There’s a new security flaw making headlines this week, and tech experts are saying that it could be even bigger and more widespread of a threat than the Heartbleed bug that made the news earlier this year. Dubbed “Shellshock”, it’s a vulnerability in the “Bash” Unix shell. If that sounds confusing to you, then read on as we take a closer look at this new threat and how you can ensure that you are safe.
Bash is the name of a command shell for Unix, and it is generally the default Unix shell command line processor for OS X operating systems, Linux, and a few others. The name bash comes from it’s longer name, the Bourne-again shell (for more on the history, check out the Wikipedia entry). The Bash shell has been around since 1989 and it is used not only in operating systems but also in internet software, hardware, and even exists deep in the code of websites that rely on Unix or Linux.
This particular vulnerability has been around since the inception of Bash, although it hasn’t come to light until recently. There is some evidence that hackers had been exploiting the bug before it came to wider public attention a few days ago, but unfortunately now that it’s mainstream knowledge there are more and more hackers jumping on the bandwagon by the minute.
It’s a larger problem than Heartbleed because of the fact that Bash is incredibly widespread in its usage and it often exists out of public sight deep within servers, websites, mainframes, modems, and other hardware that uses Linux or Unix as its base.
The basis of the vulnerability lies in the fact that it allows hackers to execute commands in the Bash shell that shouldn’t even be recognized as commands in the first place. They do this by hiding the malicious command in text that Bash should technically ignore. The hacker can then begin to execute commands deep within the system and essentially take over the computer or inject malware that takes over the computer.
The implications are, in short, a little harrowing:
While the use of Shellshock for highly targeted attacks on systems that you probably don’t even know about within your network is the biggest long-term concern, the short term possibilities are frightening. The code linked to above could quickly create a SQL Slammer type Internet meltdown. (Forbes)
Bash is embedded and accessed in so many ways that we cannot fully understand its depth of use. Many systems you would never think of as having a command line use bash to run other programs. … We cannot possibly understand all the ways an attacker could interact with Bash to exploit this vulnerability. — Robert Graham of Errata Security
For once, Windows users are safe from this bug as Windows does not use Unix in its operating system. If you’re just a regular Joe internet user, you probably won’t experience much fallout from this bug just yet. The people who have more cause for worry are those running larger public systems such as mainframes, server farms, large websites, and other systems.
Patches are becoming available for the fix, but it’s hard to say when we can rest easy from this threat.
U.S.CERT has put out an advisory to allow Mac users to test to see if their system is vulnerable. Go to Terminal and input:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable this is a test
An safe (or patched) system will output:
bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test
Here is a video that attempts to give you a layman’s explanation of Shellshock:
