Mu [was: How much worse is the Shellshock bash bug than Heartbleed?]

coderman coderman at gmail.com
Tue Sep 30 19:40:34 PDT 2014


On 9/30/14, Georgi Guninski <guninski at guninski.com> wrote:
> ...
> I find this _much_ worse than the passive Heartbleed.
>
> How much worse is the shellshock bash bug than Heartbleed?


a simplistic "shellshock worse than heartbleed" is a
mischaracterization of the situation.

first, this presents a vulnerability without context, by itself. in
the real world, we care about a vulnerability with respect to
exploitation. usually many vulnerabilities are leveraged together in
exploitation of notoriety.

in the sense of best practice and conservative security posture,
heartbleed could be worse by far: a strongly keyed, defense-in-depth
deployment surreptitiously bypassed via bleeding. e.g. bleed a UDP DTLS VPN to
access the internal network, bleed intranet HTTPS for admin credentials to
critical infrastructure services.

the ability to send things to a bash shell, even a restricted shell,
even constrained behind application layers, was always seen as bad
practice for security conscious configurations - insiders get shell,
not untrusted inputs.

last but not least, this is all bullshit speculation; risk is a
perspective and shellshock or heartbleed is better or worse depending
on what you're looking at.

best regards,


P.S. #langsec asked how long you earth humans will be exchanging risky
bits with strangers. i channeled djb and bet on "Forever!". [cf.
http://cr.yp.to/talks/2014.07.10/slides-djb-20140710-a4.pdf "Making
sure software stays insecure"]
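The "untrusted inputs get a shell" pattern the post calls bad practice is exactly the Shellshock vector: an attacker-controlled string is exported as an environment variable (a CGI gateway copying HTTP headers into HTTP_USER_AGENT and friends is the classic case) and bash is then started with that environment, so an unpatched bash parses the value as a function definition and keeps executing whatever follows it. The script below is an added example written for this page, not code from the post or from any project it mentions: it runs the well-known probe against the locally installed bash, simulates the unsafe gateway, and shows the safer shape in which bash never receives the untrusted value through its environment. The function names and the simulated header value are ours.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# sample "User-Agent" payload are constructed for illustration.

# Canonical Shellshock probe. An unpatched bash imports the exported
# function body and then runs the trailing command, so "vulnerable"
# appears in the output. Prints one of: vulnerable, patched, no-bash.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Simulated CGI gateway, unsafe shape: the untrusted header value lands in
# the environment that bash is started with. On an unpatched bash the
# payload's trailing command runs before the script body does.
run_cgi_unsafe() {   # $1 = attacker-controlled header value
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    HTTP_USER_AGENT="$1" bash -c 'echo "agent logged"'
}

# Safer shape: start bash with a scrubbed environment (env -i, PATH only)
# and hand the untrusted value over as a positional argument. bash never
# parses positional arguments as function definitions, so the value is
# inert data regardless of the bash version.
run_cgi_safer() {    # $1 = attacker-controlled header value
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    env -i PATH="$PATH" bash -c 'printf "agent logged: %s\n" "$1"' _ "$1"
}

# Stand-alone demo with a constructed payload.
payload='() { :;}; echo pwned'
echo "probe: $(shellshock_check)"
echo "unsafe: $(run_cgi_unsafe "$payload")"
echo "safer:  $(run_cgi_safer "$payload")"
```

The probe only tells you about the bash binary on the box where it runs; the real question for a deployment is the second function: which processes copy bytes from strangers into an environment and then exec a shell (CGI, mod_cgi-style handlers, DHCP client hooks, sudo/ssh ForceCommand wrappers), since those are the paths that turn a local parser bug into remote code execution.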



More information about the cypherpunks mailing list