First if you are running a Microsoft environment, then you likely have nothing to worry about. The Bash code injection vulnerability is found primarily on UNIX, LINUX and Mac OS X.
Now on to what is ShellShock? ShellShock is the name that has been given to a bug found in the Bash (Bourne Again Shell) command-line interpreter, also known as a shell. The Bash shell is widely used as the default command-line interpreter on many operating systems including most flavors of Linux, many flavors of Unix, and Apple’s OSX. Bash shell can be installed on Windows and Android, however with those two it is not installed or used by default on these systems.
Who needs to be concerned? All users of Bash are vulnerable, however for the vulnerability to be exploited your computer needs to be connected to the Internet. Certain software is also required to provide attackers a route through to reach Bash.
Who is most vulnerable? Those running Internet servers, such as website hosting servers, are the most vulnerable and likely to be targeted in attacks. Home users, who say have an Apple running Mac OS, are unlikely to be targeted but could become victims of circumstance by using untrusted networks or if the Internet servers trusted and used by that home user become compromised this could cause a trickle down effect to home users. As a Mac user you would also have to have enabled certain services on your Mac to make you vulnerable.
What does this vulnerability do? The Bash shell bug will allow an attacker to have command line access; full access to the computer or server as if they are the legitimate operator. So anything you can do with your computer, now so can the attacker.
How wide spread could the affects of ShellShock become? When the Bash shell bug was first discovered there were hundreds of thousands of servers connected to the Internet vulnerable to this exploit. How many of these servers have now been compromised is not known. The bug itself has existed in the Bash shell code for over 2 decades; it is possible that some have previously discovered the bug and kept it to themselves or attackers may have been using it for malicious attacks for sometime before this public disclosure.
(There is debate among the tech community as to it being a “bug” or a “feature” as when Bash was originally created it was long before Apache httpd and other external access in were created…but that’s a whole different topic.)
Now that the bug has been made public every attacker is working hard to compromise computers before the patches are put in place; with hundreds of thousands of targets it’s a race against time between exploitation and getting the patches installed.
What do you do now? Apply your system’s patch or patches. Red Hat has setup a very helpful site to help diagnose and determine your vulnerability.
If you are running Mac OSX Apple has released a security patch, however this patch is not available via Software Update, instead you have to install the patch manually, see below for more information.
From Apple – OS X bash Update 1.0 may be obtained from the following webpages:
To check that bash has been updated:
- Open Terminal
- Execute this command: bash –version
- The version after apply this update will be:
OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)