Shell shocked – but what should you do about the Bash bug?

A serious security flaw has been discovered in a ubiquitous utility program present on a wide variety of important computer systems, including many Unix-based servers and Macintosh desktop computers.

Shell shock”, as it has been dubbed, has meant another round of sleepless nights for system administrators around the world as they attempt to protect their systems, and Mac users should be wary until a fix for their systems is available.

The security flaw, discovered by Edinburgh-based programmer Stephane Chazelas, affects a software tool called Bash.

Bash – the duct tape of a Unix system

Bash is a Unix shell, or “command-line interpreter”, which is a tool that people who used a personal computer in the 1980s and early 1990s were all too familiar with, but younger computer users may never have seen directly.

A shell being used interactively. This system has Bash installed, but uses an alternative for system administration purposes.

Shells have a similar job to the recently reinstated Start Menu on a Windows PC – they are used to start other applications on a system. Despite the fact that most non-technical users haven’t had to use shells for many years, they are still installed on every Windows or Mac OS X computer, as well as all Linux and Unix systems.

Windows systems use their own unique shell, which is not affected by the current bug. But many (though not all) Unix-based systems, including Mac OS X, by default use Bash.

Bash (which stands for Bourne Again SHell) was first released in 1989 by programmer Brian Fox and is now distributed as free(open source) software by the GNU Project. Its design can be directly traced back to the origins of Unix in the late 1960s.

System administrators and programmers still often use shells directly, for a variety of reasons. But the security risk from the current bug primarily relates to another use of shells – as a largely invisible intermediary when one program starts another.

Starting a program may appear simple, but the process of figuring out exactly which program to execute, and providing configuration information, can actually be quite complicated.

Therefore, many systems delegate this process to the shell, rather than tackling it directly, and Bash acts as the duct tape that binds systems together. For instance, the Apache web server can use Bash in this way to invoke other programs to generate dynamic web pages.

Mishandling configuration information

The bug in Bash, present in all versions dating back at least to 1994, relates to the handling of configuration information. (A more technical summary of the bug and its consequences is available from Unix vendor Redhat.)

Bash should simply pass such configuration information to the programs it starts on either the user’s or another program’s behalf. But a maliciously formatted configuration “string” can cause Bash to do literally anything the “user” running Bash has permission to do.

When Bash was used as originally designed, by a human at a command prompt, this was no big deal. A user who could enter these configuration strings could issue the same (potentially malicious) commands at a command prompt anyway.

The problem today is that other programs, accessible via a network, pass information received from possibly malicious sources on the internet as configuration strings to Bash. Bash could then misinterpret these as commands to execute.

For instance, as previously mentioned, one way the common Unix-based Apache web server can dynamically generate web pages uses Bash in an intermediary role.

If this particular feature is enabled on a specific web server, a remote attacker could send a malicious request for a web page that causes Bash to be invoked, and the malformatted configuration information passed to Bash. Bash will then run the commands the attacker requests on the web server, giving the attacker full control over the server.

For more details, click here.

The Latest Software Testing News department was not involved in the creation of this content.

Accuris Networks Receives $15 Million Investment and Hires Wireless Industry Leader Jeff Brown as CEO

Silicon Valley, California and Dublin, Ireland – September 24, 2014 – As demand for mobile data continues to accelerate worldwide, the telecom industry is increasingly trying to meet the challenge of connecting disparate networks. At the center of this movement, Accuris Networks (, a global leader in cellular and Wi-Fi connectivity, announced today that it has completed a $15 million equity funding round. Key new investors in this privately held company are the Ulster Bank Diageo Venture Fund and the China Ireland Growth Technology Fund. In addition, Accuris Networks announced the appointment of seasoned U.S.-based wireless executive Jeff Brown as CEO.

According to Accuris Networks Chairman Larry Quinn, “Our established industry customer base, our significant pipeline and our industry-leading technology were all factors that attracted this investment. We intend to use this funding to invest in future product development in our AccuROAM™ platform, to maintain our lead in connecting networks and build more solutions such as carrier-grade Wi-Fi offload and roaming as we scale our business globally. While we already have customers worldwide and support from existing investors such as Atlantic Bridge Capital, we particularly want to expand in China, Japan and other Asian markets. We also intend to consolidate and amplify our successes in EMEA, particularly in the Middle East and Western Europe.”

Under the leadership of its new U.S.-based CEO, Accuris Networks will also broaden its presence in the North American market with the establishment of a new Silicon Valley office. “With marquee customers and partners such as AT&T, Bell Mobility, Telus, GoGo, Cisco, HP and Alcatel-Lucent, Accuris Networks has already established an enviable track record in this market,” said Jeff Brown. “But we’ve barely scratched the surface of the opportunities here so far.”

New investor Ulster Bank Diageo Venture Fund L.P., managed by Investec Ventures, is a leading investor in the Irish technology sector. According to Michael Murphy, Managing Partner, the fund is investing in Accuris Networks because of the experience of its team and the ever-increasing demand for Wi-Fi offload solutions that help ease congestion and capacity constraints across mobile networks as data traffic continues to grow exponentially. “The AccuROAM platform has received wide recognition, including being named the ‘best mobile technology breakthrough’ at Mobile World Congress,” he said. “With so many experts — and customers – using this proven technology, we see major revenue potential in a future where Wi-Fi will only increase its penetration.”
Summit Bridge Capital, which manages the China Ireland Growth Technology Capital Fund, also sees huge promise in Accuris Networks and its products. According to David Lam, Managing Director, “Connecting networks is one of the hottest areas in this market, whether new networks or legacy networks, and the AccuROAM platform does it best. The many wins with Tier 1 customers are only the beginning of this company’s potential growth.”

Accuris Networks’ newly named CEO Jeff Brown is an industry veteran who was previously president and CEO of mobile technology company Kineto Wireless. He held similar positions at RadioFrame Networks and was earlier the CEO of Data Critical, a wireless healthcare company, where he spearheaded an eventual sale of the company to GE Medical Systems. Brown also held executive positions at McCaw Cellular, AT&T Wireless and PacTel Cellular.

Fran Cator | RealWire

1 100 101 102