[GLLUG] Bash Bug
John Edwards
john at cornerstonelinux.co.uk
Thu Sep 25 16:45:14 UTC 2014
Hi
On Thu, Sep 25, 2014 at 05:15:50PM +0100, Matthew Copperwaite wrote:
<snip>
> Also there doesn't appear to be a synchronised release of updates such as
> with Heartbleed. So is this issue not as severe, or was it not disclosed
> properly?
I would be tempted to say that the impact is potentially worse as it
includes remote code execution, whereas Heartbleed was information
leakage (although on a massive scale). But Heartbleed was exploitable
on clients as well as servers and so affected a much wider range of
systems, especially those which were not directly accessible from the
Internet.
So I think it's a worse problem but less widely exploitable.
Linux servers can be quickly upgraded and patched, but I suspect the
real long term problem will be firmware or embedded systems where you
don't know if it uses bash, dash, busybox or some other shell.
See: https://www.schneier.com/blog/archives/2014/01/security_risks_9.html
ps. I wonder if it's time that technical people should be encouraged to
carry at all times a baseball bat, 2x4 or other LART instrument to be
applied to anyone in the current environment that talks of an "Internet
of Things". Responses to "The Cloud" can be left up to an individual.
--
#---------------------------------------------------------#
| John Edwards Email: john at cornerstonelinux.co.uk |
#---------------------------------------------------------#