Weekend Edition

SMASH the Bash bug! Apple and Red Hat scramble for patch batches

'Applying multiple security updates is extremely difficult'

A fresh batch of Shellshock patches was released on Friday night in the latest move to stamp out the Bash shell security vuln, which has the potential to blight millions of Linux, Unix and Mac OS X machines.

Red Hat said in a blog post that the threat from Shellshock was receding now that patches had been issued for most operating systems affected by the bug.

It comes after Apple said that "the vast majority of OS X users are not at risk" from the vuln.

Fanbois who had configured advanced Unix services on Mac OS X were exposed to Shellshock, Apple added. It was reportedly cooking up a software update for those users on Friday.

Meanwhile, hackers have been trying to exploit the Shellshock flaw - which can let attackers run commands on, and so hijack, affected machines - even as tech outfits around the world scrambled to squish the 22-year-old Bash bug.

Red Hat said that it had now issued new patches for the bug, after its first round of fixes proved to be incomplete.

The company's security engineer Huzaifa Sidhpurwala explained:

The original flaw in Bash was assigned CVE-2014-6271. Shortly after that issue went public a researcher found a similar flaw that wasn’t blocked by the first fix and this was assigned CVE-2014-7169.

Later, Red Hat Product Security researcher Florian Weimer found additional problems and they were assigned CVE-2014-7186 and CVE-2014-7187. It’s possible that other issues will be found in the future and assigned a CVE designator even if they are blocked by the existing patches.
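As an added illustration that is not part of this article or of Red Hat's post, the script below probes a local shell for the two issues the quote names: the original CVE-2014-6271 (a command smuggled after an exported function definition) and CVE-2014-7169 (a malformed definition that leaves a stray redirection in the parser, so the next command runs as `> echo ...` and a file named `echo` appears). The probe strings are the ones widely circulated for each CVE; the function names, the `PROBE` variable name and the `harmless` marker are this example's own choices. Each probe prints `missing`, `vulnerable` or `patched`.

```shell
#!/bin/sh
# Added example, not code from Red Hat or The Register.
# Local Shellshock probes for CVE-2014-6271 and CVE-2014-7169.
# Each function prints one word: "missing" (shell not installed),
# "vulnerable", or "patched".  Pass a shell name or path; default is bash.

# CVE-2014-6271: an environment value that starts with "() {" is imported by
# bash as a function definition; a vulnerable bash also executes whatever
# follows the closing brace, here an echo of a marker string.
shellshock_6271() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 0; }
    # "|| true" keeps the probe usable under "set -e" even if the shell errors.
    out=$(env PROBE='() { :;}; echo SHELLSHOCK_6271' "$shell" -c 'echo harmless' 2>/dev/null || true)
    case "$out" in
        *SHELLSHOCK_6271*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# CVE-2014-7169: the first fix stopped trailing commands, but a malformed
# definition still left the parser holding a ">\" redirection.  That leftover
# is applied to the next command, so "echo harmless" runs as "> echo harmless"
# and an (empty) file named "echo" is created in the working directory.
# The probe runs in a scratch directory so nothing is left behind.
shellshock_7169() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 0; }
    tmp=$(mktemp -d) || { echo missing; return 0; }
    ( cd "$tmp" && env PROBE='() { (a)=>\' "$shell" -c 'echo harmless' >/dev/null 2>&1 || true )
    if [ -e "$tmp/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Report both issues for every shell named on the command line.
shellshock_report() {
    [ $# -eq 0 ] && set -- bash
    for shell in "$@"; do
        printf '%s: CVE-2014-6271 %s, CVE-2014-7169 %s\n' \
            "$shell" "$(shellshock_6271 "$shell")" "$(shellshock_7169 "$shell")"
    done
}

shellshock_report "$@"
```

Run it as `sh shellshock_probe.sh bash /bin/bash /usr/local/bin/bash` to check every Bash binary on a host, since a package update only fixes the copy it owns; a source-built Bash elsewhere on the path stays exposed. These two probes do not cover CVE-2014-7186 and CVE-2014-7187, which need separate tests.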

The Red Hat engineer went on to explain why the company didn't immediately pump out more patches once it became clear that the initial fix was incomplete.

When a second issue with Bash was found a few minutes after the first one went public, we knew there was something wrong. We could have followed a duct-tape approach and issued patches to our customers quickly or we could have done this correctly. Applying multiple security updates is extremely difficult!

When CVE-2014-7169 went public, there was a lot of visible confusion around how to address this issue. This was fuelled by the media and by the fact that exploits were immediately available on the internet.

Red Hat carefully analysed the root cause of the issue and wrote and tested patches. We posted these patches to the community for review, allowing everyone to freely use them if they wanted to. Doing things correctly takes time!

The flaws in Bash had gone undetected for so long, Sidhpurwala added, because they "were in a quite obscure feature that was rarely used". ®