Patches are available to fix the bash vulnerability known as Shellshock, along with three additional security issues recently found in the bash shell. They cover all major Linux distros as well as Solaris, and are being distributed by the distros themselves.
After the patch is applied, a couple of commands can be run from a terminal to confirm that a system is no longer vulnerable. For details, see the article Steven J. Vaughan-Nichols has written for ZDNet. As yet, there is no patch available for OS X, although Apple says that one is on the way, while assuring its users that Mac systems aren’t vulnerable except for those of the most advanced users.
The good news about all this is that it demonstrates how quickly the Linux community can get the word out and then rally to engineer a solution when a security problem is discovered. The bad news is that not all Linux users listen. Too many users believe that the security features that are baked into Linux offer complete protection, no matter what. Unfortunately, that’s not the case. It never was, nor can it ever be.
My friend Andrew Wyatt, who spent time some years back as the founder and lead developer of the Fuduntu Linux distro, attempted to address this fact recently in a comment to an article on FOSS Force:
“…as FOSS gains marketshare you’ll see more viruses become prevalent, just as it is being seen with Android today. The reason you don’t really see this in server ‘space’ is due to the people managing systems in that space being very technically savvy and understand[ing] enough about securing these systems to protect them well enough, that and the majority of infrastructure not actually being out on the edge helps too.
“In the last two years FOSS has had a lot of black eyes via both locally and remotely exploitable vulnerabilities. FOSS isn’t targeted often because it isn’t a target of sufficient value, yet.”
Wyatt makes a good point. GNU/Linux may be safer than other operating systems, but that doesn’t make it invulnerable. Linux users still must practice good security hygiene and must make certain that their systems are kept patched and up to date. Unfortunately, too many Linux users have taken “safer” to mean that they don’t need to worry about silly little things like malware.
In fact, another commenter posted this sentiment as a reply.
Viruses need root access to propagate, she said, which is impossible in GNU/Linux. In addition, all of the software is downloaded from the distro’s repository and is carefully vetted, meaning that the malware problems that plague Android are nonexistent in the Linux desktop model; don’t click on links or open attachments in email and all will be fine.
All true enough, Wyatt replied, except…
“…no data of value is ever stored under a root account. Not only that, but the apps that tend to host that critical data also don’t normally run in the context of root. The only things of more than trivial value that you gain by reaching ring 0 (what you call root) is the ability to turn off the firewall and start listeners on ports under 1024, or to destroy a system if you desire.
“Further, there have been a few vulnerabilities over the last year that allowed one to gain ring 0 access including one vulnerability that allowed anyone with a local account (gained by data captured by Heartbleed perhaps?) to bypass SELinux entirely…”
Indeed, the Shellshock vulnerability opened the door to possible root access, if my understanding is correct.
Although several commenters agreed with Wyatt’s assessment of Linux security, several others were adamant in their belief that Linux was safe from all but socially engineered attacks. One commenter even went so far as to accuse Wyatt of being a shill for Microsoft:
“Looks like we’ve got an MCSE by the name of Andrew here, folks. Either that, or he’s an employee of Microsoft, Apple, Adobe, or some other proprietary software company. Those sorts of companies do employ people to troll on FOSS-oriented sites, unfortunately.”
Obviously, she didn’t know…
Linux might very well be the safest operating system available, but keeping it so requires constant vigilance by security pros, GNU/Linux maintainers, and, just as importantly, its users.
Practice safe computing.