A 22 year-old fracture of a Shell.
Do you know Bash? Short for “Bourne-Again Shell”, it is a piece of software written by Brian J. Fox in 1987. It is the default command process. It is also used by about seventy percent of Internet servers. It is an open-source program that has been maintained for the last 22 years by an unpaid volunteer named Chet Ramey.
Last September, Chet Ramey was contacted by an open-source community member, Stephane Chazelas, about a potentially dangerous bug. Working with Ramey and other people involved in open-source security, he produced a patch fixing the bug within a few hours. They then tried to notify the major software makers without tipping off hackers.
But as soon as the bug was reported, security researchers detected widespread scanning activity on the Internet, both by people calling themselves white-hat hackers, who examine systems to find the flaws and correct them, and by people thought to be cyber-criminals.
Security researchers therefore fear that hackers will quickly find the flaw and write a program that exploits it. They recommend that users stay abreast of the updates released by software makers, so that they receive the patch fixing the bug in Bash before someone ill-willed tries to take advantage of it.
Indeed, “Shellshock”, the name given to the bug, is much more dangerous than “Heartbleed”, a bug discovered a short time ago to which journalists often refer when speaking about Shellshock. Whereas with Heartbleed cyber-criminals were only able to do things of relatively minor importance, such as stealing passwords from Internet servers, Shellshock allows them to take total control of a machine.
Nevertheless, Internet servers are much more exposed than ordinary users to attacks using this flaw. To reach a user, hackers have to know which network the user is connected to and have access to that network, whereas Internet servers are always connected to the Internet and their location is known.
As you may guess, the problem posed by Heartbleed and Shellshock is part of a bigger one: the growth of software complexity. Every day, more and more pieces of software are built, and they themselves rely on previously written software to work. So if there is a flaw in one of the old pieces of software, it is not only the old ones but also the new ones that will be vulnerable to hackers.
As a consequence, after the Heartbleed flaw was discovered last spring, the Linux Foundation worked with major companies such as Amazon, Apple and Google on a project named the Core Infrastructure Initiative. Its goal is to identify and fund core pieces of open-source infrastructure, so that this kind of problem can be detected and solved more quickly and efficiently.
I keep hearing more and more about the USB key vulnerability! Is using someone else's USB key a real threat today?
Maybe one of our security experts could add their 2 cents' worth!
see you later
james