The Shellshock bug could do more damage than the recent Heartbleed bug. Here's what you need to know.

Thomas Claburn, Editor at Large, Enterprise Mobility

September 27, 2014

4 Min Read

Jack the Ripper Caught: 8 Mysteries Tech Should Solve

Jack the Ripper Caught: 8 Mysteries Tech Should Solve


Jack the Ripper Caught: 8 Mysteries Tech Should Solve (Click image for larger view and slideshow.)

Shellshock, the name given to a pair of vulnerabilities in Bash, a shell program distributed on Linux, Unix, and OS X systems, has been assigned a CVSS score of 10, on a 1-to-10 scale. It's as serious as security bugs get.

Worse, the difficulty of exploiting Shellshock is rated "low." Almost anyone with an interest in malicious code will be able to build malware that uses the vulnerabilities. As if to demonstrate that, security companies began detecting Shellshock malware within hours after the vulnerabilities were disclosed.

Here's what you need to know.

How long has Bash been vulnerable?
About 22 years. According to the New York Times, Chet Ramey, senior technology architect at Ohio's Case Western Reserve University, has been maintaining the Bash open source project since then and believes that Shellshock dates back to a new feature introduced in 1992.

[Are we becoming a nation of complacency? Read Shellshocked: A Future Of ‘Hair On Fire’ Bugs.]

The earliest version of Bash affected by the vulnerability, 1.14, dates back to 1994. The most recent version, 4.3, is also vulnerable. News of the vulnerability appears to have surfaced on Wednesday.

Which machines are vulnerable?
The vulnerabilities affect machines running Linux, BSD, and Unix distributions, including Mac OS X. Apple said in a statement to AFP on Friday that OS X is safe by default unless users have configured advanced Unix services. The company said it's working on a patch for those users.

Bash is not native to Windows, but Cygwin, a Windows version of Bash, is vulnerable. Beyond that, Shellshock has the potential to affect anyone visiting a website hosted on a vulnerable server -- if the server has been compromised via Shellshock, it could deliver other malware.

How many machines are vulnerable?
It's difficult to say. About 10% of personal computers run Linux or OS X. But then there are servers and Internet-connected devices to consider. Many security experts are comparing Shellshock to the Heartbleed vulnerability discovered in April. Heartbleed affected an estimated 500 million computers; the BBC suggests Shellshock could affect just as many, without providing details about how it arrived at that figure.

Is my machine vulnerable?
Shellshocker.net provides two tests, one for each vulnerability, (CVE-2014-6271) and (CVE-2014-7169). On a Mac, open the Terminal program and type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable" echoed in the response, your version of Bash is affected. Then type:

env X='() { (a)=>\' bash -c "echo date"; cat echo

If you see today's date (alongside any errors), your version of Bash is vulnerable.

Is there a fix?
Sort of. Major Linux vendors have released patches; Apple is working on one. US-CERT notes that patches for CVE-2014-6271 don't fix it completely (RedHat has said as much). US-CERT advises that people stay tuned for patches to resolve CVE-2014-7169 (RedHat's patch is available). Many security vendors have released detection tools and promise protection through their own software. RedHat has offered several mitigation methods for experienced IT administrators.

Why should I care?
Because these bugs allow an attacker to execute malicious code on affected machines, without any authorization check. And even if your machine is safe, you won't be happy when someone is able to steal your credit card numbers because these vulnerabilities affected someone else's server.

You've done all the right things to defend your organization against cybercrime. Is it time to go on the offensive? Active response must be carefully thought through and even more carefully conducted. This Dark Reading report examines the rising interest in active response and recommends ways to determine whether it's right for your organization. Get the new Identifying And Discouraging Determined Hackers report today (free registration required).

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights