Bugs happen.
Every minute of every hour of every day, software bugs are hard at work, biting computer users in the proverbial posterior. Many of them go unnoticed (the bugs, not the posteriors). More still rise to the illustrious level of "bugs that are minor annoyances".
Yet sometimes, when the stars align just so, a bug manifests itself in a truly glorious way. And when I say "glorious", I mean "utterly destructive and soul-obliterating". Nowhere are these bugs more insidious than when they are within the operating systems (and key components) themselves.
Case in point: an October 2018 bug in an update for Windows 10 caused entire user folders to be deleted. Documents? Gone. Pictures? Like they never existed at all. This was a singular OS update that vaporized files from low-Earth orbit.
After that bug impacted roughly 1,500 Windows 10 users—before it even hit widespread distribution—Microsoft pulled the update entirely.
Then, after the engineering team in Redmond thoroughly tested and fixed this gnarly bug, they did the only obvious thing: re-release the system update—with another file-destroying issue. This time it was in their un-zip functionality. More files lost to the sands of time.
Seriously. That actually happened.
Things aren't necessarily that much better over in Apple land, either.
A little more than a year ago—at the end of November 2017—a bug occurred in Mac OS X (yeah, I know they've renamed it "macOS", but I'm stubborn and I'll call it what I want) that allowed anyone to gain root access to any Macintosh (running the latest version of the OS) by following these extremely complex steps:
- Turn on a Macintosh.
- Type root as the user name and leave the password blank.
- Press Enter.
I know. I know. That'll be hard to remember, right?
To Apple's credit, the company did manage to release a system update rather quickly, thus minimizing the potential damage. But, just the same, I'd say that one calls for a "yikes"—possibly even an "oh, dear".
As satisfying as it is to make fun of Microsoft and Apple—and, boy howdy, is it ever—we in the Linux (and general Free and Open-Source Software) world are not immune from highly embarrassing, crazy destructive bugs and security vulnerabilities.
What follows are two that I find rather interesting. One is a remote exploit that had serious ramifications. The other is a local security bug that, well, I find amusing.
Note: there are lots of bugs—more than likely can be cataloged—in every system on the planet. These are just the two that I picked.
For the first one, let's travel back to the year 2014—September 24th, to be precise. Taylor Swift and Meghan Trainor were dominating the radio. The Guardians of the Galaxy were busy doing their galaxy-guarding thing.
And ShellShock was unveiled to the world: a "privilege escalation" bug (or rather, a series of related bugs) in Bash that allowed commands to be executed...that should not be accessible to that shell instance. Obviously, that's a bad thing.
Although technically not Linux-specific (it impacted multiple systems that utilize the Bash shell), Linux was (due to its popularity in internet-facing servers) the system that got the bulk of the attention.
By the next day, September 25, 2014, attacks already were occurring that took advantage of ShellShock, including botnets targeted at critical web infrastructure and the United States Department of Defense.
Thanks to the hard work of the Bash maintainers, along with those working on various Linux distributions, the bug was patched, and the patch was released within two to three days for all the major Linux systems. Apple, who also was impacted by ShellShock, managed to release fixes a few days later.
Although these sorts of issues are never fun—and don't make anyone look good—at least we can take comfort in the fact that we (in the Linux world) patched our systems before Apple did. Gotta take pleasure in the little things in life.
This next bug ranks in as my favorite Linux bug of all time. (Yes, I have a favorite bug. And, yes, I agree, that's odd.) It goes a little something like this.
Picture yourself in December 2015, sitting in front of your lovely computer, running any of a variety of major distributions.
You turn that lovely machine on and get to the Grub (Grub2, to be precise) menu. Hit backspace. Then hit backspace again. In fact, hit backspace 26 more times (28 in total), and boom—you're entered into a rescue shell.
What can you do in said rescue shell? Well, as it turns out, just about anything you can dream up, including, but not limited to, loading a custom Linux kernel (providing the opportunity to rootkit the main system), deleting all manner of data and even deleting Grub itself.
But, don't worry, this impacted only any version of Grub between 2009 and 2015—so, you know, six years' worth of Linux distributions (including desktops, servers, mobile devices and embedded systems). Or, as I like to call it, "Just about every important, and not-so-important, computer on Earth." No biggie.
Once again, the maintainers of the major Linux distributions were right on the case—most with fixes pushed out to their repositories within days (if not hours) of the exploit being released to the public.
If you are somewhat new to the wonderful world of Linux and, thus, didn't get to live through those fun moments in time, never fear. If I've learned anything about software, it's this: There'll always be more bugs. And, going on odds, the ones next year will be more destructive than the last crop.
Let's just hope they're at least as entertaining as hitting backspace 28 times.
Bryan Lunduke is a former Software Tester, former Programmer, former VP of Technology, former Linux Marketing Guy (tm), former openSUSE Board Member... and current Deputy Editor of Linux Journal, Marketing Director for Purism, as well as host of the popular Lunduke Show. More details: http://lunduke.com.






