{"id":15014,"date":"2014-10-06T16:43:14","date_gmt":"2014-10-06T16:43:14","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2695"},"modified":"2020-02-26T18:49:19","modified_gmt":"2020-02-26T16:49:19","slug":"why-the-discovery-of-big-bugs-is-a-good-thing","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/why-the-discovery-of-big-bugs-is-a-good-thing\/15014\/","title":{"rendered":"Why the discovery of &#8220;big&#8221; bugs is a good thing"},"content":{"rendered":"<p>2014 will be going down in the cybersecurity history books with two gargantuan flaws in widely used software discovered over the course of six months \u2013 or less, actually.<\/p>\n<p>The bugs have a lot in common: They were both discovered in widely (or globally) used open-source software and \u2013 as if things weren\u2019t bad enough \u2013 both were quite easy to exploit (though the actual damage estimates are uncertain). Both <a href=\"https:\/\/business.kaspersky.com\/addressing-the-heartbleed-panic-advice-for-small-business-owners-2\/1680\" target=\"_blank\" rel=\"noopener nofollow\">Heartbleed<\/a> and <a href=\"https:\/\/business.kaspersky.com\/shellshock-how-to-check-and-update-potentially-vulnerable-systems\/2662\" target=\"_blank\" rel=\"noopener nofollow\">Shellshock<\/a> caused a global scare, and it\u2019s not hard to see why. By the way, that\u2019s probably the first time software flaws have received their own names.<\/p>\n<p><strong>Further discoveries?<\/strong><\/p>\n<p>So what\u2019s next? 
Just after the Heartbleed revelation, some experts claimed more \u201cbig\u201d discoveries were on the way. Shellshock, discovered last month, proved that was correct. It\u2019s logical to presume that in a matter of months we will encounter something similarly \u201chuge\u201d.<\/p>\n<p>Despite all of the disturbances they may cause, the discovery of such bugs is a really good thing.<\/p>\n<p><strong>A good thing<\/strong><\/p>\n<p>Yes, at first it looks like a disaster. Security experts ring the alarm; business owners call their IT staff to demand that checking and patching jobs are done quickly; and admins gnash their teeth because it\u2019s Friday, 6:30 p.m., but comply because not doing so may be a disaster.<\/p>\n<p>That\u2019s actually the best-case scenario. The worst (and much more common) is that despite all the bells ringing, a business owner shrugs off the news. The patching is done months later, at best. Admins love to say \u201cdon\u2019t touch it if it works\u201d, so all the updates are applied only if absolutely necessary. Whether or not a new big bad flaw creates such a necessity is usually a subject for debate.<\/p>\n<p>The more such serious flaws are discovered, the more we\u2019ll see best-case scenarios: the more these bugs are publicized, the more attention (and alarm) they draw.<\/p>\n<p>Speaking further of Heartbleed and Shellshock, it is worth noting that both were discovered and publicized by white-hat security experts. Just imagine if the bad guys had discovered them instead.<\/p>\n<p><strong>Code review<\/strong><\/p>\n<p>One more thing, mostly related to open source software: It is a bit of a shame that Heartbleed and Shellshock were found in open source packages. 
Open source advocates often state that the software\u2019s openness provides some extra security, since every person capable of reading the code may inspect it and find the mistakes, if there are any.<\/p>\n<p>Unfortunately, this guarantees nothing: <a href=\"https:\/\/business.kaspersky.com\/the-heartbleed-bug-averting-a-doomsday\" target=\"_blank\" rel=\"noopener nofollow\">Heartbleed was introduced in 2012<\/a> and evaded all revisions for two years. <a href=\"https:\/\/business.kaspersky.com\/when-the-bug-bashes-you\/2649\" target=\"_blank\" rel=\"noopener nofollow\">Shellshock was present in the Bourne-again shell (Bash), probably since 1992, i.e. for 22 years<\/a>, and again, no one had found it until recently.<\/p>\n<p>The possibility of inspecting open code doesn\u2019t mean that code inspection is actually done, nor that it is done successfully.<\/p>\n<p>According to Robert Graham, the code of Bash itself is \u201c<a href=\"http:\/\/blog.erratasec.com\/2014\/09\/the-shockingly-bad-code-of-bash.html\" target=\"_blank\" rel=\"noopener nofollow\">shockingly obsolete<\/a>\u201d: \u201c<em>We have modern objective standards about code quality, and bash doesn\u2019t meet those standards.\u201d<\/em><\/p>\n<p>Graham then goes on to criticize the Bash coding style, and apparently for good reason: It\u2019s badly written code that sometimes makes it very difficult for code reviewers to ensure the safety of its functions. 
This is an issue not limited to Bash alone, but at least it explains why Shellshock kept slipping under the radar for so long.<\/p>\n<p><strong>Business consequences<\/strong><\/p>\n<p>Given everything that\u2019s been said, what are the consequences for businesses and their IT staff?<\/p>\n<p>First of all, it\u2019s about preparedness. The best-case scenario should become the routine one. Got a bug? Squash it as soon as the flyswatter is available from the software vendor\u2019s website, and don\u2019t wait until your place is crawling with them. It most likely won\u2019t be just your place (your company server) alone. The Shellshock bug was immediately exploited to <a href=\"https:\/\/business.kaspersky.com\/bashbugshellshock-the-day-after\/2656\" target=\"_blank\" rel=\"noopener nofollow\">create a big fat botnet<\/a> that is DDoSing and brute-forcing. Who will its owners point at next? No one can guarantee it won\u2019t be you.<\/p>\n<p>Also, an external code review of the open source software packages used in the company\u2019s infrastructure may be quite a useful service. 
This will require funds, of course, but a successful attack would cost much more.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>2014 is making its way into the cybersecurity history books with two global-scale software bugs discovered over six months. They are obviously not the last ones, and it is actually a good thing.<\/p>\n","protected":false},"author":209,"featured_media":15926,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3021],"tags":[282,588,838],"class_list":{"0":"post-15014","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersecurity","10":"tag-heartbleed","11":"tag-shellshock"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/why-the-discovery-of-big-bugs-is-a-good-thing\/15014\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/why-the-discovery-of-big-bugs-is-a-good-thing\/15014\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/why-the-discovery-of-big-bugs-is-a-good-thing\/15014\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/cybersecurity\/","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15014","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=15014"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15014\/revisions"}],"predecessor-version":[{"id":26361,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15014\/revisions\/26361"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/15926"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=15014"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=15014"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=15014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}