Shellshock: No, it IS a bash bug

Posted by Jim Jagielski on Monday, September 29. 2014 in Open Source

Reading over http://paste.lisp.org/display/143864, I am surprised just how wrong the entire post is.

The gist of the post is that the Shellshock bug is not bash's fault but, by this argument, the fault of Apache and other externally facing programs for not "sanitizing" the environment before it gets into bash's hands.

Sweet Sassy Molassy! What kind of horse-sh*t is that?

As "proof" of this argument, pjb uses the tired old excuse "It's not a bug, it's a feature", noting that bash's execution of commands "hidden" in environment variables is documented; but then we get the best line of all:

The implementation detail of using an environment variable whose value starts with "() {" and which may contain further commands after the function definition is not documented, but could still be considered a feature 

As far as outlandish statements go, this one takes the cake. Somehow, Apache and other programs are expected to sanitize around magical, undocumented features, and their failure to do so is the problem, rather than the fact that this magic is undocumented and fraught with issues in and of itself.

Let's recall that if any other Bourne-type shell, or, in fact, any real POSIX-compliant shell (which bash claims to be), had been used in the exact situation in which bash was being used, there would be no vulnerability. None. Nada. Zero. Replace bash with ksh, zsh, dash, ... and you'd be perfectly fine: no vulnerability, and CGI would work just fine. And let's also recall, again focusing on Apache (and on all web servers, in fact; it's not just Apache that is affected by this vulnerability but any web server that runs CGI scripts, such as nginx, etc.), that the CGI specification (RFC 3875) makes it quite clear that environment variables are exactly where the parameters of the client's request live: every request header is handed to the script as an HTTP_* variable (User-Agent becomes HTTP_USER_AGENT, and so on), so those values are attacker-controlled by design.

Also, let's consider this: a shell is where the unwashed public interfaces with the OS. If there is ANY place where you don't want undocumented magic, especially magic that executes arbitrary code in an undocumented fashion, it AIN'T the shell. And finally, the default shell is also what the start-up scripts themselves run under, which again means you want that shell to have as few undocumented bugs... *cough* *cough*, sorry, "features" as possible, and certainly not ones that could possibly run things behind your back.

Yes, this bug, this vulnerability, is certainly bash's, no doubt at all. But it also goes without saying that if bash were not the default shell (/bin/sh) on Linux and OSX, this would have been a weaker vulnerability: /bin/sh is what system(), popen() and every #!/bin/sh script run through, so making it bash puts bash in the path of programs that never asked for it. Maybe that was, and is, the main takeaway here. Maybe it is time for the default shell on Linux to "return" to the old Bourne shell or, at least, dash (as Debian and Ubuntu already do).


Shellshock

Posted by Jim Jagielski on Friday, September 26. 2014 in Programming

UPDATED: Sept 29, 2014 with current OSX Bash patch

First of all, when this was first found, we were looking for a cool name... It was found.

Anyway, as noted here [https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/], the Shellshock vulnerability (CVE-2014-6271) is pretty nasty. What's interesting is that, in general, the *BSD variants aren't as exposed as Linux and OSX, simply because /bin/sh on the BSDs is still a plain Bourne-compatible shell (ash-derived on FreeBSD and NetBSD, pdksh on OpenBSD) and not bash itself. On OSX and on Linux distributions such as the Red Hat family, /bin/sh is a copy of or link to /bin/bash; Debian and Ubuntu are the notable exceptions, shipping dash as /bin/sh. Why /bin/sh matters: anything that calls system() or popen(), and every script with a #!/bin/sh line, goes through whatever /bin/sh happens to be.

Even so, BSD systems are not immune by any stretch of the imagination, since one attack vector is via web servers and CGI, and it's likely that there are numerous CGI scripts that require/use bash explicitly (a shebang line that names bash directly, for instance), at which point /bin/sh never enters the picture. So no matter what, patch your systems.
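
As an added illustration of the mechanism the two Shellshock posts above describe (this is example code written for this page, not code from the posts, from Apache or from bash), the following Python script does three things: it builds the CGI environment from a set of constructed request headers the way RFC 3875 prescribes (User-Agent becomes HTTP_USER_AGENT, and so on), it flags any variable whose value starts with the "() {" prefix that pre-patch bash treated as an exported function definition, and it probes whichever shells exist on the machine by running each with such a variable in its environment to see whether the command placed after the function body gets executed. The shell paths listed are assumptions and are skipped if absent; a patched bash reports "ok" alongside dash, ksh and the rest.

```python
"""Shellshock from the web server's side.

Added example for this page; not code from the original posts or from
Apache/bash. Shell paths such as /bin/dash and /bin/ksh are assumptions and
are only probed if they exist on the machine.
"""
import os
import shutil
import subprocess


def cgi_env_from_headers(headers):
    """Map request headers to CGI meta-variables as RFC 3875 prescribes.

    Each header becomes HTTP_<NAME> with the name upper-cased and '-' turned
    into '_'; Content-Type and Content-Length are passed without the HTTP_
    prefix. The client therefore controls these values byte for byte.
    """
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value
        else:
            env["HTTP_" + key] = value
    return env


def looks_like_function_export(value):
    """True if a value has the shape pre-patch bash imported as a function.

    bash's importer tested for exactly the four characters "() {" at the
    start of the value; whatever followed the function body was then parsed
    and executed as well. Leading whitespace or "(){" did not trigger it.
    """
    return value.startswith("() {")


def suspicious_cgi_vars(env):
    """Names of environment variables carrying a function export."""
    return sorted(k for k, v in env.items() if looks_like_function_export(v))


def probe_shell(shell, marker="SHELLSHOCK_MARKER"):
    """Run `shell -c 'echo test'` with a crafted variable in its environment.

    Returns True if the command after the function body ran (vulnerable),
    False if it did not, None if the shell is absent or could not be run.
    """
    if not shutil.which(shell) and not os.path.exists(shell):
        return None
    env = dict(os.environ)
    env["X"] = "() { :; }; echo " + marker  # function body, then a payload
    try:
        out = subprocess.run([shell, "-c", "echo test"], env=env,
                             capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return marker in out.stdout


def probe_shells(shells=("/bin/sh", "/bin/bash", "/bin/dash",
                         "/bin/ksh", "/bin/zsh")):
    """Probe each candidate shell path (assumed paths; absent ones -> None)."""
    return {s: probe_shell(s) for s in shells}


if __name__ == "__main__":
    # Constructed request headers, shaped like the scans seen in late 2014.
    headers = {
        "Host": "www.example.com",
        "User-Agent": "() { :; }; /bin/cat /etc/passwd",
        "Accept": "*/*",
        "Content-Type": "text/plain",
    }
    env = cgi_env_from_headers(headers)
    for k in sorted(env):
        print(f"{k}={env[k]}")
    print("function exports found in:", suspicious_cgi_vars(env))
    for shell, result in probe_shells().items():
        state = "missing" if result is None else ("VULNERABLE" if result else "ok")
        print(f"{shell}: {state}")
```

The probe is the same one-liner the Red Hat advisory linked above describes, just driven from Python so it can be pointed at several shells in one go; the header mapping shows why "sanitize the environment" is the wrong fix, since the web server is doing exactly what the CGI specification tells it to do with those bytes.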


iOS 8

Posted by Jim Jagielski on Monday, September 22. 2014 in Technology

With all the buzz around iOS 8, I decided to take the plunge. I went ahead and upgraded an iPad2, iPad Mini and iPad Retina. I didn't upgrade any iPhones.

Why?

I'm not crazy! I need my iPhone to work! 

Anyway, so after several days of using iOS 8 on these devices, I can come up with a singular conclusion: It Is Dog Slow.

I mean really, frustratingly slow. Like I could use a stop-watch to time how long it takes apps to open (even those specifically upgraded for "iOS 8 compatibility") or to get back to the home screen when the Home button is pressed. Once in the apps, things are better, but no app at all feels peppier under iOS 8, except for maybe Safari.

Plus, a lot of apps, like Scribd, don't even open up and just die. 


Dad

Posted by Jim Jagielski on Tuesday, September 16. 2014 in Personal

Today marks the 3rd anniversary of my Dad's death. People say you'll never understand how it feels until you go through it, and they are correct. I never truly understood the emptiness that remains.

My most vivid memory of that time is standing there, at my Dad's side in the hospital, as he was breathing his last breaths; watching the EKG go from a slow but steady beat, to a weak and chaotic wave and then, like a bad soap opera or medical show, to a simple flat line. And he was gone.

I looked at my Dad and all he really *was*, was gone. All that remained was the shell that carried the *real* Joe Jagielski. He was here, but he really wasn't. I looked at Dad and he was, but he wasn't, my Dad.

We all are aware of our mortality, but it never feels real to us. But when someone close to you dies, especially when you are right there when it happens, it brings it home like a bombshell. I can truly say that, for better or worse, my awareness of death and mortality is never that much below the surface. We all die, and before that happens, we should spend our lives with as much joy and fulfillment as possible.

This realization has somehow made me more, and yet also, less patient. I try not to let little things bother me, and try to see the good in people. I'm more sensitive to people, or, at least, I try to be. Yet, on the other hand, I find that I have little to no patience with two-faced or selfish people who are only there for you if it's "convenient"; Life is too short, and I don't have the time to waste. None of us do.

Dad, I miss you, and I always will. I love you.

