department menu

Shellshock - a Bash Vulnerability

By Jeroen Barendse

Explaining the “Shell Shock” bug

On September 12, 2014 a new vulnerability (in a program called Bash) bug was discovered by a French computer genius named Stéphane Chazelas.  Bash is a commonly used “shell” environment used for command line operations in the Linux and Mac operating systems - Windows systems are not affected. What he discovered was that this bug would allow an unauthorized entity to remotely execute commands on your computer through the command line.  The command line is a very powerful tool that translates text based commands into computer language. This means that anyone aware of this vulnerability could execute a variety of potent commands on your computer without your knowledge.

How does this affect you?

According to the New York Times roughly 70% of the Unix based (Linux and Mac OS X) computers throughout the world are affected by this bug[1]. If your computer is out of date or running an old version of Mac OS or Linux, your computer is very likely at risk!  It is recommended that you update your machine immediately to minimize your exposure to this vulnerability.

Bash is not native to Windows, but Cygwin, a Windows version of Bash, is vulnerable. Beyond that, Shellshock has the potential to affect anyone visiting a website hosted on a vulnerable server - if the server has been compromised via Shellshock, it could deliver other malware.

Apple stated on September 26, 2014, “The vast majority of OS X users are not at risk to recently reported bash vulnerabilities...”  According to Apple, unless you have configured advanced access on your computer, you are not at risk to this vulnerability. Apple has released an update to help insulate Mac OS X from these attacks that can be downloaded through Software Update. For instructions on how verify that your computer not at risk go to Krebson Security: Apple Releases Patches for Shellshock Bug. However, this does require use of the Terminal and is only recommended for advanced users.

What are we doing about this?

Linux: The organization that publishes Bash has already released a patch to close this vulnerability.  We have updated all our systems that could potentially be affected.

Mac OS X: As stated above, Apple has released an update addressing this vulnerability.  We have updated all machines running Mac OS X.

More Information