Shell Shock, Take a Pause

Wikimedia_advisory_board_meetingAfter reviewing the depth of the shell shock vulnerability experts seem to be taking a step back to come up with a more considered plan. As mentioned in yesterday’s blog the problem appears to be deeper than it originally appeared and may require more than just a fix of the problem program named bash. It may require changes by IT staff across the globe to change programs or test programs with a substitute program for bash.

Researches are now divided on how sever this problem is. From my own research I see that a good portion of what was originally thought to be a problem are not a problem. See my own caveat in the previous blog. The problem also does not appear for automatically run programs in one of the most common server platforms (the one affinity CM uses, Ubuntu). But the depth of the problem is apparent when looking at some programs in depth.

Fixes

Currently affinity CM is running without bash. A simple fix for IT administrators allow all request for bash to be run by a substitute called dash. Also all accounts were changed to use dash in place of bash. So even if a program asks for bash it will get dash. Our file server, mail server, web server and virtual host server all are working with the substitute.

In fixing out installation I also discovered that all automatically run programs by default use dash and not bash. The program would have to specifically ask for bash to get it. That is good. And even if a system program asked for bash our fixes will give it dash.

Depth of The Problem

To determine how frequently bash is requested I scanned a computer that does program development and testing plus a directory where program development for clients is done.

Though code (programing) that is developed by affinity CM currently has no reference to bash I know it has been used in the past.

The troubling part is the code brought in from other sources. I found numerous requests for bash in this foreign code. The developers of the foreign code will determine if bash is really needed and change the requests accordingly or wait for a fix for bash. On our systems though they will automatically be given the safer dash program even if they explicitly request bash. So far this has not proved to be a problem.

THE Fix

Currently with the draconian fixes proposed by some I’m sure the big shots in the industry are weighing in with their feedback. And like me I see that the technophiles are putting in their fixes and making suggestions as how to fix the issue. It may be a while for all the issues to get fixed especially for complex systems in specialized areas. But I believe that simpler systems or those programs that are widely used will have a fix. An individual, simple, installations that have a competent IT staff will be able to put in a temporary fix until a permanent fix is in, as we have done here at affinity CM.