FOSS doing the same thing, only masking their actions in obscure code that nobody reads.
Nothing wrong with disagreeing. 😉
> “You mention Microsoft sending data to Microsoft, I can counter that with Canonical sending data to Canonical (Amazon).”
That doesn’t counter my argument at all, but rather reinforces it. It’s foolish to trust a company – any company – with your private information. Some may be worse than others, but in the end they are all in it for one thing: money. They will do almost anything to get it. They may behave ethically today, but tomorrow do something completely counter to that. I’m not saying they are evil per se, but fundamentally they are not people and do not behave like people. They should not be trusted like people.
With FOSS, the onus is on me if I choose to use a piece of software without understanding the code or without implicit trust in the author. If I don’t like what I see, then I can change it, remove the parts I don’t like, or use something different. Lacking skills, I could still choose to trust others who have looked. With proprietary software there is no such path to trust as everyone except the author lacks the basic information needed to make an informed choice.
To use your example, If I don’t like what Canonical does with Ubuntu, I can modify it until it is acceptable or rely on another developer who has done the changes for me and created another distro. With Windows, or Mac, you can do what exactly? Answer: Nothing. You are stuck with it unless you are prepared to switch platforms…which ultimately leads back to FOSS.
> “You’re right, all three of those companies will sell out for a price, but what’s to say we don’t have people working in FOSS doing the same thing, only masking their actions in obscure code that nobody reads.”
It is entirely possible someone masquerading in the FOSS world could sneak a deliberate security vulnerability through e.g. Debian’s maintainers (especially for complicated code like OpenSSL), but it is another matter entirely for them to try and insert malicious privacy-invading features like phoning home with personal information. Auditing every line personally is not necessary. Most popular packages out there do see regular perusal by a number of eyes, even if they aren’t looking at the level required to find buffer overflows or things like the current bash flaws. There are enough people opposed to such behavior that once discovered such a developer would be anathema for future FOSS development. I would be amazed to find such a piece of software among the packages in the repository of any distro that cares about freedom enough to distinguish between free and proprietary software, like Debian. Perhaps you could get a totally unheard of package accepted briefly, but I think it would get found out fairly quickly if it actually got used by anyone.
With proprietary code, you are entirely at the mercy of a corporate entity. You are relying on their uncompromising goodwill for your protection. Certainly you see the irony in that? Maybe they actually possess that goodwill today, but what about when their stock drops, or management changes, or any of a thousand other scenarios happen?
Result: FOSS is simply a better choice.
Andrew, that’s rather a false equivalence. It’s like saying “We know Ted Bundy killed a bunch of people. But for all I know you *might* have killed a bunch of people and just haven’t been caught yet. So you’re *just the same* as Ted Bundy.”