
What is the Shellshock Bash bug and why does it matter?

By now you may have heard about a new bug found in the Bash shell. And unless you're a programmer or security expert, you're probably wondering if you should really worry. The short answer is: Don't panic, but you should definitely learn more about it, because you may be in contact with vulnerable devices.

This bug, baptized "Shellshock" by security researchers, affects the Unix command shell "Bash," which happens to be one of the most common applications on Unix systems. That includes any machine running Mac OS X or Linux. The "shell" or "command prompt" is a piece of software that allows a computer to interact with the outside (you) by interpreting text. This vulnerability affects the shell known as Bash (Bourne Again SHell), which is installed not only on computers, but also on many devices (smart locks, cameras, storage and multimedia appliances, etc.) that use a subset of Linux.

But, what is it?

The bug is a little hard to explain without getting technical and mentioning some programming terminology, but bear with us, because it's not difficult to understand. Basically, an attacker can run code by simply asking for basic information from your computer, a server or an "internet of things" (IoT) device. Now, your computer is most likely unaffected because you are (and should be) running a firewall and blocking external requests not initiated locally by the software already authorized to run, but servers and IoT devices are a different issue.

Let's start with your computer. If you have a Mac OS X or Linux system, open the Terminal and run this line of code:

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If you see the word "vulnerable" as an answer, your system is, well... vulnerable.

Your Bash shell is simply running the code that comes after a function definition (the "() { :;};" part), and that shouldn't be happening. The function is the "allowed" code, while everything after it is where the potentially "malicious" code could be placed.
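The one-line check above, wrapped as a small audit script that tests several shell binaries at once. This is an added example, not part of the original article; the function names check_shell and audit_shells, the status words and the default list of paths are assumptions, and the probe only echoes a marker string.

```shell
#!/bin/sh
# Added example: audit local shells with the article's harmless probe.
# check_shell, audit_shells and the default paths are illustrative names.

# check_shell PATH
# Prints one of: vulnerable, not-vulnerable, missing, unknown
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # A marker unique to this run, so an unrelated "vulnerable" string
    # in the shell's output cannot cause a false positive.
    marker="SHELLSHOCK_PROBE_$$"
    # x looks like an exported function. An affected Bash runs the echo
    # that follows the function body; a fixed one ignores it.
    output=$(env x="() { :;}; echo $marker" \
        "$shell_path" -c 'echo probe-done' 2>/dev/null)
    case $output in
        *"$marker"*)  echo "vulnerable" ;;
        *probe-done*) echo "not-vulnerable" ;;
        *)            echo "unknown" ;;
    esac
}

# audit_shells PATH...
# Prints "path<TAB>status" per shell; returns 1 if any is vulnerable.
audit_shells() {
    status=0
    for candidate in "$@"; do
        result=$(check_shell "$candidate")
        printf '%s\t%s\n' "$candidate" "$result"
        [ "$result" = "vulnerable" ] && status=1
    done
    return $status
}

# With no arguments, check a few common install locations (assumed paths).
[ "$#" -gt 0 ] || set -- /bin/bash /bin/sh /usr/local/bin/bash
audit_shells "$@" || echo "At least one shell needs patching" >&2
```

Checking /bin/sh as well as /bin/bash matters because on some systems sh is Bash under another name.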

What can an attacker do?

The remote execution (over the internet or a network) of extra code could let an attacker load malware on a system and steal private information, delete files, activate your camera, open a lock and, well, do pretty much anything with a little know-how. However, as we mentioned, this is not something that should matter much on a user's computer with a working firewall, because it hasn't been proven possible to take advantage of the bug under that scenario.

A server, well, that's a completely different story, because a server has to listen to requests in order to "serve" (pun intended) its purpose. This means that by requesting almost any data and running malicious code, an attacker can infect any affected server, which is about 60 percent of web servers out on the internet, most routers (even your home router) and many consumer devices (including security cameras and "smart" appliances -- which don't seem so smart right about now). This is because smart appliances are a form of server.

How can this problem be solved?

It's super simple to solve this problem. Many software developers have already issued patches and more are being released by the hour. Two of the most popular Linux distributions, Red Hat and Ubuntu, already have patches available, and we suspect Apple will soon release its fix. Updating a system takes almost no time. It's a simple process and it's a common task for most users. The problem is with systems that are not often updated. For example: It's not very common to update the software on your router, and even less common to update something like a door lock, a light switch or a security camera.

The internet of things complicates the situation because there are many more devices that should be updated, and for some, the manufacturers may not even issue patches. However, most of the devices are configured to function in a secure manner, behind a firewall. Regardless, if you suspect your "things" use a version of Linux (and there's a really good chance they do), we recommend you check for updates and even inquire about them from the manufacturer.

The bottom line is: this is a serious bug, but patches are available and should be installed promptly. But there's no doubt we'll be hearing plenty more about Shellshock and the problems it can cause in the coming days and weeks -- especially since it's gone unnoticed for around 25 years. There are a lot of holes out there to patch.

Update: In a statement to iMore, an Apple representative said "the vast majority of OS X users are not at risk...With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services." According to Apple, there is a patch coming soon for those users who could be exposed.