Shellshock, Heartbleed, and the Gradual Downfall of Open Source

[Image: the number 404 with shatter marks. Credit: Wired.com]
Back in April, we reported on Heartbleed, a vulnerability found in OpenSSL, an open source implementation of SSL. SSL is designed to protect the transmission of sensitive and important information over the web.

A new bug, already turned into an exploit, has recently been discovered. This one is called Shellshock, and it lies in the very base structure of the internet itself. In fact, Wired says this is just the beginning.

In 1987, Brian Fox drove from Boston, Massachusetts, to Santa Barbara, California, with two massive reel tapes in the trunk of his car. On those tapes was Bash, a tool for the UNIX operating system he had written and tagged with a license that let anyone use the code and even redistribute it to others. After arriving in California, Fox continued to work on Bash, and gained other developers on his team to develop it as well. Eventually, Chet Ramey, a developer from Case Western Reserve University in Cleveland, took charge of the project and works on Bash in his spare time.

Bash found its way onto tens of thousands of machines. But somewhere along the way, in about 1992, one engineer typed a bug into the code. Last week, more than twenty years later, security researchers finally noticed this flaw in Fox’s ancient program. They called it Shellshock, and they warned it could allow hackers to wreak havoc on the modern internet. – Wired.com

Ramey isn’t positive, but told Wired he wouldn’t be surprised if he himself coded the bug back around 1992. That makes it possibly the oldest, significant-yet-unpatched bug currently known. At least, as far as anyone can figure out.

It makes one wonder if Open Source is as good as people claim it is.

Open Source is accessible. It’s often free, or very cheap, and extremely customizable because its source code isn’t hidden behind compiled executables. Anyone with programming knowledge can peer into its depths and change, update, or fix what they see. The idea behind Open Source was to use the “Many Eyes” rule developed by Linus Torvalds. It touted faster software releases and fixes, more secure software, and fewer bugs. In an ideal Open Source world, this would likely be the case.

“[T]here’s a lot of code that doesn’t actually get very many eyes at all,” Torvalds told Wired. “And a lot of open-source projects don’t actually have all that many developers involved, even when they are fairly core.”

This lack of developers defeats the purpose and idea behind Open Source and the “Many Eyes” ideal.

Another problem this brings to light is the lack of security auditing that is actually being done. A lot of older code that sits at the core of the internet was created at a time when auditing that software didn’t really make sense. Its authors never predicted that it would become such an integral piece of the communications network they created. And, by the time auditing made sense, the software had already been in use for 15 years. That doesn’t mean that large companies with the manpower and ability to do such audits shouldn’t actually do them, but they didn’t, because the software was simply assumed to be safe.

Even with Shellshock, Brian Fox is still proud of the project he once drove across the country. “It’s been 27 years of that software being out there before a bug was found,” [Ramey] says. “That’s a pretty impressive ratio of usage to bugs found.” – Wired.com

PCWorld Magazine reported that patches have already been released, and have also already been hacked. According to their article, “…neither patch addressed the underlying risky behavior of parsing remotely originating strings.”

Red Hat product security researcher Florian Weimer has developed a more durable patch, and Ramey has accepted it as Bash-4.3 Official Patch 27, made official last Saturday. Google security engineer Michal Zalewski recommends deploying Weimer’s patch manually unless your Linux distribution is already deploying it on its own. An easy way to tell is by typing foo='() { echo not patched; }' bash -c foo on your command line. It will either respond that the command was not found (patched) or it will respond that your system is not patched.
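The same check, wrapped as a small script that classifies a given bash binary so it can be run across several interpreters on a host. This is an added example, not code from the article or from the Bash project; the function name shellshock_check and the list of bash paths at the bottom are assumptions.

```shell
#!/bin/sh
# Added example: classify a bash binary as patched or not against the
# function-import flaw, using the check quoted in the article above.
# shellshock_check is a hypothetical helper name, not part of bash.

shellshock_check() {
    bash_bin="${1:-bash}"
    # Report interpreters that are simply absent on this host.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # Export a variable whose value looks like a function body. An unpatched
    # bash imports it as a function named foo and runs it; a bash carrying
    # Weimer's patch ignores it, so foo is an unknown command.
    # LC_ALL=C keeps the error message in English so it can be matched.
    out=$(env LC_ALL=C 'foo=() { echo not patched; }' "$bash_bin" -c foo 2>&1)
    case "$out" in
        *"not patched"*)       echo "vulnerable"; return 1 ;;
        *"command not found"*) echo "patched";    return 0 ;;
        *)                     echo "unknown";    return 3 ;;
    esac
}

# Distributions and local builds often ship more than one bash; check each
# of the usual locations (assumed paths) rather than only the one in PATH.
for b in /bin/bash /usr/local/bin/bash bash; do
    printf '%s: %s\n' "$b" "$(shellshock_check "$b")"
done
```

A result of "unknown" means the interpreter produced neither expected message and should be inspected by hand rather than assumed safe.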

This patch from Weimer also covers several other vulnerabilities recently discovered by Zalewski, two of which have not yet been publicly announced.